1 / 17

Security Enhancement to FTM

Security Enhancement to FTM. Date: 2016- 07-25. Authors:. Security Limitation of Current FTM Solution. Some uses cases require security for FTM Proximity detection to point of sale ( e.g.,Starbucks ) Unlock assistance to personal laptop or tablet Unlock your car

pearlmassey
Download Presentation

Security Enhancement to FTM

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Enhancement to FTM Date: 2016-07-25 Authors: Qi Wang, et.al., Broadcom

  2. Security Limitation of Current FTM Solution • Some uses cases require security for FTM • Proximity detection to point of sale (e.g.,Starbucks) • Unlock assistance to personal laptop or tablet • Unlock your car • Unlock a locker at sports facility • Serve as entry ticket, e.g., concert, sports event • Alternative access for building, e.g., in lieu of ID cards • Current FTM solution lacks security protection of RTT measurement and may be easily compromised. • Hence extra steps to improve security for FTM are recommended. Qi Wang, et.al., Broadcom

  3. Security Issue of FTM STA1 (Responding STA) STA2 (Initiating STA) FTM Request ACK FTM_m payload contains [t1_(m-1), t4_(m-1)] t1_m t2_m t3_m ACK t4_m FTM_(m+1) payload contains [t1_m, t4_m] t1_(m+1) t2_(m+1) t3_(m+1) ACK t4_(m+1) FTM_(m+2) payload contains [t1_(m+1), t4_(m+1)] t1_(m+2) t2_(m+2) ACK t3_(m+2) t4_(m+2) Qi Wang, et.al., Broadcom • The FTM (Fine Timing Measurement) protocol enables RTT measurement • RTT = [(t4_m-t1_m) - (t3_m-t2_m)] • FTM frames currently are not protected. • According to the 802.11 spec [1], an Ack frame is not protected, as a result, • a malicious device can transmit fake Ack frames, which pretend to be the Ack frames from the Initiating STA, to the Responding STA, so that the Responding STA obtains the wrong t4 and include such a wrong t4 in the payload of the subsequent FTM frames. • Subsequently, the Initiating STA derives the wrong RTT between the Initiating STA and the Responding STA.

  4. Proposal Overview • We propose methods to protect the Acks to the FTM frames, thus enhance the security of the FTM protocol. • The proposed enhancements apply to FTM executed in the associated state, where FTM frames are protected using PMF. • Our methods can also be applied to: • protect acknowledgement to other management frames. • protect acknowledgement to other types of frames (e.g., data frames). • protect other control frames. Qi Wang, et.al., Broadcom

  5. Method 1 -- Overview • Define a new Ack control frame that is the same as that in [1], except with an addition of a frame body of 1 octet length that contains a random value generated by the Ack transmitter. (See Fig. 1) • Protect the new Ack frame using CCMP or GCMP. • The transmitted new Ack frame format is composed of the MAC header, encrypted frame body, MIC and FCS. (See Fig. 2) • Due to our design choices, 8-octet of CCMP/GCMP header is not needed to reduce overhead. Qi Wang, et.al., Broadcom

  6. Method 1 – Illustrations of New Acks New Frame Body = random number generated by Ack transmitter RA = address of ACK recipient Frame control FCS Duration 4 2 2 Octets: 6 1 Fig. 1: Un-protected new ACK Frame Format (method 1) RA = address of ACK recipient Frame control FCS Duration MIC (encrypted) Frame Body Octets: 8 4 2 6 2 1 Fig. 2: Protected new ACK Frame Format (method 1) Qi Wang, et.al., Broadcom

  7. Method 1 – Protection of New Ack with CCMP/GCMP • Use the key ID and TK (temporal key) that are the same as that used by the FTM frame that solicits the Ack. • Set the Ack frame’s PN to be the same as the PN used by the FTM frame that solicits the Ack. • Data input to the CCM/GCM encryption engine is the 1 octet random value in the new Ack frame body. • Set AAD = Frame Control || RA (address of Ack receiver) • Frame Control in AAD is masked as specified in 12.5.3.3.3 of [1]. Qi Wang, et.al., Broadcom

  8. Method 1 – Protection of New Ack with CCMP/GCMP – Cont’d • Construction of CCMP Nonce (See Fig. 3) • Nonce = Nonce Flags || address of Ack Transmitter || PN • The Priority subfield of the Nonce Flags field is set to 0. • When Ackframe protection is negotiated, the Control field of the Nonce Flag field is set to 1 if the Type field of the Frame is 01 (Control frame); otherwise it is set to 0. • Bit 6to 7 of the Nonce Flags field are set to 0. Qi Wang, et.al., Broadcom

  9. Method 1 – Protection of New Ack with CCMP/GCMP – Cont’d • Construction of GCMP Nonce (see Fig. 4) • Nonce = Nonce Flags || address of Ack Transmitter || PN • When Ack frame protection is negotiated, the Control field of the Nonce Flags field (bit 0) is set to 1 if the Type field of the Frame is 01 (Control frame); otherwise it is set to 0. • Bit 2 to 7 of the Nonce Flags filed is set to 0. • Nonce Flags can be optional; when it is excluded, the address of the Ack transmitter used is such that the highest order byteis set to its one’s complement • When the Nonce Flags is present, if the first 12 bytes of J0[NIST Special Publication 800-38D] are the same as A2||PN, then the process is repeated with Nonce Flags incremented by 1. This avoids a collision of the initial counter with that used for other types of (Management, Data) frames from the same transmitter preserving security properties of GCM. • J0 is the initial counter value constructed from the IV (initialization vector) input (A2|| PN in [1]) as defined in section 7 of [2]. Qi Wang, et.al., Broadcom

