Presentation is loading. Please wait.

Presentation is loading. Please wait.

Relay Threat Model for TGaz

Published byGinger Black Modified over 5 years ago

Similar presentations

Presentation on theme: "Relay Threat Model for TGaz"— Presentation transcript:

1 Relay Threat Model for TGaz
Month Year doc.: IEEE yy/xxxxr0 July 2017 Relay Threat Model for TGaz Date: Authors: Name Affiliations Address Phone Wei Wang Google Inc. Roy Want Roy Want et al., Google Inc John Doe, Some Company

2 Month Year doc.: IEEE yy/xxxxr0 July 2017 Abstract The relay threat model occurs when two attackers collaborate to fake the distance between two stations, making them appear closer than they really are. TGaz should be resilient to a relay attack in both associated and unassociated modes. Roy Want et al., Google Inc John Doe, Some Company

3 Month Year doc.: IEEE yy/xxxxr0 July 2017 Background Wireless Relay Attacks have been used to defeat wireless car locks and pose a real threat to property Attacker Box A Near Owner Attacker Box B Near Car Bridging the gap Roy Want et al., Google Inc John Doe, Some Company

4 Mitigating Relay Attacks
Month Year doc.: IEEE yy/xxxxr0 July 2017 Mitigating Relay Attacks Using range and location can be a good defense against relay attacks, assuming that the range/location of each party can be validated. Roy Want et al., Google Inc John Doe, Some Company

5 Applications using RTT range for secure operation
Month Year doc.: IEEE yy/xxxxr0 July 2017 Applications using RTT range for secure operation Associated (or prior shared key) Building door locks Car door locks Document access (e.g. only at work) Cloud Service Access (e.g. only within home) Unassociated Proof of presence at a location Proximity transfer of a redeemable wireless coupon Proximity control of a public device with a wireless token (IOT) Roy Want et al., Google Inc John Doe, Some Company

6 Ranging in 11mc FTM_Req Ack FTM t1
Month Year doc.: IEEE yy/xxxxr0 July 2017 Ranging in 11mc FTM RESPONDER MOBILE FTM_Req Ack t1 FTM Distance (d) can be used to verify a condition: d < [opening criterion], But ONLY if you can trust it. t2 Ack t3 t4 FTM(t4- t1) Ack Roy Want et al., Google Inc John Doe, Some Company

7 Relay Attack #1: Faking a Range in 11mc
Month Year doc.: IEEE yy/xxxxr0 July 2017 Relay Attack #1: Faking a Range in 11mc Attacker Box A Attacker Box B MOBILE FTM RESPONDER FTM_Req FTM_Req_Ack t1 FTM t2 ‘ t1 ‘ t2 t3 ‘ Ack t3 t4 t4’ FTM(t4- t1) FAKE (t4- t1) Roy Want et al., Google Inc John Doe, Some Company

8 Relay Attack #2: Faking a Range in 11mc
Month Year doc.: IEEE yy/xxxxr0 July 2017 Relay Attack #2: Faking a Range in 11mc Attacker Box A Attacker Box B MOBILE FTM RESPONDER FTM_Req FTM_Req_Ack t1 FTM t2 ‘ t1 ‘ t2 FAKE (Ack) t3 ‘ t4 t3 Ignore t4’ FTM(t4- t1) FTM (t4- t1) VALID_SIG Roy Want et al., Google Inc John Doe, Some Company

9 Authentication can prevent a relay attack if…
Month Year doc.: IEEE yy/xxxxr0 July 2017 11az Authentication can prevent a relay attack if… each packet has an authenticated payload there is a shared symmetric key the stations are in associated mode Roy Want et al., Google Inc John Doe, Some Company

10 What about the unassociated mode in 11az?
July 2017 What about the unassociated mode in 11az? There are not likely to be any shared keys Secure ranging in unassociated mode is important: Proof of presence at a location Proximity transfer of a redeemable wireless coupon Proximity control of a public device with a wireless token (IOT) Roy Want et al., Google Inc

