Enhanced Security Methods for IEEE 802.11 Control Frames in 11bn

november 2023 n.w
1 / 25
Embed
Share

Explore enhanced security methods proposed for control frames in IEEE 802.11 standard, focusing on addressing vulnerabilities and ensuring secure data transmission between STAs in the 11bn environment.

  • Security
  • IEEE 802.11
  • Control Frames
  • Data Transmission
  • Vulnerabilities
rayaanacharya
karimahho Follow

Uploaded on | 1 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. November 2023 doc.: IEEE 802.11-23/1915r1 Enhanced Security for Control frame in 11bn Date: 2023-11-12 Authors: Name Affiliation Address Phone Email SunHee Baek Insun Jang Jinsoo Choi Yelin Yoon Geonhwan Kim Dongju Cha Eunsung Park Dongguk Lim Jinyoung Chun Insik Jung HanGyu Cho sunhee.baek@lge.com insun.jang@lge.com js.choi@lge.com yl.yoon@lge.com geonhwan.kim@lge.com dongju.cha@lge.com 19, Yangjae-daero 11gil, Seocho-gu, Seoul 137- 130, Korea esung.park@lge.com LG Electronics dongguk.lim@lge.com jiny.chun@lge.com insik0618.jung@lge.com hg.cho@lge.com 10225 Willow Creek Rd, San Diego, CA, USA Sanggook Kim sanggook.kim@lge.com Submission Slide 1 SunHee Baek, LG Electronics

  2. November 2023 doc.: IEEE 802.11-23/1915r1 Introduction Current security definition is applied only to the data frame and management frame. So, the control frame doesn t support security method by setting reserved on the Protected Frame subfield in the Frame Control field. However, the particular types of control frame, Trigger frame and (Multi-)BlockAck, are needed to support security protocol, [1] ~ [3], because of the importance of contained information. Control frames are vulnerable to a number of different attacks. STA must wake up and can waste its power/medium because of the Trigger frame transmitted by an attacker [1]. If the control frame is sent by an attacker, QoS Data delivery status and BA scoreboards are misaligned between STAs [2][3]. In the case of Trigger frame, the RU assignment can be interrupted by an attacker. As the result, the data transmission between STAs will not be done properly. In this contribution, we suggest enhanced security methods for control frame in 11bn. Submission Slide 2 SunHee Baek, LG Electronics

  3. November 2023 doc.: IEEE 802.11-23/1915r1 Background In the current baseline, RSNA security protocol has following types; Only Integrity Check method (e.g., BIP) Encryption/Decryption method (e.g., CCMP, GCMP) The Integrity Check method(BIP) is used for management frame including Beacon frame through IGTK or BIGTK. In the result of BIP, values of Key ID, IPN/BIPN, and MIC within MME(Management MIC element) are included at the end of management frame body without encryption/decryption. The Encryption/Decryption method(CCMP/GCMP) is used for data frame through PTK or GTK. In the result of CCMP/GCMP, values of Key ID and PN are located within CCMP/GCMP header and the value of MIC is located before FCS. There are two possible methods to protect the control frame based on the current security methods of the baseline. Submission Slide 3 SunHee Baek, LG Electronics

  4. November 2023 doc.: IEEE 802.11-23/1915r1 Integrity Check for Control frame The Integrity Check method can detect attacks such as data value changes from a 3rd STA. When applying the Integrity Check method, the ways of constructing the control frame can be differed depending on the individually or group addressed RA. About individually addressed Control frame only for UHR STAs The UHR STA will receive a Control frame applied to the integrity check method(BIP), so check the integrity of the Control frame through (new) PTK. Maybe the length of Protection Info field, Key ID subfield, IPN(/BIPN) subfield, and MIC subfield can be changed. But, current BIP doesn t support to use PTK to check the integrity of the transmitted/received frame. In 11bn, the definition of BIP can be extended to use PTK, or encryption/decryption methods can be used for individually addressed Control frame. For example, the Trigger frame for UHR STA can include information for integrity check(e.g., Key ID, IPN, MIC) as a new field before padding field, and the MIC value can be calculated based on the Common Info field and/or User Info List field. For example, the BlockAck frame for UHR STA can include information for integrity check(e.g., Key ID, IPN, MIC) as a new field before padding field, and the MIC value can be Submission calculated based on the BA Control field and/or BA Information field. Slide 4 SunHee Baek, LG Electronics

