Techniques for Protecting IEEE 802.11 Ranging Measurements from Attacks

may 2017 n.w
1 / 11
Embed
Share

Learn about techniques to safeguard IEEE 802.11 ranging measurements from various levels of attacks like denial of service, perturbation, and spoofing. Explore strategies such as phase encoding of LTF base sequences and cyclic shifting of training signals to enhance PHY security.

  • IEEE
  • Security Techniques
  • Ranging Measurements
  • Attacks
  • PHY Security
rayaanacharya
bcat Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. May 2017 doc.: IEEE 802.11-17/0780r2 Ranging PHY Security Date: 2017-05-10 Authors: Name Erik Lindskog Affiliations Address Qualcomm Phone email elindsko@qti.qualcomm.com nkakani@qti.qualcomm.com Naveen Kakani Qualcomm alirezar@qti.qualcomm.com Ali Raissinia Qualcomm ning@qti.qualcomm.com Ning Zhang Qualcomm xiaoxinz@qti.qualcomm.com Christine Zhang Qualcomm crberger@marvell.com Christian Berger Marvell Submission Slide 1 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

  2. May 2017 doc.: IEEE 802.11-17/0780r2 Abstract This presentation describes some techniques for protecting frames for ranging measurements from PHY level attacks. Submission Slide 2 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

  3. May 2017 doc.: IEEE 802.11-17/0780r2 Ranging PHY Security Attacks Levels of attacks Denial of service attack: The attacker interferes with the ranging signal such as to generate a denial-of- service attack. This is very hard to protect from. Perturbation attack: The attacker is interfere with the victim s ranging, but is the attacker is not able to control the resulting perceived range. Spoofing attack: The attacker interferes with the victim s ranging and is able to control the victim s perceived range. The spoofing attack is the most dangerous kind of attack as it has the greatest potential to provide an incentive for the attacker. Submission Slide 3 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

  4. May 2017 doc.: IEEE 802.11-17/0780r2 Overlay Attack on NDP based Ranging Example training sequence overlay attack Attacker Initiator Responder NDPA NDP T1 NDP Attack T2 or T2* NDP T3 NDP Attack T4 or T4* T2/T2* and T3 feedback Computed incorrect RTT* = (T2*-T1 + T4* T3)/2 Submission Slide 4 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

  5. May 2017 doc.: IEEE 802.11-17/0780r2 Example PHY Security Techniques (1) Phase encoding of LTF base sequence: Apply varying phase rotations to the LFT base sequence High variability in training sequence May affect PAPR Using sequences with good PAPR can be an option Requires HW change Submission Slide 5 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

  6. May 2017 doc.: IEEE 802.11-17/0780r2 Example PHY Security Techniques (2) Cyclic shifting of training signal: Apply varying cyclic shifts to the training signal Less variability in training sequence Preserves PAPR Can likely be implemented in SW or possibly with smaller HW change Submission Slide 6 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

  7. May 2017 doc.: IEEE 802.11-17/0780r2 Cyclic Shift PHY Security in NDP Frames Variable cyclic shift on ranging training Attacker does not know the shift => Attacker can in general not perform a spoofing attack No change in basic channel estimation is needed No data is demodulated Compensate for shift in SW in ranging calculations Submission Slide 7 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

  8. May 2017 doc.: IEEE 802.11-17/0780r2 Cyclic Shift PHY Security Applied to 802.11Revmc FTM evolution Variable cyclic shift applied to LTF and subsequent fields Enables decoding of payload in frame No change required to channel estimation and data processing in receiver Change to cyclic shift required in transmitter May only require SW or smaller HW change Compensate for cyclic shift in SW for ranging purposes Submission Slide 8 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

  9. May 2017 doc.: IEEE 802.11-17/0780r2 Compensation for Used Cyclic Shift The cyclic shift used need not be conveyed but can be included in the time stamps. The transmitting STA knows the CSD applied and can thus compensate for it the time stamps it either communicates, or just uses. For example, referring to the NDP based EFTM exchange in slide 4: If the initiator applies a CSD of t_a to the first measurement frame , the initiator can instead of using the true t_1 in its calculations, use a compensated t_1 t_1 = t_1 + t_a (or is it - t_a ) Similarly, if the responder applies a CSD of t_b to the second measurement frame , then responded can instead of feeding back t_3 send a compensated t_3: t_3 = t_3 + t_b (or is it -t_b ) Other time stamps communicated or used can be compensated correspondingly. Submission Slide 9 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

