Presentation is loading. Please wait.

Presentation is loading. Please wait.

PHY-Level Security Protection

Published byWesley Burns Modified over 5 years ago

Similar presentations

Presentation on theme: "PHY-Level Security Protection"— Presentation transcript:

1 PHY-Level Security Protection
Month Year doc.: IEEE yy/xxxxr0 July 2017 PHY-Level Security Protection Date: Authors: Li, Jiang, Segev, Abramovsky, et al, Intel Abramovsky, Ghosh, Segev & Li, Intel

2 July 2017 Abstract Previously in [1][2], we identified a threat model with two types of adversaries: Type A 1ms response time Type B 1us response time In this submission, we present a scheme to detect and suppress Type B adversary attacks at PHY level [1] Doc.: IEEE /0120r2 Intel Secured Location Threat Model [2] Doc.: IEEE /0801r1 Intel Discussion on FTM Protection – follow up Li, Jiang, Segev, Abramovsky, et al, Intel

3 Outline PHY-level technique to protect measurement symbols:
July 2017 Outline PHY-level technique to protect measurement symbols: Prevention of wrong sense of distance through detection of adversary attack: Discarding contaminated measurements ensures security Suppression of adversary attack: Suppressing adversary attacks enhances robustness Li, Jiang, Segev, Abramovsky, et al, Intel

4 Needs for High Security
July 2017 Needs for High Security Some applications require high security Door lock, PC lock, ATM Spoofed measurement should be discarded to prevent property loss Li, Jiang, Segev, Abramovsky, et al, Intel

5 HW Impersonation/Data Integrity – How to Spoof Legacy Sounding
Month Year doc.: IEEE yy/xxxxr0 July 2017 HW Impersonation/Data Integrity – How to Spoof Legacy Sounding L-STF & L-LTF give the timing reference to the VHT-LTF, which could be spoofed by the adversary RSTA (AP) Transmission NAV is set by 11a RTS CTS Beamforming makes DATA not accessible to third parties Add a backup slide for random sequence in 11mc Note: Quotation of Slide 11 in [1] Li, Jiang, Segev, Abramovsky, et al, Intel Abramovsky, Ghosh, Segev & Li, Intel

6 MAC protection is insufficient
July 2017 MAC protection is insufficient Although transmissions of time stamps i.e. t1, t2, t3, t4 can be encrypted, the measurements of t2 and t4 themselves are still vulnerable AP Adversary STA t1 t2 Spoofed 1st tap arrives before the true one t3 t4' RTT is perceived smaller because t4'-t1 < t4-t1 t4 Li, Jiang, Segev, Abramovsky, et al, Intel

7 Goals Detecting adversary attack ensures security
July 2017 Goals Detecting adversary attack ensures security Once adversary attack is detected, spoofed measurement can be discarded and further damage is prevented Suppressing attack signals enhances resilience Processing gain of random sounding sequence suppresses spoofing signal Li, Jiang, Segev, Abramovsky, et al, Intel

8 July 2017 Adversary Detection Conduct two sounding measurements within channel coherence time Shift 2nd sounding symbols (i.e. HE-LTF or VHT-LTF) by a random CSD unknown to spoofer Check consistency across two channel measurements CSD e.g. 170 ns applied to HE-LTF TF 1 UL NPD 1 NDP-A 1 DL NDP 1 TF 2 UL NPD 2 NDP-A 2 DL NDP 2 Channel measurement 1 Channel measurement 2 Li, Jiang, Segev, Abramovsky, et al, Intel

9 Procedures Transmitter: Receiver: July 2017
Transmit two sounding signals within channel coherence time e.g. 1ms Apply CSD to 2nd sounding signal, where CSD value is known to the receiver over encrypted message so that spoofer can’t adapt to the CSD Receiver: Remove the CSD from each measurement, and compare the channel estimates of two adjacent measurements Channel estimates should be consistent unless spoofing occurred Channel estimates from 1st measurement Channel estimates from 2nd measurement Inconsistent Due to spoofer Due to user Li, Jiang, Segev, Abramovsky, et al, Intel

10 July 2017 Discussions Spoofing detection by CSD requires almost no implementation changes CSD is currently used in legacy transmitter and receiver. For example, CSD is compensated before channel interpolation in 11n/ac/ax Adversary attack can be detected but can’t be suppressed by random CSD Li, Jiang, Segev, Abramovsky, et al, Intel

11 Suppression of Adversary Attack — Random sounding symbols
July 2017 Suppression of Adversary Attack — Random sounding symbols Replace existing sounding signal (i.e. LTF binary sequence) by a random binary sequence unknown to spoofer Sequence generation key is exchanged and encrypted before measurement L-STF, L-LTF, L-SIG, RL-SIG, HE-SIG-A HE-STF Random BPSK sequence +1, -1,+1, +1, +1, -1, -1, … Li, Jiang, Segev, Abramovsky, et al, Intel

