Secure SU and MU Ranging Measurement Procedure

january 2018 secure su and mu ranging measurement n.w
1 / 22
Embed
Share

"Reviewing possibilities for signaling between iSTA and rSTA to enable LTF protection in IEEE 802.11 devices. Includes proposed key exchange, negotiation techniques, and secure SU ranging measurement procedures."

  • IEEE
  • Ranging Measurement
  • Security
  • Key Exchange
  • WiFi
rayaanacharya
bari_sue Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. January 2018 Secure SU and MU Ranging Measurement Procedure Date: 2018-01-18 Authors: doc.: IEEE 802.11-18/0229r1 Name Affiliations Address Phone email 2840 Junction Ave, San Jose, CA 95134 yongho.seok@mediatek .com Yongho Seok MediaTek Inc. Chao-Chun Wang MediaTek Inc. James Yee Chittabrata Ghosh Intel Corporation MediaTek Inc. 2200 Mission College Blvd., Santa Clara, CA 95054 +1-415- 244-8904 chittabrata.ghosh@intel. com Jonathan Segev Intel Corporation Submission Slide 1 Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  2. January 2018 doc.: IEEE 802.11-18/0229r1 Introduction In previous discussions we agree on the following: The HEz and VHTz FTM modes, the fields over which range measurements are performed shall be protected against a VHT/HE Type B adversary attack. For the purpose of PHY Security Mode, the field used for channel/ToA measurement shall not include any form of repetition in time domain or structure that is predictable. In this submission we will review possibilities of how to signaling between iSTA and rSTA that enables LTF protection. Submission Slide 2 Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  3. January 2018 doc.: IEEE 802.11-18/0229r1 Proposed Key Exchange in Negotiation and LTF Randomization in SU Mode ISTA RSTA Key or cipher sequence exchange and establishment for LTF generation between iSTA and rSTA in the non-time critical FTM negotiation phase Sequence generation information for the first measurement instance is part of the IFTM The measurement phase only commences once the negotiation is successful Negotiation/key exchange NDPA (UL PN, DL PN) UL NDP LTF = f(key, UL PN) DL NDP LTF = f(key, DL PN) LMR Submission Slide 3 Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  4. January 2018 doc.: IEEE 802.11-18/0229r1 Secure SU Ranging Measurement Procedure For SU operation, the Delayed sequence generation is preferred where sequence generation information is carried in the previous sounding sequence instance For normal operation of SU ranging The frame used to deliver subsequent LTF sequence generation information is the protected LMR frame The specifics of LTF sequence generation information is TBD, this information is associated with a Sequence Authentication Code (SAC) The NDPA carries the SAC indication, a specific reserved value indicates New LTF generation information needed . The SAC is also included in the iFTM for the first measurement instance and in the LMR for subsequent Submission Slide 4 Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  5. January 2018 doc.: IEEE 802.11-18/0229r1 Secure SU Ranging Measurement Procedure For normal operation of SU ranging The size of the SAC should be sufficiently long to prevent simple guessing An adversary doesn t know the SAC and is unable to predict it and thus can t trigger the measurement instance. In addition the SAC and its associated measurement results are carried in the LMR If an incorrect SAC is received by the RSTA, the RSTA discards the NDPA (no DL NDP) and keep the current SAC and associated LTF sequence generation information Submission Slide 5 Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  6. January 2018 doc.: IEEE 802.11-18/0229r1 Secure SU Ranging Measurement Procedure Secure SU ranging measurement example (Immediate LMR Report case) N-1 round sounding sequence N round sounding sequence SAC for sequence generation (SACN-1) SAC for sequence generation (SACN) Protected LMR DL NDP Protected LMR DL NDP UL NDP UL NDP NDPA NDPA Derive LTF sequence of UL NDP and DL NDP of Nth round sounding sequence SAC for sequence generation (SACN) LTF sequence generation information SAC for sequence generation (SACN+1) LTF sequence generation information SAC for measurement sequence (SACN-1) Location measurement information SAC for measurement sequence (SACN) Location measurement information Submission Slide 6 Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  7. January 2018 doc.: IEEE 802.11-18/0229r1 Secure SU Ranging Measurement Procedure The LMR is an Action non ACK frame So, need a procedure for recovery the LMR reception failure If the LMR was not correctly received: The iSTA comes back to the channel and transmit an NDPA indicating New LTF generation information needed . The previous LTF generation information is invalidated. For UL NDP the iSTA uses a known UL NDP LTF sequence (not suitable for measurement). For DL NDP the rSTA may use the secured DL NDP LTF sequence (not suitable for measurement). The rSTA sends a new protected LMR content (meas. are lost only for immediate). The iSTA may comeback to the channel and initiate a new sounding sequence minToaReady time after. Slide 7 Submission Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  8. January 2018 doc.: IEEE 802.11-18/0229r1 MU Ranging Measurement