  10. May 2017 doc.: IEEE 802.11-17/0780r2 Enhanced Security The most vulnerable use case is that of range estimation, e.g. confirmation of one STA being close to another STA E.g. car key close to car Require multiple range estimates for such sensitive use cases. Attacker has to guess a whole sequence of applied CSDs Can make it arbitrarily difficult for the attacker to guess the CSDs Submission Slide 10 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

  11. May 2017 doc.: IEEE 802.11-17/0780r2 Proposal To prevent spoofing attacks, apply per packet varying CSDs to LTFs used for ranging in NDP based ranging measurement frames L-LTF fields and beyond in evolution of 802.11REVmc FTM frames Used CSDs can be conveyed by compensating communicated or used time stamps Especially sensitive use cases can have the security enhanced by requiring multiple ranging measurements, each with a different varying CSD applied. Submission Slide 11 Erik Lindskog, Naveen Kakani, Ali Raissinia, Ning Zhang and Christine Zhang - Qualcomm

Related


Proposal for EHT 320 MHz PPDU Support in EDCA Ranging for IEEE 802.11-23/0391r1

Proposal for EHT 320 MHz PPDU Support in EDCA Ranging for IEEE 802.11-23/0391r1

mehmet
IEEE 802.11 Proposal for 320MHz Ranging Enhancement

IEEE 802.11 Proposal for 320MHz Ranging Enhancement

eve
IEEE 802.11-20/1728r2 NGV Ranging Contributions

IEEE 802.11-20/1728r2 NGV Ranging Contributions

lillyrose
IEEE 802.11-20/1761r1 Ranging Protocol for 11bd

IEEE 802.11-20/1761r1 Ranging Protocol for 11bd

ted
IEEE 802.11-18-1269-00-00az Clock Synchronization Investigation

IEEE 802.11-18-1269-00-00az Clock Synchronization Investigation

choudhry_j
Simulation Results for LC-Optimized PHY Proposal in July 2019

Simulation Results for LC-Optimized PHY Proposal in July 2019

cout_an
Passive Location Ranging Using Phase Shift Based TOA Reporting

Passive Location Ranging Using Phase Shift Based TOA Reporting

ales_563
JESD204B Physical Layer (PHY) in High-Speed Serial Interfaces

JESD204B Physical Layer (PHY) in High-Speed Serial Interfaces

cab_ov
IEEE 802.11 NGV Ranging Discussions Summary

IEEE 802.11 NGV Ranging Discussions Summary

sirmich
Ethernet PHY Registers Tool Operation

Ethernet PHY Registers Tool Operation

berkshire_r
Relevance of Lean PHY for EHT in 6 GHz

Relevance of Lean PHY for EHT in 6 GHz

hjod
Enhancing HRP UWB PHY through Simultaneous Ranging Technique

Enhancing HRP UWB PHY through Simultaneous Ranging Technique

brodri
Channel Estimation Field for EDMG OFDM PHY in 11ay

Channel Estimation Field for EDMG OFDM PHY in 11ay

cha_hin
NGV PHY Simulation Overview: Channel Models and Implementations

NGV PHY Simulation Overview: Channel Models and Implementations

opern
Enabling DS-TWR with MMS Ranging for Improved Accuracy

Enabling DS-TWR with MMS Ranging for Improved Accuracy

demichael
Ranging Protocol Overview

Ranging Protocol Overview

medidoc
IEEE 802.11-19/2034r0 MAC Layer Support for LC PHY Operation

IEEE 802.11-19/2034r0 MAC Layer Support for LC PHY Operation

yoc_d
Interference Detection for High-Integrity Ranging in UWB Systems

Interference Detection for High-Integrity Ranging in UWB Systems

anyelina
IEEE 802.15.3e Single Carrier PHY Proposal for High-Rate Close Proximity System

IEEE 802.15.3e Single Carrier PHY Proposal for High-Rate Close Proximity System

sier200
Performance Analysis of Ranging Integrity Fragment with Distance Commitment

Performance Analysis of Ranging Integrity Fragment with Distance Commitment

alofa
Innovative Multi-Millisecond Ranging and Data Transmission Technique

Innovative Multi-Millisecond Ranging and Data Transmission Technique

nrexr
IEEE 802.11-20/1956r1 Ranging PHY Security Insights

IEEE 802.11-20/1956r1 Ranging PHY Security Insights

bsad

More Related Content