27 October 2005 doc.: IEEE a 27 October 2005

1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs)
Submission Title: [Enhancement to support private ranging]
Date Submitted: [27 October, 2005]
Source: [Serge Héthuin, Arnaud Tonnerre] Company [THALES Communications] Address [THALES Communications, 146 boulevard de Valmy, Colombes, France] E−Mail:
Re: [ a.]
Abstract: [Enhancement to support private ranging.]
Purpose: [To promote discussion in a.]
Notice: This document has been prepared to assist the IEEE P It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
Release: The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P

2 Enhancement to support private ranging
Serge Héthuin, Arnaud Tonnerre
THALES Communications

3 Objectives
Future ranging-based applications will require privacy
Privacy means that the ranging information cannot be obtained and manipulated by an unauthorized party
Private ranging is an optional mode, which intends to provide solutions to most of the targeted applications

4 Contents
Threats to ranging
  Eavesdropping
  Man In The Middle (MITM)
  Denial of Service (DoS)
Private-ranging services
Private-ranging modes

5 Threats to ranging

6 Threats to ranging
Passive attacks:
  Eavesdropping: unauthorized interception of ranging packets to obtain distance information
Active attacks:
  Man In The Middle (MITM): unauthorized party intercepts and selectively modifies ranging packets
  Denial of Service (DoS): action which prevents ranging from functioning in accordance with its intended purpose

7 Eavesdropping
Unauthorized party obtains information on:
  Data transported by ranging frames (crystal offset, timestamp…), if any
  Distance evaluation
Encryption provided by higher layer
Requires physical layer protection
Private ranging shall provide confidentiality

8 Eavesdropping
Distance evaluation - ranging with contention
Context: CAP of a superframe or nonbeacon-enabled PAN
Node X wiretaps the ranging exchanges between A and B
[Figure: SHR and PHR / PSDU frames; Node A, Node B, Node X]

9 Eavesdropping
Distance evaluation - ranging with contention
The unauthorized node can measure the interval between the reception of the ranging frames
The same measurement can be realized when ranging is originated by the other device (node B)
These two measurements allow node X to determine the distance between A and B:

10 Eavesdropping
Distance evaluation - ranging without contention
Ranging requires no interruption and no corruption
Use of GTS (Guaranteed Time Slot) is optimal for ranging
Slots can be divided into several minislots (fine structure)
  Introduced in doc
One minislot is allocated to perform one distance measurement
GTS guarantees ranging transmission
The fine structure provides flexibility

11 Eavesdropping
Distance evaluation - ranging without contention
Ranging exchanges between A and B in a GTS
[Figure: SHR and PHR / PSDU frames for Node A, Node B and Node X, relative to the START OF GTS]

12 Eavesdropping
Ranging without contention
On receipt of a ranging packet (request), the unauthorized node can obtain its distance to the node originator, knowing:
  The preamble duration of the ranging packet ( )
  The start of GTS ( )
Mutual ranging allows the unauthorized node to obtain the distance between A and B, but also its distance to these devices
[Figure: nodes A, B and X]

13 Solutions to Eavesdropping
Prevent unauthorized node from accessing the distance between the nodes involved in ranging
Prevent unauthorized node from measuring the distance between the originator and itself when ranging is performed in CFP
Dithering the turn-around time
  Transmission of the dither in a separate packet
Dithering the start of ranging in a GTS
  Transmission of the dither in a separate packet

14 Man In The Middle
Unauthorized party sends a ranging frame under an assumed identity:
  Start a two-way ranging procedure with any device of a piconet
  Respond to a ranging request in a TWR procedure
Authentication provided by higher layer
Requires physical layer protection
Private ranging shall provide authentication

15 Man In The Middle
Respond to a ranging request in a TWR procedure
Attacker (node X) spoofs the long / short address of the device specified in the ranging request in order to masquerade as it
Result: The unauthorized node can provide false information to the originator
[Figure: nodes A, B, C (originator) and X; labels: Ranging request, False ranging response]
See ugly impostor in doc

16 Solutions to Man In The Middle
Prevent unauthorized node from sending ranging response frames after having spoofed an address
  Transmission of a notification frame
  Use of a dedicated waveform for ranging signaling

17 Denial of Service
Attacker interferes with the desired signal:
  Generating enough noise (jamming attack)
  Associating to the piconet and generating a large amount of traffic
  Injecting traffic into the radio network without associating to the coordinator
Requires physical layer protection
Private ranging shall provide robustness

18 Denial of Service
Transmitted information shall be received despite deliberate jamming attempts
Involved measures should be applied to both ranging and data transmissions
[Figure: nodes A, B, C and X; label: Ranging frames]
See ugly impostor in doc

19 Solutions to Denial of Service
Identify existence and back off is not sufficient
Avoiding the jammed frequencies
  Frequency hopping (not enough frequency bands)
  Dynamic Frequency Selection (DFS)

20 Solutions to Denial of Service
Dynamic Frequency Selection
The two optional bands of 500 MHz allow the use of 3 different channels (sub-GHz and above-6 GHz bands are other alternatives)
The mandatory band is used by default and then, if an interferer appears, the coordinator selects one of the other bands
Can be used as DAA (Detect and Avoid) for compliance with regulatory requirements
[Figure: frequency axis in GHz; labels: Frequency selection, Interference]

21 Private-ranging services

22 Private-ranging services
Confidentiality
  Dithering the turn-around time and ranging start in a GTS
  Transport dither values in a separate frame
  Ranging waveform setting (notification frame)
Authentication
  Use of notification frame prior to ranging
Robustness
  Use of dynamic frequency selection

23 Private-ranging modes

24 Private-ranging modes
Unprivate-ranging (UR) mode
  Mandatory mode which offers no privacy
Confidential-ranging (CR) mode
  Provides confidentiality (optional)
Private-ranging (PR) mode
  Provides confidentiality and authentication (optional)
Robust-ranging (RR) mode
  Provides confidentiality, authentication and robustness (optional)
No-ranging (NR) mode
  Ranging is not authorized (optional)

25 Private-ranging modes
Privacy is set according to the type of object to be ranged and then each node has a specific private-ranging mode
If the modes are different in the originator and the recipient, the highest privacy level shall be used
Toy: Unprivate or confidential ranging mode
Safe: No-ranging mode
Child: private or robust ranging mode
[Figure labels: Ranging signal; Ranging is not authorized]

26 Unprivate-ranging mode
A node with UR mode allows ranging in the piconet without the use of privacy
Unprivate ranging can only be performed between two nodes with UR mode
Fast ranging:
  No additional messages
Only the maximum ranging grade is allowed

27 Unprivate-ranging mode
[Message sequence chart between Originator MAC, Originator PHY, Recipient PHY and Recipient MAC, originator and recipient both in UR mode. Labels: PD-DATA.request; DATA (ServiceType = UR_MODE); PD-DATA.indication; Turn-around time; ACK; PD-DATA.indication; PD-DATA.request]

28 Confidential-ranging mode
A node with CR mode allows ranging in the piconet using the confidential-ranging service
Slow ranging:
  One additional message (Timestamp frame)
Dithering of the turn-around time
Transport of the dither time in a separate frame
Possible use of ranging grades

29 Confidential-ranging mode
[Message sequence chart between Originator MAC, Originator PHY, Recipient PHY and Recipient MAC, originator and recipient both in CR mode. Labels: PD-DATA.request; DATA (ServiceType = CR_MODE); PD-DATA.indication; Dithered turn-around time; ACK; PD-DATA.indication; PD-DATA.request; Timestamp frame: PD-DATA.request; DATA (DitherTime, RangingGrade); PD-DATA.indication]
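
The effect of dithering the turn-around time in CR mode, as an added example that is not part of the original slides: the originator, which receives DitherTime in the separate Timestamp frame, recovers the true distance, while an observer who knows only the nominal turn-around time gets an estimate that is off by c × dither / 2. Assumptions: the 200 µs nominal turn-around, the 1 µs dither range, the uniform draw and all function names are hypothetical, and the Timestamp frame contents are taken to be protected by the higher-layer encryption the slides mention.

```python
import random

C = 299_792_458.0  # speed of light in m/s

def round_trip(distance_m, turnaround_s, dither_s):
    """Round-trip time the originator measures: request out, ACK back.
    The recipient delays its ACK by the turn-around time plus the dither."""
    time_of_flight = distance_m / C
    return 2 * time_of_flight + turnaround_s + dither_s

def estimate_distance(round_trip_s, assumed_reply_delay_s):
    """Two-way-ranging estimate, given the reply delay the estimator believes was used."""
    return C * (round_trip_s - assumed_reply_delay_s) / 2

def confidential_ranging(distance_m, turnaround_s=200e-6, max_dither_s=1e-6, rng=random):
    """Simulate one CR-mode exchange; returns (authorized, unauthorized, dither).
    turnaround_s and max_dither_s are assumed values, not taken from the slides."""
    dither = rng.uniform(0.0, max_dither_s)   # recipient draws a fresh dither
    rtt = round_trip(distance_m, turnaround_s, dither)
    # Originator: learns DitherTime from the separate Timestamp frame.
    authorized = estimate_distance(rtt, turnaround_s + dither)
    # Observer of the ranging frames only: knows the nominal turn-around, not the dither.
    unauthorized = estimate_distance(rtt, turnaround_s)
    return authorized, unauthorized, dither

if __name__ == "__main__":
    for _ in range(3):
        a, u, d = confidential_ranging(10.0)
        print(f"dither={d * 1e9:7.1f} ns  authorized={a:6.2f} m  unauthorized={u:7.2f} m")
```

With these assumed values a dither of up to 1 µs shifts the unauthorized estimate by up to about 150 m, which is why the dither value has to travel in a separate, protected frame rather than in the ranging frames themselves.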

30 Private-ranging mode
A node with PR mode allows ranging in the piconet using the private-ranging service
Slower ranging:
  Additional messages (Notification and Timestamp frames)
Dithering of the turn-around time
Transport of the dither time in a separate frame
Dedicated waveform for the ranging signaling
Possible use of ranging grades

31 Private-ranging mode
[Message sequence chart between Originator MAC, Originator PHY, Recipient PHY and Recipient MAC, originator and recipient both in PR mode. Labels: Notification frame: PD-DATA.request; DATA (ServiceType = PR_MODE); PD-DATA.indication; PLME-SET.confirm; Timestamp frame: PD-DATA.request; DATA (DitherTime, RangingGrade, Waveform); PD-DATA.indication; PLME-SET.request; PLME-SET.request; Modification of the waveform; Ranging frames using specified waveform: PD-DATA.request; DATA; PD-DATA.indication; Dithered turn-around time; ACK; PD-DATA.indication; PD-DATA.request]

32 Robust-ranging mode
A node with RR mode allows ranging in the piconet using the robust-ranging service
Slower ranging:
  Additional messages (Notification and Timestamp frames)
Same measures as private-ranging mode
Dynamic Frequency Selection handled by the coordinator
  Detection of interference based on the received BER
  Disassociation of every associated node
  Selection of another frequency band and reassociation

33 No-ranging mode
A node with No-ranging mode can’t be involved in ranging
No reply to ranging request and notification frames

34 Ranging with different modes
Originator and recipient can have different modes in the same piconet
[Table: ranging type by originator mode and recipient mode. Modes: Unprivate, Confidential, Private / Robust, No ranging. Cell values: Unprivate ranging, Confidential ranging, Private ranging, Special cases]

35 Special cases
Scheduled ranging mode should be modified
[Message sequence chart between Originator MAC, Originator PHY, Recipient PHY and Recipient MAC, originator in UR or CR mode and recipient in other modes. Labels: PD-DATA.request; DATA (ServiceType = UR_MODE); PD-DATA.indication; Ranging is not allowed; ACK (ServiceType = MODE); PD-DATA.indication; PD-DATA.request; Notification or ranging frame: PD-DATA.request; DATA (ServiceType); PD-DATA.indication]