Procedure MU ranging measurement consists of one or more rounds of UL sounding followed by one round of DL sounding. Optional TF -> Location Uplink Sounding TF -> Location Uplink Sounding DL NDPA DL NDP UL NDP UL NDP UL NDP UL NDP UL NDP UL NDP Submission Slide 6 Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  9. January 2018 doc.: IEEE 802.11-18/0229r1 Secure MU Ranging Measurement Procedure Assume that both UL ranging NDP and DL ranging NDP are designed with secure (e.g., randomized) LTF sequences. But, when an attacker is a member of the MU ranging measurement, The attacker can transmit a Fake DL ranging NDP if a LTF sequence in a DL ranging NDP is common to all members of the MU ranging measurement. TF -> Location Uplink Sounding TF -> Location Uplink Sounding DL NDPA DL NDP iSTA1 iSTA3 UL NDP UL NDP iSTA2 (Attacker) UL NDP Fake DL NDP Submission Slide 7 Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  10. January 2018 doc.: IEEE 802.11-18/0229r1 Secure MU Ranging Measurement Procedure So, the proposed secure MU ranging measurement procedure is limited to a single iSTA. Extension to the multiple iSTAs is TBD. Basic principle of the secure MU ranging measurement procedure is very similar to the secure SU ranging measurement procedure. The delayed sequence generation where sequence generation information is carried in the previous sounding sequence instance. Sequence generation information carried in LMR Derive LTF sequence of UL NDP and DL NDP of the next round sounding sequence Protected LMR TF -> Location Poll TF -> Location Uplink Sounding DL NDPA DL NDP Protected LMR DL NDP Poll UL NDP Response Submission Slide 10 Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  11. January 2018 doc.: IEEE 802.11-18/0229r1 Secure MU Ranging Measurement Procedure The keys or cipher sequence (if needed) for LTF sequence generation are the result of the FTM negotiation. LTF sequence generation information for the first measurement instance is a part of an iFTM, the measurement phase only commences once the negotiation is successful. The frame used to deliver subsequent LTF sequence generation information is the protected LMR frame. Sequence generation information carried in FTM Response Derive LTF sequence of UL NDP and DL NDP of 1st round sounding sequence FTM Response TF -> Location Poll TF -> Location Uplink Sounding DL NDPA DL NDP Protected LMR FTM Request Poll UL NDP Response Submission Slide 11 Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  12. January 2018 doc.: IEEE 802.11-18/0229r1 Secure MU Ranging Measurement Procedure The specifics of LTF sequence generation information are TBD, but this information is associated with a Sequence Authentication Code (SAC). The Trigger Frame (TF) -> Location Uplink Sounding indicates the SAC for the following NDP frame corresponding to the LTF generation information. After receiving the TF -> Location Uplink Sounding, iSTA shall uses the LTF generation information associated with the SAC. The SAC is also included in the iFTM for the first measurement instance and in the LMR for subsequent measurement instances. Submission Slide 12 Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  13. January 2018 doc.: IEEE 802.11-18/0229r1 Secure MU Ranging Measurement Procedure An adversary doesn t know the SAC and is unable to predict it and thus can t trigger the measurement instance (DOS). In addition the SAC and its associated measurement results are carried in the LMR. If an incorrect SAC is received by the iSTA, the iSTA may respond with a known LTF sequence or with any other LTF sequence and discards the current SAC and associated LTF sequence generation information. The size of the SAC should be sufficiently long to prevent simple guessing. Submission Slide 13 Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  14. January 2018 doc.: IEEE 802.11-18/0229r1 Secure MU Ranging Measurement Procedure Secure MU ranging measurement example N-1 round sounding sequence N round sounding sequence SAC for sequence generation (SACN) Protected LMR TF -> Location Poll TF -> Location Uplink Sounding DL NDPA DL NDP Protected LMR DL NDP Poll UL NDP Response SAC for sequence generation (SACN) LTF sequence generation information SAC for sequence generation (SACN+1) LTF sequence generation information Derive LTF sequence of UL NDP and DL NDP of Nth round sounding sequence SAC for measurement sequence (SACN-2) Location measurement information SAC for measurement sequence (SACN-1) Location measurement information Submission Slide 14 Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  15. January 2018 doc.: IEEE 802.11-18/0229r1 Secure MU Ranging Measurement Procedure The LMR is an Action No ACK frame So, need a procedure for recovery the LMR reception failure. If the LMR was not correctly received: For UL NDP, the iSTA uses a known UL NDP LTF sequence (not suitable for measurement). For DL NDP, the rSTA may use the secured DL NDP LTF sequence (not suitable for measurement). If two sided LMR is used, the iSTA indicates measurements are invalidated. The rSTA sends a new protected LMR content (measurement results are lost only for immediate sounding sequence). The iSTA may come back to the channel and participate in a new sounding sequence at the next availability interval