  5. November 2023 doc.: IEEE 802.11-23/1915r1 Integrity Check for Control frame About group addressed Control frame, When a STA receives the group addressed Control frame applied to the Integrity Check method(BIP), there are two possible cases depending on how to consist of the control frame, whether received STAs are either only UHR STAs(Case 1) or pre-UHR STA and UHR STA(Case 2). [Case 1] When only UHR STAs receive the control frame, The information for integrity check(e.g., Key ID, IPN, MIC) can be located as a new field in the control frame. For calculate the value of MIC, Key ID will be set (new) GTK for the group addressed Control frame. The format of Case 1 s Control frame can be same with the format of individually addressed Control frame in the previous slide. [Case 2] When pre-UHR STAs and UHR STAs receive the control frame, All recipient STAs including pre-UHR STAs and UHR STAs must decode the frame body of the received control frame where the information for integrity check is located. In one way, the information for integrity check can be included in the User Info List field in the Trigger frame/BA Information field in the BlockAck frame for following the existing baseline. For example, the Special User Info subfield of Trigger frame defined in 11be(EHT) can be one of options to include the information for integrity check with a particular AID. For example, the AID TID Info subfield of Multi-STA BlockAck frame can be one of options to include the information for integrity check with a particular AID. Submission Slide 5 SunHee Baek, LG Electronics

  6. November 2023 doc.: IEEE 802.11-23/1915r1 Integrity Check for Control frame * Maybe the length of Protection Info subfield, Key ID subfield, IPN(/BIPN) subfield, and MIC subfield can be changed. The particular AID indicates only to UHR STA that the Special User Info subfield includes the information for integrity check. Pre-UHR STA will ignore the Special User Info subfields containing the Protection info subfield. The particular AID indicates only to UHR STA that the Per AID TID Info subfield includes the information for integrity check. Pre-UHR STA will ignore the Per AID TID Info subfields containing the Protection info subfield. Submission Slide 6 SunHee Baek, LG Electronics

  7. November 2023 doc.: IEEE 802.11-23/1915r1 Integrity Check mode indication for Control frame About group addressed Control frame, two types of format for control frame are possible depending on combination of recipient STAs. The format for pre-UHR STA and UHR STA(Case 2) can support that pre-UHR STAs can receive its frame body from the Trigger frame or BlockAck frame without decoding error as well as UHR STAs. But when only UHR STAs receive it(Case 1), the format for pre-UHR STA and UHR STA(Case 2) can be unnecessary to use AID 12(11) subfield and divide the information for integrity check into different User Info fields of Trigger frame or BA Information fields of BlockAck frame. So, the two types of format for control frame are needed to guarantee that UHR STAs check the integrity of the received control frame under any circumstances. If the format of control frame is different depending recipient STA(s), an indication needs which type of format for control frame is used. The mode indication distinguishes where the information for integrity check is included in the transmitted/received control frame. For example, whether the information is located after the User Info List field and before Padding field, or the information is located within the User Info List field in the Trigger frame. For example, whether the information is located after the BA Information field and before FCS field, or the information is located within the BA Information field in the BlockAck frame. The reserved bit in Common Info field of Trigger frame or BA Control field of BlockAck frame can be used to indicate the location of the information in the control frame and set by transmitter STA. Submission Slide 7 SunHee Baek, LG Electronics

  8. November 2023 doc.: IEEE 802.11-23/1915r1 Encryption/Decryption for Control frame Encryption/Decryption method is a method of shielding and protecting messages. If the control frame encrypts the frame body of the control frame, the Protected Frame subfield in Frame Control field will be set to 1. The STA supporting encryption/decryption(e.g., CCMP/GCMP) on control frame should announce its capabilities during an association. For example, if the Trigger frame and BlockAck frame are applied to GCMP, the frame body will be encrypted. In the case of the individually addressed RA, the encryption/decryption is performed based on (new) PTK with recipient STA. And in the case of the group addressed RA, the encryption/decryption is performed based on (new) GTK with recipient STAs. The keys(PTK and GTK) can be for encryption/decryption method of control frame(e.g., Trigger frame & BlockAck frame). Submission Slide 8 SunHee Baek, LG Electronics

  9. November 2023 doc.: IEEE 802.11-23/1915r1 Encryption/Decryption for Control frame Encryption/Decryption method is the most powerful protection method than the integrity check method of the baseline. Encryption/Decryption method can prevent from attacks to change/damage data values from a 3rd STA. If STA can decrypt the cipher message based on the value of the Key ID subfield in the CCMP/GCMP header, it can access/decode the plain message and check the integrity of the received frame based on PN and MIC. If a STA doesn t recognize the key info based on the value of the Key ID subfield, the STA cannot access/decode the cipher message. So, the 3rdSTA doesn t have an opportunity to change/damage the cipher message at all. This method applies only to (beyond-)UHR STA supporting encryption/decryption for the control frame. If pre-UHR STAs receive the encrypted control frame, they cannot decode the frame body of the control frame. Also, unassociated STAs cannot decode the encrypted control frame. Encryption/Decryption method can guarantee the confidentiality and integrity of the control frame between UHR STAs. Submission Slide 9 SunHee Baek, LG Electronics