11 Separation of Concerns
July 2017 Separation of Concerns CLOUD SERVICE CHECKS X1 = X2 APP/OS APP/OS 11az 11az DERIVED X1 DERIVED X2 Roy Want et al., Google Inc

12 Relay Attack Defense without shared keys
July 2017 Relay Attack Defense without shared keys FTM RESPONDER MOBILE t1 FTM + Nonce-A t2 t4 Ack + Nonce-B t3 FTM(t4- t1) + Nonce-AB Verify AB + (t4-t1) at APP Level Verify AB + (t4-t1) at APP Level Roy Want et al., Google Inc

13 Possible relay solution for unassociated 11az
July 2017 Possible relay solution for unassociated 11az FTM RESPONDER Attacker Box A Attacker Box B MOBILE FTM_Req FTM_Req_Ack t1 FTM + Nonce-A t2’ t1’ Ack + Nonce-X FTM + Nonce-A t3’ generated t4 t2 Ack + Nonce-B t4’ t3 FTM(t4- t1) + Nonce-AX FTM (t4- t1) + Nonce-AB Verify AB + (t4-t1) at APP Level Verify AB + (t4-t1) at APP Level Roy Want et al., Google Inc

14 July 2017 Considerations For authenticated ranging (associated) 11az will likely need a nonce in both FTM and Ack messages to validate range. Both end-STAs already have (t4-t1) An unassociated mode, that protects against relay attacks could give the App layer access to the nonces and (t4-t1) parameters. The App is then responsible for validating the parameters Roy Want et al., Google Inc

15 July 2017 Straw Poll TGaz should include a mechanism to defend against relay ranging attacks between pairs of both associated and unassociated stations Y: N: A: Roy Want et al., Google Inc

16 References Radio attack lets hackers steal 24 different car models
Month Year doc.: IEEE yy/xxxxr0 July 2017 References Radio attack lets hackers steal 24 different car models Roy Want et al., Google Inc John Doe, Some Company

Download ppt "Relay Threat Model for TGaz"

Similar presentations

Doc.: IEEE 802.11-07/2778r1 Submission November 2007 Sandra Qin et al., SamsungSlide 1 Content Protection Support in 802.11 Date: 2007-11-12 Authors:

Doc.: IEEE /2778r1 Submission November 2007 Sandra Qin et al., SamsungSlide 1 Content Protection Support in Date: Authors:
PHY Security FRD and SRD Text

PHY Security FRD and SRD Text
History and Implementation of the IEEE 802 Security Architecture

History and Implementation of the IEEE 802 Security Architecture
Content Protection Support in

Content Protection Support in
Proposed Functional Requirements for 11az

Proposed Functional Requirements for 11az
Security Enhancement to FTM

Security Enhancement to FTM
Broadcasting on WLAN Date: Authors: July 2017

Broadcasting on WLAN Date: Authors: July 2017
Proposed SFD Text for ai Link Setup Procedure

Proposed SFD Text for ai Link Setup Procedure
Broadcasting on WLAN Date: Authors: September 2017

Broadcasting on WLAN Date: Authors: September 2017
Resource Negotiation for Unassociated STAs in MU Operation

Resource Negotiation for Unassociated STAs in MU Operation
PHY Security FRD and SRD Text

PHY Security FRD and SRD Text
CP-replay Threat Model for 11az

CP-replay Threat Model for 11az
Broadcasting on WLAN Date: Authors: July 2017

Broadcasting on WLAN Date: Authors: July 2017
Discussions on FILS Authentication

Discussions on FILS Authentication
Relay Threat Model for TGaz

Relay Threat Model for TGaz
Security for location determination at a Public Domain

Security for location determination at a Public Domain
Month Year doc.: IEEE yy/xxxxr0 July 2015

Month Year doc.: IEEE yy/xxxxr0 July 2015
Pre-association Security Negotiation for 11az SFD Follow up

Pre-association Security Negotiation for 11az SFD Follow up
Month Year doc.: IEEE yy/xxxxr0 July 2017

Month Year doc.: IEEE yy/xxxxr0 July 2017
Relay Threat Model for TGaz

Relay Threat Model for TGaz

Similar presentations

Ads by Google