Presentation is loading. Please wait.

Presentation is loading. Please wait.

Replay Attack to Secured TB Ranging

Published byKrista Järvenpää Modified over 5 years ago

Similar presentations

Presentation on theme: "Replay Attack to Secured TB Ranging"— Presentation transcript:

1 Replay Attack to Secured TB Ranging
Month Year doc.: IEEE yy/xxxxr0 Mar. 2019 Replay Attack to Secured TB Ranging Date: Jonathan Segev, Intel

2 Introduction The secured TB ranging has the following features
Month Year doc.: IEEE yy/xxxxr0 Mar. 2019 Introduction The secured TB ranging has the following features The SAC code for UL\DL NDPs is carried in TF for sounding DL NDP has separate HE-LTF fields for different ISTA ISTA’s HE-LTF field is constructed based on the ISTA’s SAC NDPA indicates HE-LTF field allocation of the ISTA NDPA is broadcast packet with no security protection This submission relates to the replay attack model described in CID 1580 in TGaz LB240 Comment Jonathan Segev, Intel

3 Secured TB Ranging Sequence
Mar. 2019 Secured TB Ranging Sequence For DL NDP, NDPA allocates HE-LTF 1 to ISTA1 and HE-LTF2 to ISTA2 DL NDP UL NDP TF UL NDP TF DL NDPA RSTA DL LMR Preamble HE LTF 1 HE LTF 2 SIFS SIFS SIFS SIFS SIFS SIFS ISTA1 ISTA2 UL NDP ISTA1 UL NDP ISTA2

4 Replay Attack to Secured TB Ranging
Mar. 2019 Replay Attack to Secured TB Ranging Fake NDPA: HE-LTF 1 to ISTA2 and HE-LTF2 to ISTA1 Attacker copies HE-LTF1 of DL NDP and replays HE-LTF1 during HE-LTF2 of DL NDP ISTA1 is attacked and ISTA2 gets an invalid ToA DL NDP UL NDP TF UL NDP TF DL NDPA RSTA DL LMR Preamble HE LTF 1 HE LTF 2 SIFS SIFS SIFS SIFS SIFS SIFS UL NDP ISTA1 UL NDP ISTA2 fake NDPA HE LTF 1 Attacker

5 Detection of Replay Attack
Mar. 2019 Detection of Replay Attack Option 1: NDPA frame includes SAC for authentication Requires to define SAC (16 bits) for UL NDP and DL NDP separately The sounding TF carries SAC for UL NDP and the NDPA carries SAC for DL NDP Cause two modes for random bits generation for TB ranging (two SAC) and NTB ranging (single SAC) If ISTA receives NDPA with unknown SAC, ISTA will discard the NDPA Option 2: Include the HE-LTF allocation information in DL LMR Offset (6 bits), DL N_STS (3 bits) and DL Rep (3 bits) DL LMR is protected frame The ISTA compares the HE-LTF allocation information in NDPA and DL LMR If not match, ISTA will discard the measurements

6 Detection of Replay Attack (cont’d)
Mar. 2019 Detection of Replay Attack (cont’d) Option 3: For each ISTA, define ToD/ToA of DL NDP separately based on the start of each ISTA’s HE-LTF field According to legacy FTM, the ToD /ToA of the DL NDP is defined based on the timing when the start of the preamble of the DL NDP appears at RSTA’s or ISTA’s s transmit or receive antenna connector To detect the replay attacker, the RSTA and ISTA can define the ToD and ToA based on the start of the corresponding HE-LTF field The ToD is defined based on the timing when the start of the HE-LTF field appears at RSTA’s transmit antenna The ToA is defined based on the timing when the start of the HE-LTF field appears at ISTA’s receive antenna When there exists replay attack, the RTT will be significantly increased, such that it can be detected. Downside is it may need hardware change for derivation of ToD/ToA and if the real range is larger than 2160m, it may trigger false alarm

7 An example for Option 3 Mar. 2019
In DL NDP, the reference point for ISTA1’s and ISTA2’s ToA and ToD DL NDP UL NDP TF UL NDP TF DL NDPA RSTA DL LMR Preamble HE LTF 1 HE LTF 2 SIFS SIFS SIFS SIFS SIFS SIFS ISTA1 ISTA2 UL NDP ISTA1 UL NDP ISTA2 Reference point for ISTA1 ToD and ToA Reference point for ISTA2 ToD and ToA