by responding to a future TF Location -> Poll. Slide 15 Submission Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  16. January 2018 doc.: IEEE 802.11-18/0229r1 Secure MU Ranging Measurement Procedure Secure MU ranging measurement example N-1 round sounding sequence N round sounding sequence SAC for sequence generation (SACN) Protected LMR TF -> Location Poll TF -> Location Uplink Sounding DL NDPA DL NDP Protected LMR DL NDP Poll UL NDP Error Response SAC for sequence generation (SACN) LTF sequence generation information SAC for sequence generation (SACN+1) LTF sequence generation information Known LTF sequence is used since SAC is not matched. SAC for measurement sequence (SACN-2) Location measurement information SAC for measurement sequence (SACN-1) Location measurement information Submission Slide 16 Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  17. January 2018 doc.: IEEE 802.11-18/0229r1 Straw Poll Do you support the following SFD texts for secure SU ranging measurement (normal operation)? For normal operation of secure SU ranging, The keys or cipher sequence (if needed) for LTF sequence generation are the result of the FTM negotiation Sequence generation information for the first measurement instance is part of the IFTM, the measurement phase only commences once the negotiation is successful The frame used to deliver subsequent LTF sequence generation information is the protected LMR frame The specifics of LTF sequence generation information is TBD, this information associated with a Sequence Authentication Code (SAC) The NDPA carries the SAC indication, a specific reserved value indicates New LTF generation information needed . The SAC is also included in the IFTM for the first measurement instance and in the LMR for subsequent Submission Slide 17 Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  18. January 2018 doc.: IEEE 802.11-18/0229r1 Straw Poll Do you support the following the following SFD text for secure SU ranging measurement (SAC operation)? The size of the SAC should be sufficiently long to prevent simple guessing An adversary doesn t know the SAC and is unable to predict it and thus can t trigger the measurement instance (DOS). In addition the SAC and its associated measurement results are carried in the LMR. If an incorrect SAC is received by the RSTA, the RSTA discards the NDPA (no DL NDP) and keep the current SAC and associated LTF sequence generation information. Submission Slide 18 Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  19. January 2018 doc.: IEEE 802.11-18/0229r1 Straw Poll Do you support the following SFD texts for secure SU ranging measurement (LMR error recovery operation)? The LMR is an Action non ACK frame If the LMR was not correctly received: The iSTA comes back to the channel and transmit an NDPA indicating New LTF generation information needed . The previous LTF generation information is invalidated. For UL NDP the iSTA uses a known UL NDP LTF sequence (not suitable for measurement). For DL NDP the rSTA may use the secured DL NDP LTF sequence (not suitable for measurement). The rSTA sends a new protected LMR content (meas. are lost only for immediate). The iSTA may comeback to the channel and initiate a new sounding sequence minToaReady time after. Submission Slide 19 Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  20. January 2018 doc.: IEEE 802.11-18/0229r1 Straw Poll Do you support the following SFD texts for secure MU ranging measurement (general operation)? For normal operation of secure MU ranging, Secure MU ranging measurement procedure is limited to a single iSTA. The delayed sequence generation where sequence generation information is carried in the previous sounding sequence instance. The keys or cipher sequence (if needed) for LTF sequence generation are the result of the FTM negotiation. LTF sequence generation information for the first measurement instance is a part of an iFTM, the measurement phase only commences once the negotiation is successful. The frame used to deliver subsequent LTF sequence generation information is the protected LMR frame. Submission Slide 20 Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  21. January 2018 doc.: IEEE 802.11-18/0229r1 Straw Poll Do you support the following SFD texts for secure MU ranging measurement (normal operation)? The specifics of LTF sequence generation information are TBD, but this information is associated with a Sequence Authentication Code (SAC). The Trigger Frame (TF) -> Location Uplink Sounding indicates the SAC for the following NDP frame corresponding to the LTF generation information. The SAC is also included in the iFTM for the first measurement instance and in the LMR for subsequent measurement instances. An adversary doesn t know the SAC and is unable to predict it and thus can t trigger the measurement instance (DOS). In addition the SAC and its associated measurement results are carried in the LMR. If an incorrect SAC is received by the iSTA, the iSTA may respond with a known LTF sequence or with any other LTF sequence and discards the current SAC and associated LTF sequence generation information. The size of the SAC should be sufficiently long to prevent simple guessing. Submission Slide 21 Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