  10. November 2023 doc.: IEEE 802.11-23/1915r1 Further Issues There are several topics to address to support the frames designed in this contribution. How to announce whether the control frame supports to apply a security method(s). Which cipher suites for the control frame are used. Which keys for the control frame are used depending on individually and group addressed Control frame. How to set/define the information related to check integrity/confidentiality of the control frame. It is necessary to review whether protection is required for which types/variants of each of control frames. E.g, Trigger frame(Basic, etc), BlockAck frame(compressed/Multi-STA), etc. Submission Slide 10 SunHee Baek, LG Electronics

  11. November 2023 doc.: IEEE 802.11-23/1915r1 Conclusion In this contribution, we propose several protection methods for the control frame (e.g., Trigger frame & BlockAck frame). Only Integrity Check based on BIP, Individually addressed RA group addressed RA Encryption/Decryption based on CCMP/GCMP To support that legacy STAs can receive/decode the control frame applied to the security mechanism, the integrity check method for the control frame is preferred. Submission Slide 11 SunHee Baek, LG Electronics

  12. November 2023 doc.: IEEE 802.11-23/1915r1 Straw Poll 1 Do you support to define Trigger frame protection in 802.11bn? The detailed method is TBD. Submission Slide 12 SunHee Baek, LG Electronics

  13. November 2023 doc.: IEEE 802.11-23/1915r1 Straw Poll 2 Do you support to define BlockAck frame protection in 802.11bn? The detailed method is TBD. The applied variant is TBD. Submission Slide 13 SunHee Baek, LG Electronics

  14. November 2023 doc.: IEEE 802.11-23/1915r1 Straw Poll 3 Do you support to define BlockAckReq frame protection in 802.11bn? The detailed method is TBD. The applied variant is TBD. Submission Slide 14 SunHee Baek, LG Electronics

  15. November 2023 doc.: IEEE 802.11-23/1915r1 Straw Poll 4 Do you agree to use Broadcast Integrity Protocol (BIP) for checking the integrity of the Trigger frame, BlockAck frame, and BlockAckReq frame? The detailed method is TBD. The applied variant of BA frame and BAR frame is TBD. Submission Slide 15 SunHee Baek, LG Electronics

  16. November 2023 doc.: IEEE 802.11-23/1915r1 Straw Poll 5 Do you agree to define mechanism that a Trigger frame transmitted by an UHR AP carries the information for checking the integrity of the Trigger frame? The information is derived from BIP. The detailed information is TBD. Submission Slide 16 SunHee Baek, LG Electronics

  17. November 2023 doc.: IEEE 802.11-23/1915r1 Straw Poll 6 Do you agree that when an UHR AP intends to transmit a Trigger frame for one or more UHR STA(s) as receivers to check the integrity of the Trigger frame, the Trigger frame carries the Key ID, PN, and MIC? NOTE: Receivers of Trigger frame can include pre-UHR STA(s). Submission Slide 17 SunHee Baek, LG Electronics

  18. November 2023 doc.: IEEE 802.11-23/1915r1 Straw Poll 7 Do you agree to define mechanism that a BlockAck frame transmitted by an UHR STA carries the information for checking the integrity of the BlockAck frame? The information is derived from BIP The detailed information is TBD. The applied variant of BA frame is TBD. Submission Slide 18 SunHee Baek, LG Electronics

  19. November 2023 doc.: IEEE 802.11-23/1915r1 Straw Poll 8 Do you agree that when an UHR STA intends to transmit a BlockAck frame for one or more UHR STA(s) as receivers to check the integrity of the BlockAck frame, the BlockAck frame carries the Key ID, PN, and MIC? The applied variant of BA frame is TBD. NOTE: Receivers of BlockAck frame can include pre-UHR STA(s). Submission Slide 19 SunHee Baek, LG Electronics

  20. November 2023 doc.: IEEE 802.11-23/1915r1 Straw Poll 9 Do you agree to define mechanism that a BlockAckReq frame transmitted by an UHR STA carries the information for checking the integrity of the BlockAckReq frame? The information is derived from BIP The detailed information is TBD. The applied variant of BAR frame is TBD. Submission Slide 20 SunHee Baek, LG Electronics

