Techniques for Protecting Frames in IEEE 802.11-17/0780r1 Ranging PHY Security

may 2017 n.w
1 / 11
Embed
Share

Explore techniques described in the May 2017 document to safeguard ranging measurements at the PHY level from various attacks such as denial-of-service, perturbation, and spoofing attacks. The document also presents an example overlay attack on NDP-based ranging and discusses example PHY security techniques involving phase encoding and cyclic shifting of training signals.

  • IEEE 802.11
  • Ranging
  • PHY Security
  • Denial-of-Service
  • Spoofing
rayaanacharya
kentleywe Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. May 2017 doc.: IEEE 802.11-17/0780r1 Ranging PHY Security Date: 2017-05-10 Authors: Name Erik Lindskog Affiliations Address Qualcomm Phone email elindsko@qti.qualcomm.com nkakani@qti.qualcomm.com Naveen Kakani Qualcomm alirezar@qti.qualcomm.com Ali Raissinia Qualcomm ning@qti.qualcomm.com Ning Zhang Qualcomm xiaoxinz@qti.qualcomm.com Christine Zhang Qualcomm crberger@marvell.com Christian Berger Marvell Submission Slide 1 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

  2. May 2017 doc.: IEEE 802.11-17/0780r1 Abstract This presentation describes some techniques for protecting frames for ranging measurements from PHY level attacks. Submission Slide 2 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

  3. May 2017 doc.: IEEE 802.11-17/0780r1 Ranging PHY Security Attacks Levels of attacks Denial of service attack: The attacker interferes with the ranging signal such as to generate a denial-of- service attack. This is very hard to protect from. Perturbation attack: The attacker is interfere with the victim s ranging, but is the attacker is not able to control the resulting perceived range. Spoofing attack: The attacker interferes with the victim s ranging and is able to control the victim s perceived range. The spoofing attack is the most dangerous kind of attack as it has the greatest potential to provide an incentive for the attacker. Submission Slide 3 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

  4. May 2017 doc.: IEEE 802.11-17/0780r1 Overlay Attack on NDP based Ranging Example training sequence overlay attack Attacker Initiator Responder NDPA NDP T1 NDP Attack T2 or T2* NDP T3 NDP Attack T4 or T4* T2/T2* and T3 feedback Computed incorrect RTT* = (T2*-T1 + T4* T3)/2 Submission Slide 4 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

  5. May 2017 doc.: IEEE 802.11-17/0780r1 Example PHY Security Techniques (1) Phase encoding of LTF base sequence: Apply varying phase rotations to the LFT base sequence High variability in training sequence May affect PAPR Using sequences with good PAPR can be an option Requires HW change Submission Slide 5 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

  6. May 2017 doc.: IEEE 802.11-17/0780r1 Example PHY Security Techniques (2) Cyclic shifting of training signal: Apply varying cyclic shifts to the training signal Less variability in training sequence Preserves PAPR Can likely be implemented in SW or possibly with smaller HW change Submission Slide 6 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

  7. May 2017 doc.: IEEE 802.11-17/0780r1 Cyclic Shift PHY Security in NDP Frames Variable cyclic shift on ranging training Attacker does not know the shift => Attacker can in general not perform a spoofing attack No change in basic channel estimation is needed No data is demodulated Compensate for shift in SW in ranging calculations Submission Slide 7 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

  8. May 2017 doc.: IEEE 802.11-17/0780r1 Cyclic Shift PHY Security Applied to 802.11Revmc FTM evolution Variable cyclic shift applied to LTF and subsequent fields Enables decoding of payload in frame No change required to channel estimation and data processing in receiver Change to cyclic shift required in transmitter May only require SW or smaller HW change Compensate for cyclic shift in SW for ranging purposes Submission Slide 8 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

  9. May 2017 doc.: IEEE 802.11-17/0780r1 Compensation for Used Cyclic Shift The cyclic shift used need not be conveyed but can be included in the time stamps. The transmitting STA knows the CSD applied and can thus compensate for it the time stamps it either communicates, or just uses. For example, if the initiator applies a CSD of t_a to the first measurement frame , the initiator can instead of sending the true t_1, send a compensated t_1 t_1 = t_1 + t_a (or is it - t_a ) Similarly, if the responder applies a CSD of t_b to the second measurement frame , then responded can instead of using t_3 in its calculations, use a compensated t_3: t_3 = t_3 + t_b (or is it -t_b ) Other time stamps communicated or used can be compensated correspondingly. Submission Slide 9 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

