Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Enhancement to FTM

Published byFlora Warner Modified over 6 years ago

Similar presentations

Presentation on theme: "Security Enhancement to FTM"— Presentation transcript:

1 Security Enhancement to FTM
Month Year doc.: IEEE /0xxxr0 Security Enhancement to FTM Date: Authors: Qi Wang, et.al., Broadcom Qi Wang, et.al., Broadcom

2 Security Limitation of Current FTM Solution
Some uses cases require security for FTM Proximity detection to point of sale (e.g.,Starbucks) Unlock assistance to personal laptop or tablet Unlock your car Unlock a locker at sports facility Serve as entry ticket, e.g., concert, sports event Alternative access for building, e.g., in lieu of ID cards Current FTM solution lacks security protection of RTT measurement and may be easily compromised. Hence extra steps to improve security for FTM are recommended. Qi Wang, et.al., Broadcom

3 Security Issue of FTM STA1 (Responding STA) STA2 (Initiating STA) FTM Request The FTM (Fine Timing Measurement) protocol enables RTT measurement RTT = [(t4_m-t1_m) - (t3_m-t2_m)] FTM frames currently are not protected. According to the spec [1], an Ack frame is not protected, as a result, a malicious device can transmit fake Ack frames, which pretend to be the Ack frames from the Initiating STA, to the Responding STA, so that the Responding STA obtains the wrong t4 and include such a wrong t4 in the payload of the subsequent FTM frames. Subsequently, the Initiating STA derives the wrong RTT between the Initiating STA and the Responding STA. ACK FTM_m payload contains [t1_(m-1), t4_(m-1)] t1_m t2_m ACK t3_m t4_m t1_(m+1) FTM_(m+1) payload contains [t1_m, t4_m] t2_(m+1) t3_(m+1) ACK t4_(m+1) FTM_(m+2) payload contains [t1_(m+1), t4_(m+1)] t1_(m+2) t2_(m+2) ACK t3_(m+2) t4_(m+2) Qi Wang, et.al., Broadcom

4 Proposal Overview We propose methods to protect the Acks to the FTM frames, thus enhance the security of the FTM protocol. The proposed enhancements apply to FTM executed in the associated state, where FTM frames are protected using PMF. Our methods can also be applied to: protect acknowledgement to other management frames. protect acknowledgement to other types of frames (e.g., data frames). protect other control frames. Qi Wang, et.al., Broadcom

5 Method 1 -- Overview Define a new Ack control frame that is the same as that in [1], except with an addition of a frame body of 1 octet length that contains a random value generated by the Ack transmitter. (See Fig. 1) Protect the new Ack frame using CCMP or GCMP. The transmitted new Ack frame format is composed of the MAC header, encrypted frame body, MIC and FCS. (See Fig. 2) Due to our design choices, 8-octet of CCMP/GCMP header is not needed to reduce overhead. Qi Wang, et.al., Broadcom

6 Method 1 – Illustrations of New Acks
Frame control Frame Body = random number generated by Ack transmitter Duration RA = address of ACK recipient FCS Octets: 2 2 6 1 4 Fig. 1: Un-protected new ACK Frame Format (method 1) Frame control Duration RA = address of ACK recipient (encrypted) Frame Body MIC FCS Octets: 2 2 6 1 8 4 Fig. 2: Protected new ACK Frame Format (method 1) Qi Wang, et.al., Broadcom

7 Method 1 – Protection of New Ack with CCMP/GCMP
Use the key ID and TK (temporal key) that are the same as that used by the FTM frame that solicits the Ack. Set the Ack frame’s PN to be the same as the PN used by the FTM frame that solicits the Ack. Data input to the CCM/GCM encryption engine is the 1 octet random value in the new Ack frame body. Set AAD = Frame Control || RA (address of Ack receiver) Frame Control in AAD is masked as specified in of [1]. Qi Wang, et.al., Broadcom

8 Method 1 – Protection of New Ack with CCMP/GCMP – Cont’d
Construction of CCMP Nonce (See Fig. 3) Nonce = Nonce Flags || address of Ack Transmitter || PN The Priority subfield of the Nonce Flags field is set to 0. When Ack frame protection is negotiated, the Control field of the Nonce Flag field is set to 1 if the Type field of the Frame is 01 (Control frame); otherwise it is set to 0. Bit 6 to 7 of the Nonce Flags field are set to 0. Qi Wang, et.al., Broadcom