8 An example for Option 3 (cont’d)
Mar. 2019 An example for Option 3 (cont’d) RSTA derives ISTA1’s ToD based on the correct reference point, and ISTA1 derives the corresponding ToA based on the fake reference point ISTA1’s RTT is increased by the duration of the field HE-LTF1 The minimum duration of HE-LTF1 is 14.4us -> 2160m increase in range (invalid) DL NDP UL NDP TF UL NDP TF DL NDPA RSTA DL LMR Preamble HE LTF 1 HE LTF 2 SIFS SIFS SIFS SIFS SIFS SIFS UL NDP ISTA1 Reference point for ISTA1 ToA UL NDP Reference point for ISTA1 ToD ISTA2 fake NDPA HE LTF 1 Attacker

9 Mar. 2019 Conclusions A replay attack model for secured TB ranging was investigated Different solutions are proposed for detecting the replay attacker Will further investigate this attacker model and follow up in future meeting

Download ppt "Replay Attack to Secured TB Ranging"

Similar presentations

Doc.: IEEE 802.11-11/1539r0 Submission Dec. 2011 Minho Cheong, ETRISlide 1 Beam forming for 11ah Date: 2011-12-12 Authors:

Doc.: IEEE /1539r0 Submission Dec Minho Cheong, ETRISlide 1 Beam forming for 11ah Date: Authors:
Beamformed HE PPDU Date: Authors: May 2015 Month Year

Beamformed HE PPDU Date: Authors: May 2015 Month Year
Submission doc.: IEEE 802.11-15/1340r2 November 2015 Narendar Madhavan, ToshibaSlide 1 NDP Announcement for HE Sequence Date: 2015-11-11 Authors:

Submission doc.: IEEE /1340r2 November 2015 Narendar Madhavan, ToshibaSlide 1 NDP Announcement for HE Sequence Date: Authors:
Submission doc.: IEEE 802.11-16/0353r1 March 2016 Hanseul Hong, Yonsei UniversitySlide 1 MU-RTS/CTS for TWT Protection Date: 2016-03-15 Authors:

Submission doc.: IEEE /0353r1 March 2016 Hanseul Hong, Yonsei UniversitySlide 1 MU-RTS/CTS for TWT Protection Date: Authors:
Submission doc.: IEEE 802.11-15/1340r0 November 2015 Narendar Madhavan, ToshibaSlide 1 NDP Announcement for HE Sequence Date: 2015-11-09 Authors:

Submission doc.: IEEE /1340r0 November 2015 Narendar Madhavan, ToshibaSlide 1 NDP Announcement for HE Sequence Date: Authors:
PHY Security FRD and SRD Text

PHY Security FRD and SRD Text
802.11az Negotiation Date: Authors: Jan 2017 Month Year

802.11az Negotiation Date: Authors: Jan 2017 Month Year
Collaborative Time of Arrival (CToA)

Collaborative Time of Arrival (CToA)
Location Measurement Protocol for Unassociated STAs

Location Measurement Protocol for Unassociated STAs
802.11az Negotiation Date: Authors: May 2017 Month Year

802.11az Negotiation Date: Authors: May 2017 Month Year
Trigger Frame Format for az

Trigger Frame Format for az
PHY Security FRD and SRD Text

PHY Security FRD and SRD Text
Passive Location Date: Authors: March 2017

Passive Location Date: Authors: March 2017
CP-replay Threat Model for 11az

CP-replay Threat Model for 11az
Locationing Protocol for 11az

Locationing Protocol for 11az
Polling for MU Measurements

Polling for MU Measurements
PHY-Level Security Protection

PHY-Level Security Protection
SU Sounding Measurement Exchange and Feedback

SU Sounding Measurement Exchange and Feedback
Protected LTF Using PMF in SU and MU Modes

Protected LTF Using PMF in SU and MU Modes
Pre-association Security Negotiation for 11az SFD Follow up

Pre-association Security Negotiation for 11az SFD Follow up

Similar presentations

Ads by Google