Enhancing Wireless Security: IEEE 802.11-17/1372r1 Replay Attack Protection

The document discusses measures for enhancing security in wireless communication, focusing on protection against replay attacks. It covers aspects like encryption of sequences, considerations for PAPR, modification of cyclic prefixes, conveying encryption keys, nulling of CP for improved performance, and examining reasons behind performance enhancement with nulled CP.

• Wireless Security
• Replay Attack Protection
• Encryption
• Performance Enhancement
• IEEE 802.11

sam_syn Follow

Uploaded on Nov 20, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. Sept 2017 doc.: IEEE 802.11-17/1372r1 CP Replay Attack Protection Date: 2017-09-11 Authors: Name Erik Lindskog Affiliations Address Qualcomm Phone email elindsko@qca.qualcomm.com ning@qca.qualcomm.com Ning Zhang Qualcomm xiaoxinz@qti.qualcomm.com Christine Zhang Qualcomm nkakani@qca.qualcomm.com Naveen Kakani Qualcomm alirezar@qca.qualcomm.com Ali Raissinia Qualcomm Submission Slide 1 Erik Lindskog, Qualcomm, et al.

2. Sept 2017 doc.: IEEE 802.11-17/1372r1 CP Replay Attack Protection Components: Encryption of LFT base sequence Consideration to PAPR of the time domain signal may be required Modify cyclic prefix to remove repetition in training signal Replace CP with zeroes, or Replace CP with encrypted training signal Conveying of encryption key for LTF and CP (if encrypted) Convey in field after the LTF, e.g. in packet extension Convey prior to LTF Encrypted, or Non-encrypted Submission Slide 2 Erik Lindskog, Qualcomm, et al.

3. Sept 2017 doc.: IEEE 802.11-17/1372r1 Modification of the CP Submission Slide 3 Erik Lindskog, Qualcomm, et al.

4. Sept 2017 doc.: IEEE 802.11-17/1372r1 Nulling of CP Null CP Channel estimate will become a little distorted First tap appears largely to remain in the same position At least for cases with reasonably high SNR and even more so for cases with a strong LOS path If desired, channel estimation could account for nulled CP E.g. used receiver with larger FFT size exploiting nulled CPs surrounding the core LTF symbol as in [1]. Submission Slide 4 Erik Lindskog, Qualcomm, et al.

5. Sept 2017 doc.: IEEE 802.11-17/1372r1 Performance with Nulled CP Submission Slide 5 Erik Lindskog, Qualcomm, et al.

6. Sept 2017 doc.: IEEE 802.11-17/1372r1 Performance with Nulled CP Submission Slide 6 Erik Lindskog, Qualcomm, et al.

7. Sept 2017 doc.: IEEE 802.11-17/1372r1 Performance with Nulled CP Hmm . Why do we get better performance with nulled CP? Statistical anomaly? Submission Slide 7 Erik Lindskog, Qualcomm, et al.

8. Sept 2017 doc.: IEEE 802.11-17/1372r1 Performance with Nulled CP Submission Slide 8 Erik Lindskog, Qualcomm, et al.

9. Sept 2017 doc.: IEEE 802.11-17/1372r1 Pseudo Random CP Again: Channel estimate will become a little distorted First tap appears largely to remain in the same position At least for cases with reasonably high SNR and even more so for cases with a strong LOS path Channel estimation could make use of modified CP signal Submission Slide 9 Erik Lindskog, Qualcomm, et al.

10. Sept 2017 doc.: IEEE 802.11-17/1372r1 Performance with Randomized CP Submission Slide 10 Erik Lindskog, Qualcomm, et al.

11. Sept 2017 doc.: IEEE 802.11-17/1372r1 Performance with Randomized CP Why do we get better performance with randomized CP? Statistical anomaly? Only 100 packets simulated here. Submission Slide 11 Erik Lindskog, Qualcomm, et al.

12. Sept 2017 doc.: IEEE 802.11-17/1372r1 Performance with Randomized CP With 300 packets simulated the regular CP is better than the randomized CP. Submission Slide 12 Erik Lindskog, Qualcomm, et al.

13. Sept 2017 doc.: IEEE 802.11-17/1372r1 Performance with Randomized CP Submission Slide 13 Erik Lindskog, Qualcomm, et al.