  10. May 2017 doc.: IEEE 802.11-17/0780r1 Enhanced Security The most vulnerable use case is that of range estimation, e.g. confirmation of one STA being close to another STA E.g. car key close to car Require multiple range estimates for such sensitive use cases. Attacker has to guess a whole sequence of applied CSDs Can make it arbitrarily difficult for the attacker to guess the CSDs Submission Slide 10 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

  11. May 2017 doc.: IEEE 802.11-17/0780r1 Proposal To prevent spoofing attacks, apply per packet varying CSDs to LTFs used for ranging in NDP based ranging measurement frames L-LTF fields and beyond in evolution of 802.11REVmc FTM frames Used CSDs can be conveyed by compensating communicated or used time stamps Especially sensitive use cases can have the security enhanced by requiring multiple ranging measurements, each with a different varying CSD applied. Submission Slide 11 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

Related


Role of Security Champions in Organizations

Role of Security Champions in Organizations

irvin
Roles of a Security Partner

Roles of a Security Partner

zaara
Proposal for EHT 320 MHz PPDU Support in EDCA Ranging for IEEE 802.11-23/0391r1

Proposal for EHT 320 MHz PPDU Support in EDCA Ranging for IEEE 802.11-23/0391r1

mehmet
IEEE 802.11 Proposal for 320MHz Ranging Enhancement

IEEE 802.11 Proposal for 320MHz Ranging Enhancement

eve
IEEE 802.11-20/1728r2 NGV Ranging Contributions

IEEE 802.11-20/1728r2 NGV Ranging Contributions

lillyrose
IEEE 802.11-20/1761r1 Ranging Protocol for 11bd

IEEE 802.11-20/1761r1 Ranging Protocol for 11bd

ted
Security Threats and Countermeasures

Security Threats and Countermeasures

grob_aid
IEEE 802.11-18-1269-00-00az Clock Synchronization Investigation

IEEE 802.11-18-1269-00-00az Clock Synchronization Investigation

choudhry_j
Simulation Results for LC-Optimized PHY Proposal in July 2019

Simulation Results for LC-Optimized PHY Proposal in July 2019

cout_an
Passive Location Ranging Using Phase Shift Based TOA Reporting

Passive Location Ranging Using Phase Shift Based TOA Reporting

ales_563
JESD204B Physical Layer (PHY) in High-Speed Serial Interfaces

JESD204B Physical Layer (PHY) in High-Speed Serial Interfaces

cab_ov
IEEE 802.11 NGV Ranging Discussions Summary

IEEE 802.11 NGV Ranging Discussions Summary

sirmich
Ethernet PHY Registers Tool Operation

Ethernet PHY Registers Tool Operation

berkshire_r
Relevance of Lean PHY for EHT in 6 GHz

Relevance of Lean PHY for EHT in 6 GHz

hjod
Comprehensive DevOps Security Training Overview

Comprehensive DevOps Security Training Overview

jahv_808
Enhancing HRP UWB PHY through Simultaneous Ranging Technique

Enhancing HRP UWB PHY through Simultaneous Ranging Technique

brodri
Channel Estimation Field for EDMG OFDM PHY in 11ay

Channel Estimation Field for EDMG OFDM PHY in 11ay

cha_hin
IEEE 802.11-19/2034r0 MAC Layer Support for LC PHY Operation

IEEE 802.11-19/2034r0 MAC Layer Support for LC PHY Operation

yoc_d
Interference Detection for High-Integrity Ranging in UWB Systems

Interference Detection for High-Integrity Ranging in UWB Systems

anyelina
IEEE 802.15.3e Single Carrier PHY Proposal for High-Rate Close Proximity System

IEEE 802.15.3e Single Carrier PHY Proposal for High-Rate Close Proximity System

sier200
Performance Analysis of Ranging Integrity Fragment with Distance Commitment

Performance Analysis of Ranging Integrity Fragment with Distance Commitment

alofa
Innovative Multi-Millisecond Ranging and Data Transmission Technique

Innovative Multi-Millisecond Ranging and Data Transmission Technique

nrexr

More Related Content