  10. Method 1 – Nonce Illustrations PN = PN of the FTM frame soliciting ACK Nonce Flags Address of ACK transmitter 6 Octets: 6 1 B5 B0 B3 B6 B4 B7 Bits: Control Priority Management Zeros Fig. 3: Nonce construction for CCMP (method 1 ) Address of ACK transmitter Nonce Flags PN = PN of the frame soliciting ACK 1 Octets: 6 6 B1 B7 B0 Bits: Control Zeros Fig. 4: Nonce construction for GCMP (Method 1) Qi Wang, et.al., Broadcom

  11. Method 2 -- Description • Define a modified FTM whose format is identical to the soliciting FTM frames defined in [1] except with an additional 6-octet field containing a random value (See Fig. 5) • A new random value is generated for every new FTM frame, and included in the protected FTM frame. • Define a modified Ack frame, which has the same format as the Ack frame defined in [1], except that the RA field is replaced by a field whose content is the 6-octet random value included in the modified soliciting FTM frame (See Fig. 6) • The modified Ack is transmitted without encryption. Qi Wang, et.al., Broadcom

  12. Method 2 -- Illustrations Follow up Dialog Token Category Public Action ToD Error Dialog Token ToD ToA 1 2 1 Octets: 6 6 1 1 FTM Timing Measurement (Optional) Location Civic Report (Optional) FTM Synchronization information (optional) LCI Report (Optional) ToA Error Random value Octets: 6 Variable 2 Variable Variable Variable Fig. 5: Modified_FTM Action field (Method 2) 6 bytes random values received in FTM frames. Duration/ID Frame Control FCS Octets: 2 2 4 6 Fig. 6: Modified ACK to FTM frames (method 2) Qi Wang, et.al., Broadcom

  13. Indication of Protected Ack frames Qi Wang, et.al., Broadcom Set the Protected Frame subfield in the Frame Control field of a control frame to 1 when the Control frame is protected, and set it to 0 otherwise. (See Fig. 7) For a protected Ack frame has a MAC duration that is not equal to 14 bytes (as in Method 1), for the Frame Control filed, set the Type subfield (Bit 2 and Bit 3) to 01 (Control frame), set the Subtype subfield (Bit 4 to 7) to 0110 (Control Frame Extension) and set Bit 8 to Bit 11 (Control Frame Extension value) to one of the currently reserved value. (See Fig. 8) For a protected Ack frame with a MAC duration that is equal to 14 bytes (as in Method 2), there is no need to define a new frame type/subtype value for the frame.

  14. Indication of Protected Ack frames - Illustrations B2 B4 B7 Bits: B0 B1 B3 B8 B9 B10 B11 B12 B13 B14 B15 Protocol version More fragment Type =01 Subtype To DS From DS Power Management Protected frame =1 Retry More data Order Fig. 7: Frame control field of a protected Ack frame B8 B2 B4 B7 B3 B1 B0 Bits: B11 B12 B13 B14 B15 Use one of the currently reserved value to indicate a protected Ack frame Power Management Protected frame =1 Protocol version Type =01 Subtype = 0110 More data Order Fig. 8: Frame control field of a protected Ack frame when the MAC frame length is not equal to 14 bytes Qi Wang, et.al., Broadcom

  15. Advertisement and Negotiation of Protected Acknowledgement • A device’s requirement for and/or capability of supporting a protected acknowledgement can be advertised and negotiated using the currently reserved bits in the Extended Capability element for all frames with the Protected Frame subfield (Bit 14) of the Frame Control field set to 1. • Alternatively, the advertisement and negotiation can be done specifically for the FTM protocol, during the FTM setup phase. • Setting one or both of the reserved bits in the FTM Measurement Parameter field of the FTM Parameters element to 1 to indicate the protection of Ack frames for the FTM sessions. (See Fig. 9, 10). Qi Wang, et.al., Broadcom

  16. Advertisement and Negotiation of Protected Acknowledgement – Cont’d Fig. 9: Fine Timing Measurement Parameters element format (i.e., Figure 9-571 in [1]) Fig. 10: Fine Timing Measurement Parameters field format (i.e., Figure 9-572 in [1]) Set one or both of the reserved bits to 1 to indicate the protection of ACK frames for the FTM session. Qi Wang, et.al., Broadcom

  17. References • [1] IEEE Std 802.11 REVmc_D5.0, IEEE Standard for Information Technology – Telecommunications and information exchange between systems, local and metropolitan area networks – Specific requirements, Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications • [2] SD 800-38D-NIST Recommendation for Block Cipher Modes of Operation: Galois/Counter (GCM) and GMAC, November 2007 Qi Wang, et.al., Broadcom

More Related