
PHY-Level Security Protection

This submission presents a scheme to detect and suppress Type B adversary attacks at the PHY level, providing high security for applications such as door locks, PC locks, and ATMs. The scheme includes techniques for protecting measurement symbols, preventing wrong sense of distance, discarding contaminated measurements, and suppressing adversary attacks.



Presentation Transcript


  1. PHY-Level Security Protection Authors: Date: 2017-04-20 Li, Jiang, Segev, Abramovsky, et al, Intel

  2. Abstract
     • Previously in [1][2], we identified a threat model with two types of adversaries:
       • Type A: 1 ms response time
       • Type B: 1 μs response time
     • In this submission, we present a scheme to detect and suppress Type B adversary attacks at PHY level
     [1] Doc.: IEEE 802.11-17/0120r2, Intel Secured Location Threat Model
     [2] Doc.: IEEE 802.11-17/0801r1, Intel Discussion on FTM Protection – follow up

  3. Outline
     • PHY-level technique to protect measurement symbols:
       • Prevention of wrong sense of distance through detection of adversary attack:
         • Discarding contaminated measurements ensures security
       • Suppression of adversary attack:
         • Suppressing adversary attacks enhances robustness

  4. Needs for High Security
     • Some applications require high security
       • Door lock, PC lock, ATM
     • Spoofed measurement should be discarded to prevent property loss

  5. HW Impersonation/Data Integrity – How to Spoof Legacy Sounding
     [Figure: RSTA (AP) transmission]
     • Note: Quotation of Slide 11 in [1]
     • L-STF & L-LTF give the timing reference to the VHT-LTF, which could be spoofed by the adversary

  6. MAC protection is insufficient
     [Figure: timing diagram between Adversary, STA and AP with time stamps t1, t2, t3, t4 and t4'; the spoofed 1st tap arrives before the true one]
     • RTT is perceived smaller because t4'-t1 < t4-t1
     • Although transmissions of time stamps, i.e. t1, t2, t3, t4, can be encrypted, the measurements of t2 and t4 themselves are still vulnerable

  7. Goals
     • Detecting adversary attack ensures security
       • Once adversary attack is detected, spoofed measurement can be discarded and further damage is prevented
     • Suppressing attack signals enhances resilience
       • Processing gain of random sounding sequence suppresses spoofing signal

  8. Adversary Detection
     [Figure: two sounding exchanges, labelled NDP-A 1, DL NDP 1, TF 1, UL NDP 1 (channel measurement 1) and NDP-A 2, DL NDP 2, TF 2, UL NDP 2 (channel measurement 2); CSD, e.g. 170 ns, applied to HE-LTF]
     • Conduct two sounding measurements within channel coherence time
     • Shift 2nd sounding symbols (i.e. HE-LTF or VHT-LTF) by a random CSD unknown to spoofer
     • Check consistency across two channel measurements

  9. Procedures
     [Figure: channel estimates from 1st measurement and from 2nd measurement; labels: Inconsistent, Due to spoofer, Due to user]
     • Transmitter:
       • Transmit two sounding signals within channel coherence time, e.g. 1 ms
       • Apply CSD to 2nd sounding signal, where CSD value is known to the receiver over encrypted message so that spoofer can't adapt to the CSD
     • Receiver:
       • Remove the CSD from each measurement, and compare the channel estimates of two adjacent measurements
       • Channel estimates should be consistent unless spoofing occurred

  10. Discussions
     • Spoofing detection by CSD requires almost no implementation changes
       • CSD is currently used in legacy transmitter and receiver. For example, CSD is compensated before channel interpolation in 11n/ac/ax
     • Adversary attack can be detected but can't be suppressed by random CSD
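The consistency check from slides 8 to 10, as an added example (not code from the submission). It assumes a toy 64-subcarrier channel, a spoofer that injects an early tap without knowing the CSD, and a constructed decision threshold of 0.1; all function names and values are illustrative.

```python
import cmath, math, random

N_SC, DF = 64, 312.5e3   # constructed toy grid: 64 subcarriers, 312.5 kHz spacing

def freq_response(taps):
    """Frequency response of a list of (amplitude, delay_s) channel taps."""
    return [sum(a * cmath.exp(-2j * math.pi * k * DF * d) for a, d in taps)
            for k in range(N_SC)]

def shift(h, delay):
    """Apply a cyclic shift of delay seconds; a negative delay removes it."""
    return [v * cmath.exp(-2j * math.pi * k * DF * delay) for k, v in enumerate(h)]

def estimate(true_taps, spoof_taps, csd, rng, noise=0.01):
    """Channel estimate after the receiver removes the CSD it was told about."""
    genuine = shift(freq_response(true_taps), csd)   # transmitter applied the CSD
    spoofed = freq_response(spoof_taps)              # assumption: spoofer sends no CSD
    rx = [g + s + complex(rng.gauss(0, noise), rng.gauss(0, noise))
          for g, s in zip(genuine, spoofed)]
    return shift(rx, -csd)

def inconsistency(h1, h2):
    """Energy of the difference between two estimates, relative to the first."""
    return (sum(abs(a - b) ** 2 for a, b in zip(h1, h2))
            / sum(abs(a) ** 2 for a in h1))

def spoofing_detected(true_taps, spoof_taps, csd=170e-9, threshold=0.1, seed=1):
    """Two soundings within coherence time: the first without CSD, the second with."""
    rng = random.Random(seed)
    h1 = estimate(true_taps, spoof_taps, 0.0, rng)
    h2 = estimate(true_taps, spoof_taps, csd, rng)
    return inconsistency(h1, h2) > threshold

# Constructed sample channel: line-of-sight tap at 100 ns plus one reflection.
TRUE_TAPS = [(1.0, 100e-9), (0.4, 150e-9)]
SPOOF_TAPS = [(0.8, 20e-9)]      # injected tap that arrives before the true one

if __name__ == "__main__":
    print("clean link flagged:", spoofing_detected(TRUE_TAPS, []))
    print("spoofed link flagged:", spoofing_detected(TRUE_TAPS, SPOOF_TAPS))
```

On the clean link the two estimates differ only by noise; with the injected tap, removing the CSD rotates the spoofed component on the second estimate and the mismatch is large.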

  11. Suppression of Adversary Attack: Random sounding symbols
     [Figure: PPDU with L-STF, L-LTF, L-SIG, RL-SIG, HE-SIG-A, HE-STF, followed by a random BPSK sequence +1, -1, +1, +1, +1, -1, -1, …]
     • Replace existing sounding signal (i.e. LTF binary sequence) by a random binary sequence unknown to spoofer
     • Sequence generation key is exchanged and encrypted before measurement

  12. Suppressed Spoofing Impact
     [Figure, with legacy LTF symbols: true 1st tap, spoofed 1st tap, noise level; concentrated, high power spoofed taps]
     [Figure, with random sounding symbols: true 1st tap, noise level; spread, low power spoofed taps]

  13. 20 dB Suppression
     [Figure: true 1st tap and spoofed 1st tap]
     • Suppress spoofed 1st tap by about 20 dB for 80 MHz sounding

  14. Requirements for Random Sounding Signal
     • Strong security protection
       • A large amount of sounding signals to choose
     • Easy implementation
       • BPSK modulation and minimum storage
     • Support for long distance ranging
       • Low PAPR
     • Scalable protection
       • Nice tradeoff between security and overhead

  15. Golay Sequences
     • Golay sequences have low PAPR
       • About the same as 11ax LTF
     • Golay sequences can be easily generated
       • Duplication, shift, and sign change
     • 512 sequences can be generated for 80 MHz 1x sounding
       • The odds for the adversary are below 2 × 10⁻³ per sounding

  16. Loading Golay Sequence to Subcarriers
     [Figure: Golay sequence, a complementary pair]
     • Slight puncturing is applied to Golay sequence for accommodating guard subcarriers

  17. Easy Generation Using Concatenation
     [Figure: the short pair [+1, +1], [+1, -1] is concatenated, with a sign change on one half, into the length-4 pairs [+1, +1, +1, -1], [+1, +1, -1, +1] and [+1, +1, +1, -1], [-1, -1, +1, -1]]
     • Long Golay sequence can be generated by concatenating two short sequences

  18. Easy Generation Using Interleaving and Reversion
     [Figure: two short sequences: a b c d and A B C D]
     [Figure, interleave: a A b B c C d D and a -A b -B c -C d -D]
     [Figure, reversion: -D d -C c -B b -A a and D d C c B A a b]
     • Generate new long sequence by interleaving two short ones
     • Generate new sequence by reversing the order of one

  19. Length 2^K Golay Sequences
     • 2^(K+1) sequences with length 2^K
       • 512 sequences with length 256
     • Large distances among generated sequences
       • Concatenation, interleaving, and reversion generate orthogonal sequences, respectively
       • Cross correlation among sequences is either 0 or 1/4
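The concatenation step of slide 17 grown to length 256, with a check of the complementary property and of the PAPR claim against random BPSK, as an added example (not code from the submission). The `choices` bit mask is an illustrative way to pick a variant per step, not the submission's enumeration of its 512 sequences, and the PAPR is computed without the puncturing of slide 16.

```python
import cmath, math, random

SEED_PAIR = ([1, 1], [1, -1])     # the short pair shown on slide 17

def concatenate(a, b, negate_first=False):
    """(a, b) -> ([a|b], [a|-b]) or, with negate_first, ([a|b], [-a|b])."""
    if negate_first:
        return a + b, [-x for x in a] + b
    return a + b, a + [-x for x in b]

def golay_pair(length, choices=0):
    """Grow the seed pair to length; bit i of choices picks the variant at step i."""
    a, b = SEED_PAIR
    step = 0
    while len(a) < length:
        a, b = concatenate(a, b, bool((choices >> step) & 1))
        step += 1
    return a, b

def autocorr(seq, lag):
    """Aperiodic autocorrelation of seq at the given lag."""
    return sum(seq[i] * seq[i + lag] for i in range(len(seq) - lag))

def is_complementary(a, b):
    """Golay property: autocorrelation sidelobes of a and b cancel at every lag."""
    return all(autocorr(a, k) + autocorr(b, k) == 0 for k in range(1, len(a)))

def papr_db(seq, oversample=4):
    """PAPR in dB of an OFDM symbol carrying seq on adjacent subcarriers."""
    m = len(seq) * oversample
    tw = [cmath.exp(2j * math.pi * i / m) for i in range(m)]   # twiddle table
    power = [abs(sum(s * tw[k * n % m] for k, s in enumerate(seq))) ** 2
             for n in range(m)]
    return 10 * math.log10(max(power) / (sum(power) / m))

def random_bpsk(length, seed):
    """Fully random +1/-1 sequence, the comparison baseline of slide 22."""
    rng = random.Random(seed)
    return [rng.choice((1, -1)) for _ in range(length)]

if __name__ == "__main__":
    a, b = golay_pair(256, choices=0b1011001)   # constructed choice mask
    print("complementary:", is_complementary(a, b))
    print("Golay PAPR dB:", round(papr_db(a), 2))
    print("random PAPR dB:", round(papr_db(random_bpsk(256, 7)), 2))
```

A sequence from a Golay pair has PAPR of at most 2 (about 3 dB) on contiguous subcarriers, which is why the generated sequence stays well below the random BPSK baseline.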

  20. Higher Security by 4x LTF
     [Figure: 1x LTF (4.0 μs), 512 sequences; 4x LTF (13.6 μs), 2048 sequences]
     • 4x LTF quadruples the number of sounding sequences
       • 2048 for 80 MHz at the cost of 10 μs sounding time

  21. Higher Security by Multiple Measurements
     [Figure: independent sounding sequences across TF 1 / UL NDP 1 (Measurement 1), TF 2 / UL NDP 2 (Measurement 2), TF 3 / UL NDP 3 (Measurement 3), …]
     • Each measurement independently chooses a sounding sequence
     • Sequence space increases exponentially with the number of measurements conducted within the channel coherence time
     • The chance left for the adversary is below 4 × 10⁻⁶ for passing three contiguous measurements

  22. PAPR for 80 MHz Sounding
     • 0.5 dB better than 11ax LTF and 3.5 dB better than fully random BPSK sounding sequence

  23. PAPR for 40 MHz Sounding
     • 0.3 dB worse than 11ax LTF and 2.8 dB better than fully random BPSK sounding sequence

  24. PAPR for 20 MHz Sounding
     • 0.3 dB worse than 11ax LTF and 2.5 dB better than fully random binary sounding

  25. Summary
     • MAC protection is insufficient for preventing Type B spoofing and PHY protection is needed
     • Type B spoofing can be detected by using CSD unknown to spoofer
     • Type B spoofing can be suppressed by using randomized sounding signal
     • Sounding sequences, whose PAPRs are comparable to 11ax LTF, can be easily generated

  26. Backup

  27. Random Sounding Sequence for 11mc
     [Figure: PPDU with fields L-STF, L-LTF, L-SIG, VHT-SIG-A, VHT-STF, VHTm-LTF, VHT-SIG-B, DATA]
     • Replace VHT-LTF by a new VHTm-LTF
       • BPSK sounding sequence is replaced
     • Only 11mc devices can read VHT-SIG-B and DATA
       • Although legacy devices can't read the VHT-SIG-B and DATA, it should be fine
         • NAV is usually set by legacy PPDU, e.g. 11a RTS/CTS
         • Legacy devices don't need to read the duration field in the DATA

  28. Additional Suppression to Adversary
     • Instead of 1x LTF symbol duration, 4x LTF symbol duration may be used
       • 6 dB processing gain
     • Instead of 1 OFDM symbol, the random sounding signal may spread over 8 OFDM symbols
       • 9 dB processing gain