9 Method 1 – Protection of New Ack with CCMP/GCMP – Cont’d
Construction of GCMP Nonce (see Fig. 4) Nonce = Nonce Flags || address of Ack Transmitter || PN When Ack frame protection is negotiated, the Control field of the Nonce Flags field (bit 0) is set to 1 if the Type field of the Frame is 01 (Control frame); otherwise it is set to 0. Bit 2 to 7 of the Nonce Flags filed is set to 0. Nonce Flags can be optional; when it is excluded, the address of the Ack transmitter used is such that the highest order byte is set to its one’s complement When the Nonce Flags is present, if the first 12 bytes of J0[NIST Special Publication D] are the same as A2||PN, then the process is repeated with Nonce Flags incremented by 1. This avoids a collision of the initial counter with that used for other types of (Management, Data) frames from the same transmitter preserving security properties of GCM. J0 is the initial counter value constructed from the IV (initialization vector) input (A2|| PN in [1]) as defined in section 7 of [2]. Qi Wang, et.al., Broadcom

10 Method 1 – Nonce Illustrations
Nonce Flags Address of ACK transmitter PN = PN of the FTM frame soliciting ACK Octets: 1 6 6 Bits: B0 B3 B4 B5 B6 B7 Priority Management Control Zeros Fig. 3: Nonce construction for CCMP (method 1 ) Nonce Flags Address of ACK transmitter PN = PN of the frame soliciting ACK Octets: 1 6 6 B0 B1 B7 Bits: Control Zeros Fig. 4: Nonce construction for GCMP (Method 1) Qi Wang, et.al., Broadcom

11 Method 2 -- Description Define a modified FTM whose format is identical to the soliciting FTM frames defined in [1] except with an additional 6-octet field containing a random value (See Fig. 5) A new random value is generated for every new FTM frame, and included in the protected FTM frame. Define a modified Ack frame, which has the same format as the Ack frame defined in [1], except that the RA field is replaced by a field whose content is the 6-octet random value included in the modified soliciting FTM frame (See Fig. 6) The modified Ack is transmitted without encryption. Qi Wang, et.al., Broadcom

12 Method 2 -- Illustrations
Category Follow up Dialog Token Public Action Dialog Token ToD ToA ToD Error Octets: 1 1 1 1 6 6 2 FTM Synchronization information (optional) LCI Report (Optional) Location Civic Report (Optional) FTM Timing Measurement (Optional) ToA Error Random value Octets: 2 6 Variable Variable Variable Variable Fig. 5: Modified_FTM Action field (Method 2) 6 bytes random values received in FTM frames. Frame Control Duration/ID FCS Octets: 2 2 6 4 Fig. 6: Modified ACK to FTM frames (method 2) Qi Wang, et.al., Broadcom

13 Indication of Protected Ack frames
Set the Protected Frame subfield in the Frame Control field of a control frame to 1 when the Control frame is protected, and set it to 0 otherwise. (See Fig. 7) For a protected Ack frame has a MAC duration that is not equal to 14 bytes (as in Method 1), for the Frame Control filed, set the Type subfield (Bit 2 and Bit 3) to 01 (Control frame), set the Subtype subfield (Bit 4 to 7) to 0110 (Control Frame Extension) and set Bit 8 to Bit 11 (Control Frame Extension value) to one of the currently reserved value. (See Fig. 8) For a protected Ack frame with a MAC duration that is equal to 14 bytes (as in Method 2), there is no need to define a new frame type/subtype value for the frame. Qi Wang, et.al., Broadcom

14 Indication of Protected Ack frames - Illustrations
Bits: B0 B1 B2 B3 B4 B7 B8 B9 B10 B11 B12 B13 B14 B15 Protocol version Type =01 Subtype More fragment To DS From DS Power Management Protected frame =1 Retry More data Order Fig. 7: Frame control field of a protected Ack frame Bits: B0 B1 B2 B3 B4 B7 B8 B11 B12 B13 B14 B15 Protocol version Type =01 Subtype = 0110 Use one of the currently reserved value to indicate a protected Ack frame Power Management Protected frame =1 More data Order Fig. 8: Frame control field of a protected Ack frame when the MAC frame length is not equal to 14 bytes Qi Wang, et.al., Broadcom

15 Advertisement and Negotiation of Protected Acknowledgement
A device’s requirement for and/or capability of supporting a protected acknowledgement can be advertised and negotiated using the currently reserved bits in the Extended Capability element for all frames with the Protected Frame subfield (Bit 14) of the Frame Control field set to 1. Alternatively, the advertisement and negotiation can be done specifically for the FTM protocol, during the FTM setup phase. Setting one or both of the reserved bits in the FTM Measurement Parameter field of the FTM Parameters element to 1 to indicate the protection of Ack frames for the FTM sessions. (See Fig. 9, 10). Qi Wang, et.al., Broadcom