  21. November 2023 doc.: IEEE 802.11-23/1915r1 Straw Poll 10 Do you agree that when an UHR STA intends to transmit a BlockAckReq frame to an UHR STA as an receiver to check the integrity of the BlockAckReq frame, the BlockAcReq frame carries the Key ID, PN, and MIC? The applied variant of BAR frame is TBD. Submission Slide 21 SunHee Baek, LG Electronics

  22. November 2023 doc.: IEEE 802.11-23/1915r1 Straw Poll 7 Do you agree to define the mechanism(s) for confidentiality and integrity protocol of the Trigger frame and BlockAck frame in 802.11bn? The detailed method is TBD. The applied variant is TBD. Submission Slide 22 SunHee Baek, LG Electronics

  23. November 2023 doc.: IEEE 802.11-23/1915r1 References [1] 23/0286 Trigger frame protection [2] 23/0312 Thoughts on Secure control frames [3] 23/0352 Enhanced Security Discussion Submission Slide 23 SunHee Baek, LG Electronics

  24. November 2023 Appendix A. Integrity Check method for BlockAckReq frame doc.: IEEE 802.11-23/1915r1 When applying the Integrity Check method, the ways of constructing the control frame can be defined to the new field for the information for checking integrity about individually address BlockAckReq frame only for UHR STA. Maybe the length of Protection Info subfield, Key ID subfield, IPN/BIPN subfield, and MIC subfield can be changed. Submission Slide 24 SunHee Baek, LG Electronics

  25. November 2023 Appendix B. Encryption/Decryption method for BlockAckReq frame doc.: IEEE 802.11-23/1915r1 Encryption/Decryption method is a method of shielding and protecting messages. For example, if BlockAckReq frame is applied to CCMP or GCMP, BAR Control field and BAR Information field will be encrypted. Submission Slide 25 SunHee Baek, LG Electronics

Related


Pest control in Kolkata

Pest control in Kolkata

socspl
Coordinated Spatial Reuse in IEEE 802.11bn Standard

Coordinated Spatial Reuse in IEEE 802.11bn Standard

anayah
Enhanced Security Considerations in IEEE 802.11-23 for UHR

Enhanced Security Considerations in IEEE 802.11-23 for UHR

kieran
Soil Conservation Practices: Building an A-Frame for Erosion Control

Soil Conservation Practices: Building an A-Frame for Erosion Control

amias
Introduction to Database Security and Countermeasures

Introduction to Database Security and Countermeasures

ailbe
Marketing Control and Its Importance in Business

Marketing Control and Its Importance in Business

rebekah
Overview of the Community Waiver Program (CWP) and Enrollment Groups

Overview of the Community Waiver Program (CWP) and Enrollment Groups

warren
Proposal for R-TWT Protection in IEEE 802.11-23/2212r1 11bn

Proposal for R-TWT Protection in IEEE 802.11-23/2212r1 11bn

dea_lla
Wide Area Networking Using Frame Relay Cloud

Wide Area Networking Using Frame Relay Cloud

burl_nal
Role-based Access Control Policies and Security Properties Overview

Role-based Access Control Policies and Security Properties Overview

shma570
The Modern Period in American Literature: 1915-1945 - Cultural Shifts and Historical Events

The Modern Period in American Literature: 1915-1945 - Cultural Shifts and Historical Events

karn_809
IEEE 802.11-24/0386r0 Lower MAC Relay Protocol Details

IEEE 802.11-24/0386r0 Lower MAC Relay Protocol Details

nyza_17
Mitigating Client Frame Tracking in IEEE 802.11 Networks

Mitigating Client Frame Tracking in IEEE 802.11 Networks

ahund
Spatial Error in Photogrammetry

Spatial Error in Photogrammetry

stev_9
Seeking a General-Purpose CCSDS Link Layer Protocol: Next-Generation Data Link Protocol (NGDLP)

Seeking a General-Purpose CCSDS Link Layer Protocol: Next-Generation Data Link Protocol (NGDLP)

constante_m
Integrating WUR into IEEE 802.11bn for Enhanced Network Efficiency

Integrating WUR into IEEE 802.11bn for Enhanced Network Efficiency

amont
Control Plans in Process Management

Control Plans in Process Management

alek_172
Deflection for Frame by Unit Load Method

Deflection for Frame by Unit Load Method

gtyz
Discussion on 11bn Relay Operation

Discussion on 11bn Relay Operation

vanelop
L4S Support in IEEE 802.11bn Proposal

L4S Support in IEEE 802.11bn Proposal

mangione_a
Enhanced Long Range Frame format

Enhanced Long Range Frame format

juanjose
Exceptional Support Waiver Service Task

Exceptional Support Waiver Service Task

sily178

More Related Content