12 Suppressed Spoofing Impact
July 2017 Suppressed Spoofing Impact Spoofed 1st tap True 1st tap Noise level With Legacy LTF symbols With random sounding symbols Concentrated, high power spoofed taps Spread, low power spoofed taps Li, Jiang, Segev, Abramovsky, et al, Intel

13 July 2017 20 dB Suppression Suppress spoofed 1st tap by about 20 dB for 80 MHz sounding True 1st tap Spoofed 1st tap Li, Jiang, Segev, Abramovsky, et al, Intel

14 Requirements for Random Sounding Signal
July 2017 Requirements for Random Sounding Signal Strong security protection A large amount of sounding signals to choose Easy implementation BPSK modulation and minimum storage Support for long distance ranging Low PAPR Scalable protection Nice tradeoff between security and overhead Li, Jiang, Segev, Abramovsky, et al, Intel

15 Golay Sequences Golay sequences have low PAPR
July 2017 Golay Sequences Golay sequences have low PAPR About the same as 11ax LTF Golay sequences can be easily generated Duplication, shift, and sign change 512 sequences can be generated for 80MHz 1x sounding The odd for the adversary is below 2 ×10-3 per sounding Li, Jiang, Segev, Abramovsky, et al, Intel

16 Loading Golay Sequence to Subcarriers
July 2017 Loading Golay Sequence to Subcarriers Slight puncturing is applied to Golay sequence for accommodating guard subcarriers Golay sequence, a complementary pair Li, Jiang, Segev, Abramovsky, et al, Intel

17 Easy Generation Using Concatenation
July 2017 Easy Generation Using Concatenation Long Golay sequence can be generated by concatenating two short sequences +1, +1 +1, -1 [ ] + +1, +1 +1, -1 - +1, +1 - [+1, -1] [+1, +1, +1, -1], [+1, +1 -1, +1] [+1, +1, +1, -1], [-1, -1, +1, -1] Li, Jiang, Segev, Abramovsky, et al, Intel

18 Easy Generation Using Interleaving and Reversion
July 2017 Easy Generation Using Interleaving and Reversion Generate new long sequence by interleaving two short ones Generate new sequence by reversing the order of one Two short sequences a b c d A B C D Interleave a A b B c C d D a -A b -B c -C d -D Reversion -D d -C c -B b -A a D d C c B b A a Li, Jiang, Segev, Abramovsky, et al, Intel

19 Length 2K Golay Sequences
July 2017 Length 2K Golay Sequences 2K+1 sequences with length 2K 512 sequences with length 256 Large distances among generated sequences Concatenation, interleaving, and reversion generate orthogonal sequences, respectively Cross correlation among sequences is either 0 or 1/4 Li, Jiang, Segev, Abramovsky, et al, Intel

20 Higher Security by 4x LTF
July 2017 Higher Security by 4x LTF 4x LTF quadruples the number of sounding sequences 2048 for 80MHz at the cost of 10 us sounding time 4.0 μs 13.6 μs 1x LTF, 512 sequences 4x LTF, 2048 sequences Li, Jiang, Segev, Abramovsky, et al, Intel

21 Higher Security by Multiple Measurements
July 2017 Higher Security by Multiple Measurements Each measurement independently choose a sounding sequence Sequence space increases exponentially with the number of measurements conducted within the channel coherence time The chance left for the adversary is below 4 ×10-6 for passing three contiguous measurements Independent sounding sequences TF 1 UL NPD 1 TF 2 UL NPD 2 TF 3 UL NPD 3 Measurement 1 Measurement 2 Measurement 3 Li, Jiang, Segev, Abramovsky, et al, Intel

22 July 2017 PAPR for 80 MHz Sounding 0.5 dB better than 11ax LTF and 3.5 dB better than fully random BPSK sounding sequence Li, Jiang, Segev, Abramovsky, et al, Intel

23 July 2017 PAPR for 40 MHz Sounding 0.3 dB worse than 11ax LTF and 2.8 dB better than fully random BPSK sounding sequence Li, Jiang, Segev, Abramovsky, et al, Intel

24 July 2017 PAPR for 20 MHz Sounding 0.3 dB worse than 11ax LTF and 2.5 dB better than fully random binary sounding Li, Jiang, Segev, Abramovsky, et al, Intel

25 July 2017 Summary MAC protection is insufficient for preventing Type B spoofing and PHY protection is needed Type B spoofing can be detected by using CSD unknown to spoofer Type B spoofing can be suppressed by using randomized sounding signal Sounding sequences, whose PAPRs are comparable to 11ax LTF, can be easily generated Li, Jiang, Segev, Abramovsky, et al, Intel