14. Sept 2017 doc.: IEEE 802.11-17/1372r1 Performance with Randomized CP Why do we get better performance with randomized CP? Statistical anomaly? Only 100 packets simulated here. Submission Slide 14 Erik Lindskog, Qualcomm, et al.

15. Sept 2017 doc.: IEEE 802.11-17/1372r1 Conveying of encryption key Submission Slide 15 Erik Lindskog, Qualcomm, et al.

16. Sept 2017 doc.: IEEE 802.11-17/1372r1 Conveying of Key in Packet Extension Modulate packet extension as legacy portion of packet Convey LTF encoding key in packet extension No need to encrypt key as the packet extension come after the encoded LTF Submission Slide 16 Erik Lindskog, Qualcomm, et al.

17. Sept 2017 doc.: IEEE 802.11-17/1372r1 CP Replay Attack Protection for 802.11az NDP based Ranging Submission Slide 17 Erik Lindskog, Qualcomm, et al.

18. Sept 2017 doc.: IEEE 802.11-17/1372r1 CP Replay Attack Protection for 802.11az NDP based Ranging No data in NDP packet => Channel estimate not needed for demodulation Submission Slide 18 Erik Lindskog, Qualcomm, et al.

19. Sept 2017 doc.: IEEE 802.11-17/1372r1 CP Replay Attack Protection for 802.11REVmc evolution Submission Slide 19 Erik Lindskog, Qualcomm, et al.

20. Sept 2017 doc.: IEEE 802.11-17/1372r1 CP Replay Attack Protection for 802.11REVmc evolution For HT/VHT ranging Require ranging measurements to be made on HT/VHT-LTF(s) Encrypt HT/VHT-LTF(s) Modify CP (nulled or randomized) Restrict MCS level in FTM, and implicitly in the ACK so that the payload can be decoded despite the modified CP LTF key conveying: Add packet extension and convey LTF encryption key in it, or Convey LTF key prior to ranging measurement packets Submission Slide 20 Erik Lindskog, Qualcomm, et al.

21. Sept 2017 doc.: IEEE 802.11-17/1372r1 Need for PHY Security Submission Slide 21 Erik Lindskog, Qualcomm, et al.

22. Sept 2017 doc.: IEEE 802.11-17/1372r1 Need for PHY Security PHY security is primarily needed to protect against spoofing attacks Spoofing location is considerably more difficult than spoofing proximity Spoofing location requires spoofing the ranging measurements from multiple (>=3) anchor stations Location measurements also usually, for reliability reasons, have a lot of redundancy build in into its process => Makes it yet harder to spoof Proximity measurements may only require spoofing of a single ranging measurement => Much more sensitive to spoofing Submission Slide 22 Erik Lindskog, Qualcomm, et al.

23. Sept 2017 doc.: IEEE 802.11-17/1372r1 Selective PHY Security Modifying the CP may have effect on the ranging performance At high SNR and low delay spread the effects is likely small Spoofing security only needed in a limited number of use cases Complete, loss-less, complication free and general protection against CP replay attacks may be difficult to realize Enable selective security against CP replay attacks to be turned on for vulnerable use cases. Submission Slide 23 Erik Lindskog, Qualcomm, et al.

24. Sept 2017 doc.: IEEE 802.11-17/1372r1 Proposed Solutions Encrypt LTF Add the option to null or encrypt the CP of LTFs used for ranging to protect against CP replay attacks. Optionally use receiver that exploits modified CP, or use regular receiver. E.g. use receiver with larger FFT size exploiting nulled CPs surrounding the core LTF symbol as in [1]. However, losses with regular receiver does not seem to be prohibiting. Convey encryption key prior to ranging or non-encrypted in packet extension For 802.11REVmc FTM evolution ((V)HT): Require that ranging measurements are performed on the (V)HT-LTF Restrict MCS level to ensure decoding of payload Submission Slide 24 Erik Lindskog, Qualcomm, et al.

25. Sept 2017 doc.: IEEE 802.11-17/1372r1 References [1] Zero padded waveform , Mingguang Xu, John Dogan, SK Yong, Qi Wang, Kyle Brogle and AJ Ringer IEEE 802.11-17/1378r2. Submission Slide 25 Erik Lindskog, Qualcomm, et al.

26. Sept 2017 doc.: IEEE 802.11-17/1372r1 Thank You! Submission Slide 26 Erik Lindskog, Qualcomm, et al.