Relay Threat Model for IEEE 802.11-17/1118r3 - July 2017 Documentation

july 2017 n.w
1 / 17
Embed
Share

Explore the relay threat model for IEEE 802.11-17/1118r3 in the July 2017 documentation, focusing on mitigating relay attacks using range and location verification. Learn about wireless relay attacks, their applications, and ways to defend against them effectively.

  • Relay Threat Model
  • IEEE 802.11
  • Wireless Security
  • Relay Attacks
  • Documentation
rayaanacharya
ayeri Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. July 2017 doc.: IEEE 802.11-17/1118r3 Relay Threat Model for TGaz Date: 2017-07-12 Authors: Name Affiliations Address Phone email Wei Wang Google Inc. weiwa@google.com Roy Want Google Inc. roywant@google.com Submission Slide 1 Roy Want et al., Google Inc

  2. July 2017 doc.: IEEE 802.11-17/1118r3 Abstract The relay threat model occurs when two attackers collaborate to fake the distance between two stations, making them appear closer than they really are. 11az should be resilient to a relay attack in both associated and unassociated modes. Submission Slide 2 Roy Want et al., Google Inc

  3. July 2017 doc.: IEEE 802.11-17/1118r3 Background Wireless Relay Attacks have been used to defeat wireless car locks and pose a real threat to property Attacker Box A Near Owner Attacker Box B Near Car Bridging the gap https://www.wired.com/2016/03/study-finds-24-car-models- open-unlocking-ignition-hack/ Submission Slide 3 Roy Want et al., Google Inc

  4. July 2017 doc.: IEEE 802.11-17/1118r3 Mitigating Relay Attacks Using range and location can be a good defense against relay attacks, assuming that the range/location of each party can be validated. Submission Slide 4 Roy Want et al., Google Inc

  5. July 2017 doc.: IEEE 802.11-17/1118r3 Applications using RTT range for secure operation Associated (with prior shared keys) Building door locks Car door locks Document access (e.g. only at work) Cloud Service Access (e.g. only within home) Unassociated (no prior shared keys) Proof of presence at a location Proximity transfer of a redeemable wireless coupon Control of a public IoT device with a wireless token Submission Slide 5 Roy Want et al., Google Inc

  6. July 2017 doc.: IEEE 802.11-17/1118r3 Ranging in 11mc MOBILE FTM RESPONDER FTM_Req Ack FTM t1 Distance (d) can be used to verify a condition: d < [opening criterion], t2 t3 Ack t4 FTM(t4- t1) But ONLY if you can trust it. Ack Submission Slide 6 Roy Want et al., Google Inc

  7. July 2017 doc.: IEEE 802.11-17/1118r3 Relay Attack #1: Faking a Range in 11mc Attacker Box A Attacker Box B MOBILE FTM RESPONDER FTM_Req FTM_Req_Ack FTM t1 t2 t1 t2 t3 t3 Ack t4 t4 FTM(t4- t1) FAKE (t4- t1) Submission Slide 7 Roy Want et al., Google Inc

  8. July 2017 doc.: IEEE 802.11-17/1118r3 Relay Attack #2: Faking a Range in 11mc Attacker Box A Attacker Box B MOBILE FTM RESPONDER FTM_Req FTM_Req_Ack FTM t1 t2 t1 t2 t3 FAKE (Ack) t3 t4 Ignore t4 FTM(t4- t1) FTM (t4- t1) VALID_SIG Submission Slide 8 Roy Want et al., Google Inc

  9. July 2017 doc.: IEEE 802.11-17/1118r3 11az Authentication can prevent a relay attack if 1. each packet is authenticated 2. there is a shared symmetric key Submission Slide 9 Roy Want et al., Google Inc

  10. July 2017 doc.: IEEE 802.11-17/1118r3 What about the unassociated mode in 11az as there are likely no shared keys via AP association? But unassociated modes are useful for: Proof of presence at a location Proximity transfer of a redeemable wireless coupon Control of a public IoT device with a wireless token Solutions Ref: 11-16-1498r1 (Qi Wang et al., Broadcom) FTM Security in Associated and Un-associated States Ref: 11-16-1508r0 (Naveen Kakani et al., Qualcomm) FTM Frame Exchange Authentication Submission Slide 10 Roy Want et al., Google Inc

  11. July 2017 doc.: IEEE 802.11-17/1118r3 Separation of Concerns CLOUD SERVICE CHECKS IF X1 = X2, THERE IS NO RELAY ATTACK APP/OS APP/OS Relay Attack DERIVED X1 DERIVED X2 11az 11az Submission Slide 11 Roy Want et al., Google Inc

  12. July 2017 doc.: IEEE 802.11-17/1118r3 Relay Attack Defense without Shared Keys MOBILE FTM RESPONDER t1 FTM + Nonce-A t2 (Ack + Nonce-B) t4 t3 FTM(t4- t1) + Nonce-AB Verify Verify AB + (t4-t1) at APP Level AB + (t4-t1) at APP Level Submission Slide 12 Roy Want et al., Google Inc

