Enhancement to support private ranging (doc.: IEEE 15-05-0627-00-004a, 27 October 2005)

Presentation transcript:

27 October 2005, doc.: IEEE 15-05-0627-00-004a
Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs)
Submission Title: [Enhancement to support private ranging]
Date Submitted: [27 October, 2005]
Source: [Serge Héthuin, Arnaud Tonnerre] Company [THALES Communications]
Address [THALES Communications, 146 boulevard de Valmy, 92704 Colombes, France]
E-Mail: [serge.hethuin@fr.thalesgroup.com, arnaud.tonnerre@fr.thalesgroup.com]
Re: [802.15.4a.]
Abstract: [Enhancement to support private ranging.]
Purpose: [To promote discussion in 802.15.4a.]
Notice: This document has been prepared to assist the IEEE P802.15. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
Release: The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P802.15.

Enhancement to support private ranging
Serge Héthuin, Arnaud Tonnerre
THALES Communications

Objectives
- Future ranging-based applications will require privacy
- Privacy means that the ranging information cannot be obtained and manipulated by an unauthorized party
- Private ranging is an optional mode, which intends to provide solutions to most of the targeted applications

Contents
- Threats to ranging
  - Eavesdropping
  - Man In The Middle (MITM)
  - Denial of Service (DoS)
- Private-ranging services
- Private-ranging modes

Threats to ranging

Threats to ranging
- Passive attacks:
  - Eavesdropping: unauthorized interception of ranging packets to obtain distance information
- Active attacks:
  - Man In The Middle (MITM): unauthorized party intercepts and selectively modifies ranging packets
  - Denial of Service (DoS): action which prevents ranging from functioning in accordance with its intended purpose

Eavesdropping
- Unauthorized party obtains information on:
  - Data transported by ranging frames (crystal offset, timestamp…), if any
  - Distance evaluation
- Encryption provided by higher layer
- Requires physical layer protection
- Private ranging shall provide confidentiality

Eavesdropping: Distance evaluation - ranging with contention
- Context: CAP of a superframe or nonbeacon-enabled PAN
- Node X wiretaps the ranging exchanges between A and B
[Figure: frames (SHR, PHR / PSDU) of Node A and Node B as received by Node X]

Eavesdropping: Distance evaluation - ranging with contention
- The unauthorized node can measure the interval between the reception of the ranging frames
- The same measurement can be realized when ranging is originated by the other device (node B)
- These two measurements allow node X to determine the distance between A and B:

Eavesdropping: Distance evaluation - ranging without contention
- Ranging requires no interruption and no corruption
- Use of GTS (Guaranteed Time Slot) is optimal for ranging
- Slots can be divided into several minislots (fine structure)
- Introduced in doc. 550-00
- One minislot is allocated to perform one distance measurement
- GTS guarantees ranging transmission
- The fine structure provides flexibility

Eavesdropping: Distance evaluation - ranging without contention
- Ranging exchanges between A and B in a GTS
[Figure: frames (SHR, PHR / PSDU) of Node A, Node B and Node X, aligned on the start of GTS]

Eavesdropping: Ranging without contention
- On receipt of a ranging packet (request), the unauthorized node can obtain its distance to the node originator, knowing:
  - The preamble duration of the ranging packet ( )
  - The start of GTS ( )
- Mutual ranging allows the unauthorized node to obtain the distance between A and B, but also its distance to these devices
[Figure: nodes A, B and X]

Solutions to Eavesdropping
- Prevent unauthorized node from accessing the distance between the nodes involved in ranging
- Prevent unauthorized node from measuring the distance between the originator and itself when ranging is performed in CFP
- Dithering the turn-around time
- Transmission of the dither in a separate packet
- Dithering the start of ranging in a GTS
- Transmission of the dither in a separate packet

Man In The Middle
- Unauthorized party sends a ranging frame under an assumed identity:
  - Start a two-way ranging procedure with any device of a piconet
  - Respond to a ranging request in a TWR procedure
- Authentication provided by higher layer
- Requires physical layer protection
- Private ranging shall provide authentication

Man In The Middle: Respond to a ranging request in a TWR procedure
- Attacker (node X) spoofs the long / short address of the device specified in the ranging request in order to masquerade as it
- Result: The unauthorized node can provide false information to the originator
[Figure: nodes A, B, C (originator) and X; ranging request and false ranging response]
- See ugly impostor in doc. 497-04

Solutions to Man In The Middle
- Prevent unauthorized node from sending ranging response frames after having spoofed an address
- Transmission of a notification frame
- Use of a dedicated waveform for ranging signaling

Denial of Service
- Attacker interferes with the desired signal:
  - Generating enough noise (jamming attack)
  - Associating to the piconet and generating a large amount of traffic
  - Injecting traffic into the radio network without associating to the coordinator
- Requires physical layer protection
- Private ranging shall provide robustness

Denial of Service
- Transmitted information shall be received despite deliberate jamming attempts
- Involved measures should be applied to both ranging and data transmissions
[Figure: nodes A, B, C and X; ranging frames]
- See ugly impostor in doc. 497-04

Solutions to Denial of Service
- Identify existence and back off is not sufficient
- Avoiding the jammed frequencies
  - Frequency hopping (not enough frequency bands)
  - Dynamic Frequency Selection (DFS)

Solutions to Denial of Service: Dynamic Frequency Selection
- The two optional bands of 500 MHz allow the use of 3 different channels (Sub-GHz and above-6 GHz bands are other alternatives)
- The mandatory band is used by default and then, if an interferer appears, the coordinator selects one of the other bands
- Can be used as DAA (Detect and Avoid) for compliance to regulatory requirements
[Figure: band plan with channels numbered 1 to 7 and a 4 GHz label; frequency selection; interference]

Private-ranging services

Private-ranging services
- Confidentiality
  - Dithering the turn-around time and ranging start in a GTS
  - Transport dither values in a separate frame
  - Ranging waveform setting (notification frame)
- Authentication
  - Use of notification frame prior to ranging
- Robustness
  - Use of dynamic frequency selection

Private-ranging modes

Private-ranging modes
- Unprivate-ranging (UR) mode
  - Mandatory mode which offers no privacy
- Confidential-ranging (CR) mode
  - Provides confidentiality (optional)
- Private-ranging (PR) mode
  - Provides confidentiality and authentication (optional)
- Robust-ranging (RR) mode
  - Provides confidentiality, authentication and robustness (optional)
- No-ranging (NR) mode
  - Ranging is not authorized (optional)

Private-ranging modes
- Privacy is set according to the type of object to be ranged and then each node has a specific private-ranging mode
- If the modes are different in the originator and the recipient, the highest privacy level shall be used
[Figure: example objects. Toy: unprivate or confidential ranging mode. Child: private or robust ranging mode. Safe: no-ranging mode (ranging signal; ranging is not authorized)]

Unprivate-ranging mode
- A node with UR mode allows ranging in the piconet without the use of privacy
- Unprivate ranging can only be performed between two nodes with UR mode
- Fast ranging: No additional messages
- Only the maximum ranging grade is allowed

Unprivate-ranging mode
[Message sequence chart between Originator MAC, Originator PHY, Recipient PHY and Recipient MAC (both nodes in UR mode). Labels, in the order they appear: PD-DATA.request; DATA (ServiceType = UR_MODE); PD-DATA.indication; Turn-around time; ACK; PD-DATA.indication; PD-DATA.request]

Confidential-ranging mode
- A node with CR mode allows ranging in the piconet using the confidential-ranging service
- Slow ranging: One additional message (Timestamp frame)
- Dithering of the turn-around time
- Transport of the dither time in a separate frame
- Possible use of ranging grades

Confidential-ranging mode
[Message sequence chart between Originator MAC, Originator PHY, Recipient PHY and Recipient MAC (both nodes in CR mode). Labels, in the order they appear: PD-DATA.request; DATA (ServiceType = CR_MODE); PD-DATA.indication; Dithered turn-around time; ACK; PD-DATA.indication; PD-DATA.request; DATA (DitherTime, RangingGrade); PD-DATA.request; PD-DATA.indication; Timestamp frame]
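The effect of the dithered turn-around time in confidential-ranging mode can be checked numerically. The following is an added example, not part of the original slides: it models one A-originated and one B-originated request/ACK exchange, and compares the distance the originator computes (it receives DitherTime in the Timestamp frame) with what a passive observer X computes from frame arrival intervals. The nominal turn-around value, the geometry, the dither range and the observer's formula (derived here from propagation geometry, not taken from the slides) are assumptions, as is X being unable to read DitherTime.

```python
import random

C = 299_792_458.0   # propagation speed, m/s
T_TA = 192e-6       # nominal turn-around time in seconds (assumed value)


def exchange(d_ab, d_x_orig, d_x_resp, dither):
    """One request/ACK ranging exchange with a dithered turn-around time.

    Returns (round-trip time measured by the originator,
             interval between the two frames as received by observer X).
    d_x_orig / d_x_resp are X's distances to the originator / responder.
    """
    reply_delay = T_TA + dither
    t_round = 2 * d_ab / C + reply_delay
    x_interval = d_ab / C + reply_delay + (d_x_resp - d_x_orig) / C
    return t_round, x_interval


def originator_distance(t_round, dither):
    """Originator subtracts the nominal turn-around and the DitherTime it
    received afterwards in the Timestamp frame."""
    return C * (t_round - T_TA - dither) / 2


def observer_distance(interval_1, interval_2):
    """Observer X adds the intervals of an A-originated and a B-originated
    exchange (its own position cancels) and assumes the nominal turn-around."""
    return C * (interval_1 + interval_2 - 2 * T_TA) / 2


def simulate(d_ab, d_ax, d_bx, max_dither, rng):
    """Run both exchanges; return what the originator and X each compute."""
    dither_1 = rng.uniform(0.0, max_dither)
    dither_2 = rng.uniform(0.0, max_dither)
    t_round, i1 = exchange(d_ab, d_ax, d_bx, dither_1)   # A originates
    _, i2 = exchange(d_ab, d_bx, d_ax, dither_2)         # B originates
    return originator_distance(t_round, dither_1), observer_distance(i1, i2)


if __name__ == "__main__":
    rng = random.Random(1)
    for max_dither in (0.0, 100e-9):   # constructed values
        own, seen = simulate(10.0, 7.0, 12.0, max_dither, rng)
        print(f"max dither {max_dither * 1e9:5.1f} ns: "
              f"originator {own:6.2f} m, observer X {seen:6.2f} m")
```

Each nanosecond of undisclosed dither shifts the observer's estimate by about 0.15 m, so the dither range has to be sized against the ranging accuracy an eavesdropper should be denied.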

Private-ranging mode
- A node with PR mode allows ranging in the piconet using the private-ranging service
- Slower ranging: Additional messages (Notification and Timestamp frames)
- Dithering of the turn-around time
- Transport of the dither time in a separate frame
- Dedicated waveform for the ranging signaling
- Possible use of ranging grades

Private-ranging mode
[Message sequence chart between Originator MAC, Originator PHY, Recipient PHY and Recipient MAC (both nodes in PR mode). Labels, in the order they appear: Notification frame; PD-DATA.request; DATA (ServiceType = PR_MODE); PD-DATA.indication; PLME-SET.confirm; PD-DATA.request; DATA (DitherTime, RangingGrade, Waveform); PD-DATA.indication; Timestamp frame; PLME-SET.request; PLME-SET.request; Modification of the waveform; PD-DATA.request; DATA; PD-DATA.indication; Dithered turn-around time; ACK; PD-DATA.indication; PD-DATA.request; Ranging frames using specified waveform]

Robust-ranging mode
- A node with RR mode allows ranging in the piconet using the robust-ranging service
- Slower ranging: Additional messages (Notification and Timestamp frames)
- Same measures as private-ranging mode
- Dynamic Frequency Selection handled by the coordinator
  - Detection of interference based on the received BER
  - Disassociation of every associated node
  - Selection of another frequency band and reassociation

No-ranging mode
- A node with No-ranging mode can't be involved in ranging
- No reply to ranging request and notification frames

Ranging with different modes
- Originator and recipient can have different modes in the same piconet
[Table: originator mode versus recipient mode (Unprivate, Confidential, Private / Robust, No ranging); cell entries: Special cases, Unprivate ranging, Confidential ranging, Private ranging]

Special cases
- Scheduled ranging mode should be modified
- Ranging is not allowed
[Message sequence chart between Originator MAC, Originator PHY (UR or CR mode) and Recipient PHY, Recipient MAC (other modes). Labels, in the order they appear: PD-DATA.request; DATA (ServiceType = UR_MODE); PD-DATA.indication; ACK (ServiceType = MODE); PD-DATA.indication; PD-DATA.request; PD-DATA.request; DATA (ServiceType); PD-DATA.indication; Notification or ranging frame]