Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure SU and MU Ranging Measurement Procedure

Published byEustace Hines Modified over 5 years ago

Similar presentations

Presentation on theme: "Secure SU and MU Ranging Measurement Procedure"— Presentation transcript:

1 Secure SU and MU Ranging Measurement Procedure
Month Year doc.: IEEE yy/xxxxr0 January 2018 Secure SU and MU Ranging Measurement Procedure Date: Authors: Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc. John Doe, Some Company

2 January 2018 Introduction In previous discussions we agree on the following: The HEz and VHTz FTM modes, the fields over which range measurements are performed shall be protected against a VHT/HE Type B adversary attack. For the purpose of PHY Security Mode, the field used for channel/ToA measurement shall not include any form of repetition in time domain or structure that is predictable. In this submission we will review possibilities of how to signaling between iSTA and rSTA that enables LTF protection. Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

3 Proposed Key Exchange in Negotiation and LTF Randomization in SU Mode
Month Year doc.: IEEE yy/xxxxr0 January 2018 Proposed Key Exchange in Negotiation and LTF Randomization in SU Mode Negotiation/key exchange NDPA (UL PN, DL PN) UL NDP LTF = f(key, UL PN) DL NDP LTF = f(key, DL PN) LMR ISTA RSTA Key or cipher sequence exchange and establishment for LTF generation between iSTA and rSTA in the non-time critical FTM negotiation phase Sequence generation information for the first measurement instance is part of the IFTM The measurement phase only commences once the negotiation is successful Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc. John Doe, Some Company

4 Secure SU Ranging Measurement Procedure
January 2018 Secure SU Ranging Measurement Procedure For SU operation, the Delayed sequence generation is preferred where sequence generation information is carried in the previous sounding sequence instance For normal operation of SU ranging The frame used to deliver subsequent LTF sequence generation information is the protected LMR frame The specifics of LTF sequence generation information is TBD, this information is associated with a Sequence Authentication Code (SAC) The NDPA carries the SAC indication, a specific reserved value indicates “New LTF generation information needed”. The SAC is also included in the iFTM for the first measurement instance and in the LMR for subsequent Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

5 Secure SU Ranging Measurement Procedure
January 2018 Secure SU Ranging Measurement Procedure For normal operation of SU ranging The size of the SAC should be sufficiently long to prevent simple guessing An adversary doesn’t know the SAC and is unable to predict it and thus can’t trigger the measurement instance. In addition the SAC and its associated measurement results are carried in the LMR If an incorrect SAC is received by the RSTA, the RSTA discards the NDPA (no DL NDP) and keep the current SAC and associated LTF sequence generation information Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

6 Secure SU Ranging Measurement Procedure
January 2018 Secure SU Ranging Measurement Procedure Secure SU ranging measurement example (Immediate LMR Report case) N-1 round sounding sequence N round sounding sequence SAC for sequence generation (SACN-1) SAC for sequence generation (SACN) DL NDP Protected LMR DL NDP Protected LMR NDPA UL NDP NDPA UL NDP Derive LTF sequence of UL NDP and DL NDP of Nth round sounding sequence SAC for sequence generation (SACN) LTF sequence generation information SAC for sequence generation (SACN+1) LTF sequence generation information SAC for measurement sequence (SACN-1) Location measurement information SAC for measurement sequence (SACN) Location measurement information Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

7 Secure SU Ranging Measurement Procedure
January 2018 Secure SU Ranging Measurement Procedure The LMR is an Action non ACK frame So, need a procedure for recovery the LMR reception failure If the LMR was not correctly received: The iSTA comes back to the channel and transmit an NDPA indicating “New LTF generation information needed”. The previous LTF generation information is invalidated. For UL NDP the iSTA uses a known UL NDP LTF sequence (not suitable for measurement). For DL NDP the rSTA may use the secured DL NDP LTF sequence (not suitable for measurement). The rSTA sends a new protected LMR content (meas. are lost only for immediate). The iSTA may comeback to the channel and initiate a new sounding sequence minToaReady time after. Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