26 July 2017 Backup Li, Jiang, Segev, Abramovsky, et al, Intel

27 Random Sounding Sequence for 11mc
Month Year doc.: IEEE yy/xxxxr0 July 2017 Random Sounding Sequence for 11mc Replace VHT-LTF by a new VHTm-LTF BPSK sounding sequence is replaced Only 11mc devices can read VHT-SIG-B and DATA Although legacy devices can’t read the VHT-SIG-B and DATA, it should be fine NAV is usually set by legacy PPDU e.g. 11a RTS/CTS Legacy devices don’t need to read the duration field in the DATA L-STF L-LTF L-SIG VHT-SIG-A VHT-STF VTHm-LTF VHT-SIG-B DATA Li, Jiang, Segev, Abramovsky, et al, Intel Abramovsky, Ghosh, Segev & Li, Intel

28 Additional Suppression to Adversary
July 2017 Additional Suppression to Adversary Instead of 1x LTF symbol duration, 4x LTF symbol duration may be used 6 dB processing gain Instead of 1 OFDM symbol, the random sounding signal may spread over 8 OFDM symbols 9 dB processing gain Li, Jiang, Segev, Abramovsky, et al, Intel

Download ppt "PHY-Level Security Protection"

Similar presentations

Doc.: IEEE 802.11-11/1539r0 Submission Dec. 2011 Minho Cheong, ETRISlide 1 Beam forming for 11ah Date: 2011-12-12 Authors:

Doc.: IEEE /1539r0 Submission Dec Minho Cheong, ETRISlide 1 Beam forming for 11ah Date: Authors:
Beamformed HE PPDU Date: Authors: May 2015 Month Year

Beamformed HE PPDU Date: Authors: May 2015 Month Year
Doc.: IEEE 802.11-14/1228r2 Submission Nov. 2014 Heejung Yu, Yeungnam Univ./NEWRACOM Issues on 256-FFT per 20MHz Date: 2014-11-03 Authors: Slide 1.

Doc.: IEEE /1228r2 Submission Nov Heejung Yu, Yeungnam Univ./NEWRACOM Issues on 256-FFT per 20MHz Date: Authors: Slide 1.
Submission doc.: IEEE 802.11-14/1452r0 November 2014 Leif Wilhelmsson, EricssonSlide 1 Frequency selective scheduling in OFDMA Date: 2014-11-03 Authors:

Submission doc.: IEEE /1452r0 November 2014 Leif Wilhelmsson, EricssonSlide 1 Frequency selective scheduling in OFDMA Date: Authors:
Submission doc.: IEEE 802.11-15/1088r0 September 2015 Daewon Lee, NewracomSlide 1 LTF Design for Uplink MU-MIMO Date: 2015-09-14 Authors:

Submission doc.: IEEE /1088r0 September 2015 Daewon Lee, NewracomSlide 1 LTF Design for Uplink MU-MIMO Date: Authors:
Doc.: IEEE 802.11-10/0130r0 Submission January 2010 Yung-Szu Tu, et al., Ralink Tech.Slide 1 Proposed TGac Preamble Date: 2010-01-20 Authors:

Doc.: IEEE /0130r0 Submission January 2010 Yung-Szu Tu, et al., Ralink Tech.Slide 1 Proposed TGac Preamble Date: Authors:
Submission Sungho Moon, NewracomSlide 1 doc.: IEEE 802.11-15/0584r1May 2015 Considerations on LTF Sequence Design Date: 2015-05-10 Authors:

Submission Sungho Moon, NewracomSlide 1 doc.: IEEE /0584r1May 2015 Considerations on LTF Sequence Design Date: Authors:
Doc.: IEEE 802.11-12/0363r2 Submission Pilot Value Definitions May 2012 Yongho Seok (LG Electronics), Hongyuan Zhang (Marvell)Slide 1 Date: 2012-05-14.

Doc.: IEEE /0363r2 Submission Pilot Value Definitions May 2012 Yongho Seok (LG Electronics), Hongyuan Zhang (Marvell)Slide 1 Date:
PHY Design Considerations for af

PHY Design Considerations for af
Efficient Positioning Method using Beacon Frames

Efficient Positioning Method using Beacon Frames
WUR Legacy Preamble Design

WUR Legacy Preamble Design
Discussions on Signaling for UL HE MU PPDU

Discussions on Signaling for UL HE MU PPDU
CP-replay Threat Model for 11az

CP-replay Threat Model for 11az
Locationing Protocol for 11az

Locationing Protocol for 11az
Protected LTF Using PMF in SU and MU Modes

Protected LTF Using PMF in SU and MU Modes
PAPR reduction of Legacy portion of VHT PLCP Preamble

PAPR reduction of Legacy portion of VHT PLCP Preamble
Bandwidth Indication and Static/Dynamic Indication within Legacy

Bandwidth Indication and Static/Dynamic Indication within Legacy
WUR SYNC Preamble Design

WUR SYNC Preamble Design
160 MHz PHY Transmission Date: Authors: March 2010

160 MHz PHY Transmission Date: Authors: March 2010
Flexible Wider Bandwidth Transmission

Flexible Wider Bandwidth Transmission

Similar presentations

Ads by Google