CP Replay Attack Protection


1 CP Replay Attack Protection
Sept 2017
Authors: Erik Lindskog, Qualcomm, et al.

2 CP Replay Attack Protection
Components:
- Encryption of LTF base sequence
  - Consideration to PAPR of the time domain signal may be required
- Modify cyclic prefix to remove repetition in training signal
  - Replace CP with zeroes, or
  - Replace CP with encrypted training signal
- Conveying of encryption key for LTF and CP (if encrypted)
  - Convey in field after the LTF, e.g. in packet extension
  - Convey prior to LTF
    - Encrypted, or
    - Non-encrypted

3 Modification of the CP

4 Nulling of CP
- Null CP
- Channel estimate will become a little distorted
  - First tap appears largely to remain in the same position
    - At least for cases with reasonably high SNR and even more so for cases with a strong LOS path
- If desired, channel estimation could account for nulled CP
  - E.g. use a receiver with larger FFT size exploiting nulled CPs surrounding the core LTF symbol as in [1].

5 Performance with Nulled CP

6 Performance with Nulled CP

7 Performance with Nulled CP
Hmm… Why do we get better performance with nulled CP? Statistical anomaly?

8 Performance with Nulled CP

9 Pseudo Random CP
Again:
- Channel estimate will become a little distorted
  - First tap appears largely to remain in the same position
    - At least for cases with reasonably high SNR and even more so for cases with a strong LOS path
- Channel estimation could make use of modified CP signal
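
As an added example (not part of the original presentation), the following Python code illustrates the "remove repetition" component of slide 2 and the channel-estimate claims of slides 4 and 9: it measures how strongly the CP repeats the symbol tail and where a regular receiver finds the strongest tap for a regular, nulled and keyed pseudo-random CP. The keyed ±1 LTF sequence, the HMAC-SHA256 keying, the FFT size, the CP length and the channel taps are assumptions chosen for the illustration.

```python
# Added illustration (constructed); parameters and keying are assumptions.
import cmath, hashlib, hmac

N, CP = 64, 16                      # FFT size and CP length (assumed)
H = [0, 0, 1.0, 0, 0.3, 0.1j]       # constructed channel: strong LOS tap at delay 2

def prf_bits(key, label, n):
    """Keyed bits from HMAC-SHA256 in counter mode (stand-in for the LTF/CP cipher)."""
    out, ctr = b"", 0
    while len(out) * 8 < n:
        out += hmac.new(key, label + bytes([ctr]), hashlib.sha256).digest()
        ctr += 1
    return [(out[i // 8] >> (i % 8)) & 1 for i in range(n)]

def dft(v, sign):
    w = sign * 2j * cmath.pi / len(v)
    return [sum(a * cmath.exp(w * k * m) for k, a in enumerate(v)) for m in range(len(v))]

def build(key, mode):
    """Return (frequency-domain LTF, transmitted samples = CP + core symbol)."""
    X = [1 - 2 * b for b in prf_bits(key, b"ltf", N)]
    x = [a / N for a in dft(X, +1)]
    if mode == "regular":
        cp = x[-CP:]                               # classic CP: copy of the symbol tail
    elif mode == "nulled":
        cp = [0j] * CP
    else:                                          # "random": keyed QPSK at the symbol RMS
        b, rms = prf_bits(key, b"cp", 2 * CP), 1 / N ** 0.5
        cp = [rms * complex(1 - 2 * b[2 * i], 1 - 2 * b[2 * i + 1]) / 2 ** 0.5 for i in range(CP)]
    return X, cp + x

def repetition(tx):
    """Normalized correlation of CP with symbol tail; 1.0 means an exact repeat."""
    cp, tail = tx[:CP], tx[-CP:]
    den = (sum(abs(a) ** 2 for a in cp) * sum(abs(a) ** 2 for a in tail)) ** 0.5
    return abs(sum(a * b.conjugate() for a, b in zip(cp, tail))) / den if den else 0.0

def estimate(key, mode, h=H):
    """Regular receiver: FFT of the core symbol, divide by the known LTF, IDFT."""
    X, tx = build(key, mode)
    rx = [sum(h[d] * tx[n - d] for d in range(len(h)) if n >= d) for n in range(len(tx))]
    est = [a / N for a in dft([y / s for y, s in zip(dft(rx[CP:], -1), X)], +1)]
    peak = max(range(N), key=lambda i: abs(est[i]))
    err = max(abs(est[i] - (h[i] if i < len(h) else 0)) for i in range(N))
    return repetition(tx), peak, err

if __name__ == "__main__":
    for mode in ("regular", "nulled", "random"):
        rep, peak, err = estimate(b"constructed-demo-key", mode)
        print(f"{mode:8s} repetition={rep:.2f} strongest_tap={peak} max_tap_error={err:.3f}")
```

In this noise-free, constructed channel the regular CP gives an exact estimate but a repetition score of 1.0, while the nulled and randomized CPs remove the repetition at the cost of a small estimation error that leaves the strongest tap at the same delay.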

10 Performance with Randomized CP

11 Performance with Randomized CP
Why do we get better performance with randomized CP? Statistical anomaly? Only 100 packets simulated here.

12 Performance with Randomized CP
With 300 packets simulated the regular CP is better than the randomized CP.

13 Performance with Randomized CP

14 Performance with Randomized CP
Why do we get better performance with randomized CP? Statistical anomaly? Only 100 packets simulated here.

15 Conveying of encryption key

16 Conveying of Key in Packet Extension
- Modulate packet extension as legacy portion of packet
- Convey LTF encoding key in packet extension
- No need to encrypt key as the packet extension comes after the encoded LTF

17 CP Replay Attack Protection for 802.11az NDP based Ranging

18 CP Replay Attack Protection for 802.11az NDP based Ranging
- No data in NDP packet => Channel estimate not needed for demodulation

19 CP Replay Attack Protection for 802.11REVmc evolution

20 CP Replay Attack Protection for 802.11REVmc evolution
For HT/VHT ranging:
- Require ranging measurements to be made on HT/VHT-LTF(s)
- Encrypt HT/VHT-LTF(s)
- Modify CP (nulled or randomized)
- Restrict MCS level in FTM, and implicitly in the ACK so that the payload can be decoded despite the modified CP
- LTF key conveying:
  - Add packet extension and convey LTF encryption key in it, or
  - Convey LTF key prior to ranging measurement packets

21 Need for PHY Security

22 Need for PHY Security
- PHY security is primarily needed to protect against spoofing attacks
- Spoofing location is considerably more difficult than spoofing proximity
  - Spoofing location requires spoofing the ranging measurements from multiple (>=3) anchor stations
  - Location measurements also usually, for reliability reasons, have a lot of redundancy built into their process => Makes it yet harder to spoof
  - Proximity measurements may only require spoofing of a single ranging measurement => Much more sensitive to spoofing

23 Selective PHY Security
- Modifying the CP may have an effect on the ranging performance
  - At high SNR and low delay spread the effect is likely small
- Spoofing security only needed in a limited number of use cases
- Complete, loss-less, complication free and general protection against CP replay attacks may be difficult to realize
- Enable selective security against CP replay attacks to be turned on for vulnerable use cases.

24 Proposed Solutions
- Encrypt LTF
- Add the option to null or encrypt the CP of LTFs used for ranging to protect against CP replay attacks.
  - Optionally use receiver that exploits modified CP, or use regular receiver.
    - E.g. use receiver with larger FFT size exploiting nulled CPs surrounding the core LTF symbol as in [1].
    - However, losses with a regular receiver do not seem to be prohibitive.
- Convey encryption key prior to ranging or non-encrypted in packet extension
- For REVmc FTM evolution ((V)HT):
  - Require that ranging measurements are performed on the (V)HT-LTF
  - Restrict MCS level to ensure decoding of payload

25 References
[1] “Zero padded waveform”, Mingguang Xu, John Dogan, SK Yong, Qi Wang, Kyle Brogle and AJ Ringer IEEE /1378r2.