8 MU Ranging Measurement Procedure
January 2018 MU Ranging Measurement Procedure MU ranging measurement consists of one or more rounds of UL sounding followed by one round of DL sounding. Optional TF -> Location Uplink Sounding TF -> Location Uplink Sounding DL NDPA DL NDP UL NDP UL NDP UL NDP UL NDP UL NDP UL NDP Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

9 Secure MU Ranging Measurement Procedure
January 2018 Secure MU Ranging Measurement Procedure Assume that both UL ranging NDP and DL ranging NDP are designed with secure (e.g., randomized) LTF sequences. But, when an attacker is a member of the MU ranging measurement, The attacker can transmit a Fake DL ranging NDP if a LTF sequence in a DL ranging NDP is common to all members of the MU ranging measurement. TF -> Location Uplink Sounding TF -> Location Uplink Sounding DL NDPA DL NDP iSTA1 UL NDP iSTA3 UL NDP iSTA2 (Attacker) UL NDP Fake DL NDP Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

10 Secure MU Ranging Measurement Procedure
January 2018 Secure MU Ranging Measurement Procedure So, the proposed secure MU ranging measurement procedure is limited to a single iSTA. Extension to the multiple iSTAs is TBD. Basic principle of the secure MU ranging measurement procedure is very similar to the secure SU ranging measurement procedure. The delayed sequence generation where sequence generation information is carried in the previous sounding sequence instance. Sequence generation information carried in LMR Derive LTF sequence of UL NDP and DL NDP of the next round sounding sequence DL NDP Protected LMR TF -> Location Poll TF -> Location Uplink Sounding DL NDPA DL NDP Protected LMR Poll Response UL NDP Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

11 Secure MU Ranging Measurement Procedure
January 2018 Secure MU Ranging Measurement Procedure The keys or cipher sequence (if needed) for LTF sequence generation are the result of the FTM negotiation. LTF sequence generation information for the first measurement instance is a part of an iFTM, the measurement phase only commences once the negotiation is successful. The frame used to deliver subsequent LTF sequence generation information is the protected LMR frame. Sequence generation information carried in FTM Response Derive LTF sequence of UL NDP and DL NDP of 1st round sounding sequence FTM Response TF -> Location Poll TF -> Location Uplink Sounding DL NDPA DL NDP Protected LMR FTM Request Poll Response UL NDP Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

12 Secure MU Ranging Measurement Procedure
January 2018 Secure MU Ranging Measurement Procedure The specifics of LTF sequence generation information are TBD, but this information is associated with a Sequence Authentication Code (SAC). The Trigger Frame (TF) -> Location Uplink Sounding indicates the SAC for the following NDP frame corresponding to the LTF generation information. After receiving the TF -> Location Uplink Sounding, iSTA shall uses the LTF generation information associated with the SAC. The SAC is also included in the iFTM for the first measurement instance and in the LMR for subsequent measurement instances. Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

13 Secure MU Ranging Measurement Procedure
January 2018 Secure MU Ranging Measurement Procedure An adversary doesn’t know the SAC and is unable to predict it and thus can’t trigger the measurement instance (DOS). In addition the SAC and its associated measurement results are carried in the LMR. If an incorrect SAC is received by the iSTA, the iSTA may respond with a known LTF sequence or with any other LTF sequence and discards the current SAC and associated LTF sequence generation information. The size of the SAC should be sufficiently long to prevent simple guessing. Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

14 Secure MU Ranging Measurement Procedure
January 2018 Secure MU Ranging Measurement Procedure Secure MU ranging measurement example N-1 round sounding sequence N round sounding sequence SAC for sequence generation (SACN) DL NDP Protected LMR TF -> Location Poll TF -> Location Uplink Sounding DL NDPA DL NDP Protected LMR Poll Response UL NDP SAC for sequence generation (SACN) LTF sequence generation information SAC for sequence generation (SACN+1) LTF sequence generation information Derive LTF sequence of UL NDP and DL NDP of Nth round sounding sequence SAC for measurement sequence (SACN-2) Location measurement information SAC for measurement sequence (SACN-1) Location measurement information Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