  13. July 2017 doc.: IEEE 802.11-17/1118r3 Simplified relay attack solution for unassociated 11az MOBILE FTM RESPONDER Attacker Box A Attacker Box B FTM_Req FTM_Req_Ack t1 t2 t1 FTM + Nonce-A FTM + Nonce-A (Ack + Nonce-X) t3 generated t2 t4 Ack + Nonce-B ignored t4 t3 FTM(t4- t1) + Nonce-AX FTM (t4- t1) + Nonce-AB Verify Verify AB + (t4-t1) at APP Level AB + (t4-t1) at APP Level Submission Slide 13 Roy Want et al., Google Inc

  14. July 2017 doc.: IEEE 802.11-17/1118r3 Conclusion If encryption is not supported in the FTM negotiation - because of silicon complexity - because of interaction time - because of power consumption Then range integrity can still be obtained by making the 2 nonces + (t4-t1) accessible to the App layer At the expense of having the range data overheard [which may not be a problem in many use cases]. Submission Slide 14 Roy Want et al., Google Inc

  15. July 2017 doc.: IEEE 802.11-17/1118r3 Straw Poll 11az protocol shall support a mode where range integrity can be obtained without authentication and encryption protecting against type A adversaries. Y: 16 N: 0 A: 7 Submission Slide 15 Roy Want et al., Google Inc

  16. July 2017 doc.: IEEE 802.11-17/1118r3 Motion Move to adopt the functional requirement depicted below, and instruct the FRD editor to include it in the FRD under section 2.1.6, in a subsection dealing with ranging integrity without cryptography, and give editorial license. 11az protocol shall support a mode where range integrity can be obtained without authentication and encryption protecting against type A adversaries. Mover: Roy Want Seconder: SK Yong Y: 10 N: 0 A: 2 Submission Slide 16 Roy Want et al., Google Inc

  17. July 2017 doc.: IEEE 802.11-17/1118r3 References 11-16-1498r1 (Qi Wang et al., Broadcom) FTM Security in Associated and Un-associated States 11-16-1508r0 (Naveen Kakani et al., Qualcomm) FTM Frame Exchange Authentication Radio attack lets hackers steal 24 different car models https://www.wired.com/2016/03/study-finds-24-car-models-open- unlocking-ignition-hack/ Submission Slide 17 Roy Want et al., Google Inc

Related


Modern Threat Modeling & Cloud Systems in OWASP Sacramento

Modern Threat Modeling & Cloud Systems in OWASP Sacramento

maven
Enhancing Wi-Fi Relay Networks for Improved Coverage and Reliability

Enhancing Wi-Fi Relay Networks for Improved Coverage and Reliability

lando
Cyber Threat Detection and Network Security Strategies

Cyber Threat Detection and Network Security Strategies

lilliemae
The 5V Relay Module and Its Applications

The 5V Relay Module and Its Applications

case
Considerations for Relay Operation in Next Generation Wi-Fi Networks

Considerations for Relay Operation in Next Generation Wi-Fi Networks

theo
Fun Team Relay Games for Physical Education

Fun Team Relay Games for Physical Education

randy
Cyber Threat Assessment and DBT Methodologies

Cyber Threat Assessment and DBT Methodologies

jgra
Evolution of Relay Services for Deaf and Hard of Hearing Individuals

Evolution of Relay Services for Deaf and Hard of Hearing Individuals

poma_tal
Relay Communications for Ultra High Reliability in IEEE 802.11-22/1908r1

Relay Communications for Ultra High Reliability in IEEE 802.11-22/1908r1

jessic
Wide Area Networking Using Frame Relay Cloud

Wide Area Networking Using Frame Relay Cloud

burl_nal
Enhancing Internet Telephony Quality Through Predictive Relay Selection

Enhancing Internet Telephony Quality Through Predictive Relay Selection

amarach
IEEE 802.11-23/1899r0 Relay Operation for 11bn - Presentation Summary

IEEE 802.11-23/1899r0 Relay Operation for 11bn - Presentation Summary

whad
IEEE 802.11-22/842r1 TGaz Next Generation Positioning Closing Report July 2022

IEEE 802.11-22/842r1 TGaz Next Generation Positioning Closing Report July 2022

mu_eli
IEEE 802.11-22/225r0 TGaz Next Generation Positioning March Electronic Meeting Closing Report

IEEE 802.11-22/225r0 TGaz Next Generation Positioning March Electronic Meeting Closing Report

wherry_b
Considerations for Relay Operation in Next-Gen Wi-Fi Networks

Considerations for Relay Operation in Next-Gen Wi-Fi Networks

deia152
IEEE 802.11-18-1269-00-00az Clock Synchronization Investigation

IEEE 802.11-18-1269-00-00az Clock Synchronization Investigation

choudhry_j
Relay Logic and Circuits

Relay Logic and Circuits

ben_emf
IEEE 802.11-24/0386r0 Lower MAC Relay Protocol Details

IEEE 802.11-24/0386r0 Lower MAC Relay Protocol Details

nyza_17
Stereotype Threat in Education

Stereotype Threat in Education

bshe
Threat Assessment Tabletop Exercise Overview

Threat Assessment Tabletop Exercise Overview

snyder_m
The Redox-Relay Heck Reaction in Organic Synthesis

The Redox-Relay Heck Reaction in Organic Synthesis

simo_ae
Energy Efficient Relay Antenna Selection for AF MIMO Two-Way Relay Channels

Energy Efficient Relay Antenna Selection for AF MIMO Two-Way Relay Channels

ayde_968

More Related Content