  22. January 2018 doc.: IEEE 802.11-18/0229r1 Straw Poll Do you support the following SFD texts for secure MU ranging measurement (LMR error recovery operation)? The LMR is an Action No ACK frame If the LMR was not correctly received: For UL NDP, the iSTA uses a known UL NDP LTF sequence (not suitable for measurement). For DL NDP, the rSTA may use the secured DL NDP LTF sequence (not suitable for measurement). If two sided LMR is used, the iSTA indicates measurements are invalidated. The rSTA sends a new protected LMR content (measurement results are lost only for immediate sounding sequence). The iSTA may come back to the channel and participate in a new sounding sequence at the next availability interval by responding to a future TF Location -> Poll. Submission Slide 22 Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

Related


Student Appropriations Committee (SAC) Grant Request Process Overview

Student Appropriations Committee (SAC) Grant Request Process Overview

efan
IEEE 802.11 Proposal for 320MHz Ranging Enhancement

IEEE 802.11 Proposal for 320MHz Ranging Enhancement

eve
IEEE 802.11-20/1761r1 Ranging Protocol for 11bd

IEEE 802.11-20/1761r1 Ranging Protocol for 11bd

ted
Sequence Patterns Using Different Representations

Sequence Patterns Using Different Representations

raheem
Introduction to Data Analysis in Geophysics with Seismic Analysis Code - SAC Lab 2.1

Introduction to Data Analysis in Geophysics with Seismic Analysis Code - SAC Lab 2.1

lyeat
Evolutionary Dynamics in Signaling Games and Strategies

Evolutionary Dynamics in Signaling Games and Strategies

simonian_l
Signaling Pathway Through TLR4: A Molecular Signal Transduction Process

Signaling Pathway Through TLR4: A Molecular Signal Transduction Process

riia345
Cell Communication: Signaling Mechanisms and Types

Cell Communication: Signaling Mechanisms and Types

set_boy
Authentication Mechanisms and Security Vulnerabilities

Authentication Mechanisms and Security Vulnerabilities

lev_tre
IEEE 802.11-18-1269-00-00az Clock Synchronization Investigation

IEEE 802.11-18-1269-00-00az Clock Synchronization Investigation

choudhry_j
Development of Female Gamete and Embryo Sac in Plant Reproduction

Development of Female Gamete and Embryo Sac in Plant Reproduction

anam_733
Primary Malignant Melanoma of the Lacrimal Sac: A Rare Case Report

Primary Malignant Melanoma of the Lacrimal Sac: A Rare Case Report

tor_dil
Characterization of 3G Control-Plane Signaling Overhead

Characterization of 3G Control-Plane Signaling Overhead

vanhooser_x
Passive Location Ranging Using Phase Shift Based TOA Reporting

Passive Location Ranging Using Phase Shift Based TOA Reporting

ales_563
Optimizing Time-Stamp Reporting for 802.11 FTM Measurements

Optimizing Time-Stamp Reporting for 802.11 FTM Measurements

chipper
Secure Authentication Using ISO 15693 RFID Tags

Secure Authentication Using ISO 15693 RFID Tags

rtrez
IEEE 802.11 NGV Ranging Discussions Summary

IEEE 802.11 NGV Ranging Discussions Summary

sirmich
Authentication in Networking Environments

Authentication in Networking Environments

bolander_j
SAML and Duo 2FA Part 3: Authentication and Assurance Overview Quiz

SAML and Duo 2FA Part 3: Authentication and Assurance Overview Quiz

randhawa_j
Ranging Protocol Overview

Ranging Protocol Overview

medidoc
Mt. SAC 2035 Integrated Planning for Future Success

Mt. SAC 2035 Integrated Planning for Future Success

sylvanna
Proposed Navigation Message Authentication for Civil GPS Anti-Spoofing

Proposed Navigation Message Authentication for Civil GPS Anti-Spoofing

hoke_k

More Related Content