15 Secure MU Ranging Measurement Procedure
January 2018 Secure MU Ranging Measurement Procedure The LMR is an Action No ACK frame So, need a procedure for recovery the LMR reception failure. If the LMR was not correctly received: For UL NDP, the iSTA uses a known UL NDP LTF sequence (not suitable for measurement). For DL NDP, the rSTA may use the secured DL NDP LTF sequence (not suitable for measurement). If two sided LMR is used, the iSTA indicates measurements are invalidated. The rSTA sends a new protected LMR content (measurement results are lost only for immediate sounding sequence). The iSTA may come back to the channel and participate in a new sounding sequence at the next availability interval by responding to a future TF Location -> Poll. Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

16 Secure MU Ranging Measurement Procedure
January 2018 Secure MU Ranging Measurement Procedure Secure MU ranging measurement example N-1 round sounding sequence N round sounding sequence SAC for sequence generation (SACN) DL NDP Protected LMR TF -> Location Poll TF -> Location Uplink Sounding DL NDPA DL NDP Protected LMR Error Poll Response UL NDP SAC for sequence generation (SACN) LTF sequence generation information SAC for sequence generation (SACN+1) LTF sequence generation information Known LTF sequence is used since SAC is not matched. SAC for measurement sequence (SACN-2) Location measurement information SAC for measurement sequence (SACN-1) Location measurement information Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

17 January 2018 Straw Poll Do you support the following SFD texts for secure SU ranging measurement (normal operation)? For normal operation of secure SU ranging, The keys or cipher sequence (if needed) for LTF sequence generation are the result of the FTM negotiation Sequence generation information for the first measurement instance is part of the IFTM, the measurement phase only commences once the negotiation is successful The frame used to deliver subsequent LTF sequence generation information is the protected LMR frame The specifics of LTF sequence generation information is TBD, this information associated with a Sequence Authentication Code (SAC) The NDPA carries the SAC indication, a specific reserved value indicates “New LTF generation information needed”. The SAC is also included in the IFTM for the first measurement instance and in the LMR for subsequent Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

18 January 2018 Straw Poll Do you support the following the following SFD text for secure SU ranging measurement (SAC operation)? The size of the SAC should be sufficiently long to prevent simple guessing An adversary doesn’t know the SAC and is unable to predict it and thus can’t trigger the measurement instance (DOS). In addition the SAC and its associated measurement results are carried in the LMR. If an incorrect SAC is received by the RSTA, the RSTA discards the NDPA (no DL NDP) and keep the current SAC and associated LTF sequence generation information. Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

19 January 2018 Straw Poll Do you support the following SFD texts for secure SU ranging measurement (LMR error recovery operation)? The LMR is an Action non ACK frame If the LMR was not correctly received: The iSTA comes back to the channel and transmit an NDPA indicating “New LTF generation information needed”. The previous LTF generation information is invalidated. For UL NDP the iSTA uses a known UL NDP LTF sequence (not suitable for measurement). For DL NDP the rSTA may use the secured DL NDP LTF sequence (not suitable for measurement). The rSTA sends a new protected LMR content (meas. are lost only for immediate). The iSTA may comeback to the channel and initiate a new sounding sequence minToaReady time after. Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

20 January 2018 Straw Poll Do you support the following SFD texts for secure MU ranging measurement (general operation)? For normal operation of secure MU ranging, Secure MU ranging measurement procedure is limited to a single iSTA. The delayed sequence generation where sequence generation information is carried in the previous sounding sequence instance. The keys or cipher sequence (if needed) for LTF sequence generation are the result of the FTM negotiation. LTF sequence generation information for the first measurement instance is a part of an iFTM, the measurement phase only commences once the negotiation is successful. The frame used to deliver subsequent LTF sequence generation information is the protected LMR frame. Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