16 Advertisement and Negotiation of Protected Acknowledgement – Cont’d
Fig. 9: Fine Timing Measurement Parameters element format (i.e., Figure in [1]) Fig. 10: Fine Timing Measurement Parameters field format (i.e., Figure in [1]) Set one or both of the reserved bits to 1 to indicate the protection of ACK frames for the FTM session. Qi Wang, et.al., Broadcom

17 References [1] IEEE Std REVmc_D5.0, IEEE Standard for Information Technology – Telecommunications and information exchange between systems, local and metropolitan area networks – Specific requirements, Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications [2] SD D-NIST Recommendation for Block Cipher Modes of Operation: Galois/Counter (GCM) and GMAC, November 2007 Qi Wang, et.al., Broadcom

Download ppt "Security Enhancement to FTM"

Similar presentations

Short MAC Header Date: Authors: John Doe, Some Company

Short MAC Header Date: Authors: John Doe, Some Company
MAC Header Compression

MAC Header Compression
IEEE 802.11 Wireless LAN Standard. Medium Access Control-CSMA/CA IEEE 802.11 defines two MAC sublayers Distributed coordination function (DCF) Point coordination.

IEEE Wireless LAN Standard. Medium Access Control-CSMA/CA IEEE defines two MAC sublayers Distributed coordination function (DCF) Point coordination.
Shambhu Upadhyaya 1 802.11 Security – AES-CCMP Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 13)

Shambhu Upadhyaya Security – AES-CCMP Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 13)
1 July, 2002 doc:.: 802.15-02/275r0 Daniel V. Bailey, Ari Singer, NTRU 1 Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs)

1 July, 2002 doc:.: /275r0 Daniel V. Bailey, Ari Singer, NTRU 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs)
Doc.: IEEE 802.11-12/0110r8 SubmissionLiwen Chu Etc.Slide 1 Frame Header Compression Date: 2012-05-14 Authors: Date: May, 2012.

Doc.: IEEE /0110r8 SubmissionLiwen Chu Etc.Slide 1 Frame Header Compression Date: Authors: Date: May, 2012.
Doc.:IEEE 802.11-10/0476r1 Submission Apr. 2010 Santosh Pandey, Cisco SystemsSlide 1 Management Frame Policy Definition Authors: Date: 2010-04-20.

Doc.:IEEE /0476r1 Submission Apr Santosh Pandey, Cisco SystemsSlide 1 Management Frame Policy Definition Authors: Date:
Doc.: IEEE 802.11-12/0110r3 SubmissionLiwen Chu Etc.Slide 1 Frame Header Compression Date: 2012-01-16 Authors: Date: Jan, 2012.

Doc.: IEEE /0110r3 SubmissionLiwen Chu Etc.Slide 1 Frame Header Compression Date: Authors: Date: Jan, 2012.
Doc.: IEEE 802.11-12/0110r6 SubmissionLiwen Chu Etc.Slide 1 Frame Header Compression Date: 2012-03-11 Authors: Date: March, 2012.

Doc.: IEEE /0110r6 SubmissionLiwen Chu Etc.Slide 1 Frame Header Compression Date: Authors: Date: March, 2012.
Doc.: IEEE 802.11-12/0110r7 SubmissionLiwen Chu Etc.Slide 1 Frame Header Compression Date: 2012-04-5 Authors: Date: April, 2012.

Doc.: IEEE /0110r7 SubmissionLiwen Chu Etc.Slide 1 Frame Header Compression Date: Authors: Date: April, 2012.
Doc.: IEEE 802.11-12/0110r1 SubmissionLiwen Chu Etc.Slide 1 Frame Header Compression Date: 2012-01-16 Authors: Date: Jan, 2012.

Doc.: IEEE /0110r1 SubmissionLiwen Chu Etc.Slide 1 Frame Header Compression Date: Authors: Date: Jan, 2012.
IEEE 802.1AS REV D5.0 Review Comments

IEEE 802.1AS REV D5.0 Review Comments
IEEE 802.1AS REV D5.0 Review Comments

IEEE 802.1AS REV D5.0 Review Comments
FILS Reduced Neighbor Report

FILS Reduced Neighbor Report
Location Measurement Protocol for Unassociated STAs

Location Measurement Protocol for Unassociated STAs
IEEE 802.1AS REV D5.0 Review Comments

IEEE 802.1AS REV D5.0 Review Comments
Relay Threat Model for TGaz

Relay Threat Model for TGaz
November 2017 Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [AES-256 for 802.15.4] Date Submitted:

November 2017 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [AES-256 for ] Date Submitted:
Management Frame Policy Definition

Management Frame Policy Definition
Functional Requirement for Secure Ranging

Functional Requirement for Secure Ranging

Similar presentations

Ads by Google