Replay Attack to Secured TB Ranging

Presentation transcript:

Replay Attack to Secured TB Ranging
doc.: IEEE 802.11-yy/xxxxr0, Mar. 2019
Date: 2019-03-12
Jonathan Segev, Intel

Introduction

The secured TB ranging has the following features:
- The SAC code for the UL/DL NDPs is carried in the TF for sounding
- The DL NDP has separate HE-LTF fields for different ISTAs
- An ISTA's HE-LTF field is constructed based on that ISTA's SAC
- The NDPA indicates the HE-LTF field allocation of each ISTA
- The NDPA is a broadcast packet with no security protection

This submission relates to the replay attack model described in the CID 1580 comment in TGaz LB240.

Secured TB Ranging Sequence

For the DL NDP, the NDPA allocates HE-LTF 1 to ISTA1 and HE-LTF 2 to ISTA2.

[Figure: frame sequence between the RSTA, ISTA1 and ISTA2: TF for the UL NDPs, UL NDP from ISTA1 and from ISTA2, DL NDPA, DL NDP (Preamble, HE-LTF 1, HE-LTF 2) and DL LMR, each separated by a SIFS]

Replay Attack to Secured TB Ranging

- Fake NDPA: HE-LTF 1 to ISTA2 and HE-LTF 2 to ISTA1
- The attacker copies HE-LTF 1 of the DL NDP and replays it during HE-LTF 2 of the DL NDP
- ISTA1 is attacked and ISTA2 gets an invalid ToA

[Figure: the same sequence with the attacker's fake NDPA sent after the genuine DL NDPA, and the replayed HE-LTF 1 overlapping HE-LTF 2 of the DL NDP]

Detection of Replay Attack

Option 1: The NDPA frame includes the SAC for authentication
- Requires defining the SAC (16 bits) for the UL NDP and the DL NDP separately
- The sounding TF carries the SAC for the UL NDP and the NDPA carries the SAC for the DL NDP
- Causes two modes of random bit generation: TB ranging (two SACs) and NTB ranging (single SAC)
- If an ISTA receives an NDPA with an unknown SAC, the ISTA discards the NDPA

Option 2: Include the HE-LTF allocation information in the DL LMR
- DL Offset (6 bits), DL N_STS (3 bits) and DL Rep (3 bits)
- The DL LMR is a protected frame
- The ISTA compares the HE-LTF allocation information in the NDPA with that in the DL LMR
- If they do not match, the ISTA discards the measurements
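The two receiver-side checks of Option 1 and Option 2, as an added worked example (this is illustrative code, not code from the submission or from any 802.11az implementation). It models the unprotected NDPA and the protected DL LMR as plain records; the field names, the 16-bit SAC value 0x5A3C, the offset indices 0 and 1 and the N_STS/Rep values are constructed assumptions, and the source from which the ISTA knows the expected DL SAC (its secure ranging context) is assumed rather than specified by the slides.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class HeLtfAllocation:
    """HE-LTF allocation fields as Option 2 proposes to carry them in the protected DL LMR."""
    offset: int  # DL Offset, 6 bits
    n_sts: int   # DL N_STS, 3 bits
    rep: int     # DL Rep, 3 bits

    def __post_init__(self) -> None:
        if not (0 <= self.offset < 2**6 and 0 <= self.n_sts < 2**3 and 0 <= self.rep < 2**3):
            raise ValueError("HE-LTF allocation field out of range")


@dataclass(frozen=True)
class Ndpa:
    """Broadcast, unprotected NDPA: per-ISTA HE-LTF allocation plus (Option 1) a 16-bit DL SAC."""
    allocations: Dict[str, HeLtfAllocation]
    dl_sac: Optional[int] = None


@dataclass(frozen=True)
class DlLmr:
    """Protected DL LMR for one ISTA, extended (Option 2) with that ISTA's HE-LTF allocation."""
    allocation: HeLtfAllocation


def option1_accept_ndpa(ndpa: Ndpa, expected_dl_sac: int) -> bool:
    """Option 1: the ISTA discards an NDPA whose DL SAC is missing, malformed or unknown.
    expected_dl_sac is assumed to come from the ISTA's secure ranging context."""
    if ndpa.dl_sac is None or not 0 <= ndpa.dl_sac < 2**16:
        return False
    return ndpa.dl_sac == expected_dl_sac


def option2_accept_measurement(ista: str, ndpa: Ndpa, lmr: DlLmr) -> bool:
    """Option 2: the ISTA keeps the measurement only if the allocation it was given in the
    unprotected NDPA matches the allocation the RSTA reports in the protected DL LMR."""
    return ndpa.allocations.get(ista) == lmr.allocation


# Constructed scenario from the slides: the genuine NDPA gives HE-LTF 1 to ISTA1 and HE-LTF 2
# to ISTA2; the fake NDPA swaps them. Offsets 0/1 are assumed field indices; n_sts=1 and rep=1
# are placeholder values for the remaining allocation fields.
LTF1 = HeLtfAllocation(offset=0, n_sts=1, rep=1)
LTF2 = HeLtfAllocation(offset=1, n_sts=1, rep=1)
GENUINE_DL_SAC = 0x5A3C  # constructed 16-bit value shared by RSTA and ISTA1
genuine_ndpa = Ndpa({"ISTA1": LTF1, "ISTA2": LTF2}, dl_sac=GENUINE_DL_SAC)
fake_ndpa = Ndpa({"ISTA1": LTF2, "ISTA2": LTF1}, dl_sac=0x0000)  # attacker does not know the SAC
lmr_for_ista1 = DlLmr(allocation=LTF1)  # what the RSTA actually transmitted, carried protected


def run_checks() -> Dict[str, bool]:
    """Outcome of both checks at ISTA1 for the genuine and the fake NDPA."""
    return {
        "option1_genuine": option1_accept_ndpa(genuine_ndpa, GENUINE_DL_SAC),
        "option1_fake": option1_accept_ndpa(fake_ndpa, GENUINE_DL_SAC),
        "option2_genuine": option2_accept_measurement("ISTA1", genuine_ndpa, lmr_for_ista1),
        "option2_fake": option2_accept_measurement("ISTA1", fake_ndpa, lmr_for_ista1),
    }


if __name__ == "__main__":
    for name, accepted in run_checks().items():
        print(f"{name}: {'accept' if accepted else 'discard'}")
```

Option 1 rejects the fake NDPA before any measurement is taken, whereas Option 2 only rejects the resulting measurement once the protected DL LMR arrives; in the swapped-allocation scenario ISTA2 would fail the Option 2 comparison for the same reason, which matches the slide's remark that ISTA2 also ends up with an invalid ToA.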

Detection of Replay Attack (cont'd)

Option 3: For each ISTA, define the ToD/ToA of the DL NDP separately, based on the start of that ISTA's HE-LTF field
- According to legacy FTM, the ToD/ToA of the DL NDP is defined by the time at which the start of the preamble of the DL NDP appears at the RSTA's transmit or the ISTA's receive antenna connector
- To detect the replay attacker, the RSTA and the ISTA can instead define the ToD and ToA based on the start of the corresponding HE-LTF field
  - The ToD is the time at which the start of the HE-LTF field appears at the RSTA's transmit antenna
  - The ToA is the time at which the start of the HE-LTF field appears at the ISTA's receive antenna
- When a replay attack is present, the RTT is significantly increased, so that it can be detected
- Downside: it may need a hardware change for the derivation of ToD/ToA, and if the real range is larger than 2160 m it may trigger a false alarm

An example for Option 3

In the DL NDP, the reference points for ISTA1's and ISTA2's ToA and ToD.

[Figure: the sequence of the previous slides; the reference point for ISTA1's ToD and ToA is the start of HE-LTF 1 and the reference point for ISTA2's ToD and ToA is the start of HE-LTF 2 of the DL NDP]

An example for Option 3 (cont'd)

- The RSTA derives ISTA1's ToD based on the correct reference point, and ISTA1 derives the corresponding ToA based on the fake reference point
- ISTA1's RTT is increased by the duration of the HE-LTF 1 field
- The minimum duration of HE-LTF 1 is 14.4 us -> 2160 m increase in range (invalid)

[Figure: the attack sequence with the reference point for ISTA1's ToD at the RSTA (start of HE-LTF 1) and the fake reference point for ISTA1's ToA (start of the replayed HE-LTF 1), shifted by one HE-LTF 1 duration]
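The Option 3 arithmetic carried through, as an added example (illustrative code, not from the submission). It computes the two-way range from the four timestamps, shifts ISTA1's ToA by the 14.4 us minimum HE-LTF 1 duration the slide gives, and applies the resulting 2160 m threshold; the 100 m and 2500 m ranges, the 100 us RSTA turnaround and the speed-of-light approximation of 3e8 m/s (the value behind the slide's 2160 m figure) are constructed assumptions. The 2500 m case is included to show the false-alarm downside the previous slide notes.

```python
# Times are in microseconds, distances in metres.
C_M_PER_US = 300.0     # speed of light approximated as 3e8 m/s, which yields the slide's 2160 m figure
HE_LTF1_MIN_US = 14.4  # minimum duration of the HE-LTF 1 field, as stated on the slide
# A replayed HE-LTF 1 is timestamped at least one HE-LTF 1 duration late, so the derived
# one-way range grows by at least this much (constructed threshold derived from the slide).
REPLAY_RANGE_STEP_M = HE_LTF1_MIN_US * C_M_PER_US / 2.0  # 2160 m


def range_from_timestamps(t1_us: float, t2_us: float, t3_us: float, t4_us: float) -> float:
    """Two-way ranging: t1 = ISTA ToD of its UL NDP, t2 = RSTA ToA of that UL NDP,
    t3 = RSTA ToD of the DL NDP, t4 = ISTA ToA of the DL NDP.
    RTT = (t4 - t1) - (t3 - t2); one-way range = RTT * c / 2."""
    rtt_us = (t4_us - t1_us) - (t3_us - t2_us)
    return rtt_us * C_M_PER_US / 2.0


def simulate_ista1_range(true_range_m: float, replayed: bool,
                         rsta_turnaround_us: float = 100.0) -> float:
    """ISTA1's measured range with Option 3 reference points.
    The RSTA always stamps ToD at the start of HE-LTF 1, the field it really allocated to ISTA1.
    Under the attack, the fake NDPA tells ISTA1 its field is HE-LTF 2, so ISTA1 stamps ToA at
    the start of the replayed copy, which arrives one HE-LTF 1 duration later (minimum case)."""
    tof_us = true_range_m / C_M_PER_US
    t1 = 0.0
    t2 = t1 + tof_us
    t3 = t2 + rsta_turnaround_us  # assumed RSTA processing gap; it cancels out in the RTT
    t4 = t3 + tof_us
    if replayed:
        t4 += HE_LTF1_MIN_US
    return range_from_timestamps(t1, t2, t3, t4)


def replay_suspected(measured_range_m: float, threshold_m: float = REPLAY_RANGE_STEP_M) -> bool:
    """Option 3 detection rule: a measured range at or beyond the replay step is treated as
    invalid. Genuine ranges beyond the threshold are flagged too (the slide's false-alarm downside)."""
    return measured_range_m >= threshold_m


def demo() -> dict:
    """Genuine 100 m link, the same link under the replay, and a genuine 2500 m link."""
    genuine = simulate_ista1_range(100.0, replayed=False)
    attacked = simulate_ista1_range(100.0, replayed=True)
    far_genuine = simulate_ista1_range(2500.0, replayed=False)
    return {
        "genuine_100m": (round(genuine, 3), replay_suspected(genuine)),
        "attacked_100m": (round(attacked, 3), replay_suspected(attacked)),
        "genuine_2500m_false_alarm": (round(far_genuine, 3), replay_suspected(far_genuine)),
    }


if __name__ == "__main__":
    for name, (rng, flagged) in demo().items():
        print(f"{name}: {rng} m, replay suspected = {flagged}")
```

The turnaround time drops out of the RTT, so the only term the attacker can add is the delay between the real HE-LTF 1 and its replayed copy, which is why the detection threshold depends solely on the field duration and not on the link geometry.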

Conclusions

- A replay attack model for secured TB ranging was investigated
- Different solutions are proposed for detecting the replay attacker
- Will further investigate this attacker model and follow up in a future meeting