21 January 2018 Straw Poll Do you support the following SFD texts for secure MU ranging measurement (normal operation)? The specifics of LTF sequence generation information are TBD, but this information is associated with a Sequence Authentication Code (SAC). The Trigger Frame (TF) -> Location Uplink Sounding indicates the SAC for the following NDP frame corresponding to the LTF generation information. The SAC is also included in the iFTM for the first measurement instance and in the LMR for subsequent measurement instances. An adversary doesn’t know the SAC and is unable to predict it and thus can’t trigger the measurement instance (DOS). In addition the SAC and its associated measurement results are carried in the LMR. If an incorrect SAC is received by the iSTA, the iSTA may respond with a known LTF sequence or with any other LTF sequence and discards the current SAC and associated LTF sequence generation information. The size of the SAC should be sufficiently long to prevent simple guessing. Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

22 January 2018 Straw Poll Do you support the following SFD texts for secure MU ranging measurement (LMR error recovery operation)? The LMR is an Action No ACK frame If the LMR was not correctly received: For UL NDP, the iSTA uses a known UL NDP LTF sequence (not suitable for measurement). For DL NDP, the rSTA may use the secured DL NDP LTF sequence (not suitable for measurement). If two sided LMR is used, the iSTA indicates measurements are invalidated. The rSTA sends a new protected LMR content (measurement results are lost only for immediate sounding sequence). The iSTA may come back to the channel and participate in a new sounding sequence at the next availability interval by responding to a future TF Location -> Poll. Chittabrata Ghosh, Intel and Yongho Seok, MediaTek Inc.

Download ppt "Secure SU and MU Ranging Measurement Procedure"

Similar presentations

Protocol for SU and MU Sounding Feedback

Protocol for SU and MU Sounding Feedback
Beamformed HE PPDU Date: Authors: May 2015 Month Year

Beamformed HE PPDU Date: Authors: May 2015 Month Year
Submission doc.: IEEE 802.11-15/1097r1 September 2015 Narendar Madhavan, ToshibaSlide 1 Reducing Channel Sounding Protocol Overhead for 11ax Date: 2015-09-14.

Submission doc.: IEEE /1097r1 September 2015 Narendar Madhavan, ToshibaSlide 1 Reducing Channel Sounding Protocol Overhead for 11ax Date:
Submission doc.: IEEE 802.11-15/1340r2 November 2015 Narendar Madhavan, ToshibaSlide 1 NDP Announcement for HE Sequence Date: 2015-11-11 Authors:

Submission doc.: IEEE /1340r2 November 2015 Narendar Madhavan, ToshibaSlide 1 NDP Announcement for HE Sequence Date: Authors:
PHY Security FRD and SRD Text

PHY Security FRD and SRD Text
802.11az Negotiation Date: Authors: Jan 2017 Month Year

802.11az Negotiation Date: Authors: Jan 2017 Month Year
Location Measurement Protocol for Unassociated STAs

Location Measurement Protocol for Unassociated STAs
MU BAR Frame Format Date: Authors: November 2015 Month Year

MU BAR Frame Format Date: Authors: November 2015 Month Year
Resource Negotiation for Unassociated STAs in MU Operation

Resource Negotiation for Unassociated STAs in MU Operation
Trigger Frame Format for az

Trigger Frame Format for az
PHY Security FRD and SRD Text

PHY Security FRD and SRD Text
SIG Fields Design of Long Preamble

SIG Fields Design of Long Preamble
Polling for MU Measurements

Polling for MU Measurements
Compressed Uplink Trigger Frame

Compressed Uplink Trigger Frame
SU Sounding Measurement Exchange and Feedback

SU Sounding Measurement Exchange and Feedback
Protected LTF Using PMF in SU and MU Modes

Protected LTF Using PMF in SU and MU Modes
Ranging ID and its Lifetime Management

Ranging ID and its Lifetime Management
Month Year doc.: IEEE yy/xxxxr0 July 2017

Month Year doc.: IEEE yy/xxxxr0 July 2017
Random Access RU Allocation in the Trigger Frame

Random Access RU Allocation in the Trigger Frame
Random Access RU Allocation in the Trigger Frame

Random Access RU Allocation in the Trigger Frame

Similar presentations

Ads by Google