Protocol Alternatives and Evaluation

doc.: IEEE 802.11-16/1020r0
July 2016
Security Enhancement to FTM
Date: 2016-07-25
Authors:
(Name, Affiliations, Phone, email)
• Qi Wang, Broadcom, +1 (408) 922-8798, [email protected]
• Nehru Bhandaru, Broadcom, Nehru.bhandaru@broadcom.com
• Matthew Fischer, Broadcom, Matthew.fischer@broadcom.com
Address: 190 Mathilda Place, Sunnyvale, CA
Submission
Qi Wang, et.al., Broadcom
Security Limitation of Current FTM Solution
• Some use cases require security for FTM
– Proximity detection to point of sale (e.g., Starbucks)
– Unlock assistance to personal laptop or tablet
– Unlock your car
– Unlock a locker at sports facility
– Serve as entry ticket, e.g., concert, sports event
– Alternative access for building, e.g., in lieu of ID cards
• Current FTM solution lacks security protection of RTT measurement and may be easily compromised.
• Hence extra steps to improve security for FTM are recommended.
Security Issue of FTM
• The FTM (Fine Timing Measurement) protocol enables RTT measurement
– RTT = [(t4_m-t1_m) - (t3_m-t2_m)]
• FTM frames currently are not protected.
• According to the 802.11 spec [1], an Ack frame is not protected. As a result,
– a malicious device can transmit fake Ack frames, which pretend to be the Ack frames from the Initiating STA, to the Responding STA, so that the Responding STA obtains the wrong t4 and includes such a wrong t4 in the payload of the subsequent FTM frames.
– Subsequently, the Initiating STA derives the wrong RTT between the Initiating STA and the Responding STA.
[Figure: FTM frame exchange between STA1 (Responding STA) and STA2 (Initiating STA): FTM Request, ACK; FTM_m (payload contains [t1_(m-1), t4_(m-1)]) with t1_m, t2_m, then ACK with t3_m, t4_m; FTM_(m+1) (payload contains [t1_m, t4_m]) with t1_(m+1), t2_(m+1), then ACK with t3_(m+1), t4_(m+1); FTM_(m+2) (payload contains [t1_(m+1), t4_(m+1)]) with t1_(m+2), t2_(m+2), then ACK with t3_(m+2), t4_(m+2)]
Proposal Overview
• We propose methods to protect the Acks to the FTM
frames, thus enhancing the security of the FTM protocol.
• The proposed enhancements apply to FTM executed in
the associated state, where FTM frames are protected
using PMF.
• Our methods can also be applied to:
– protect acknowledgement to other management frames.
– protect acknowledgement to other types of frames (e.g., data
frames).
– protect other control frames.
Method 1 -- Overview
• Define a new Ack control frame that is the same as that in
[1], except with an addition of a frame body of 1 octet
length that contains a random value generated by the Ack
transmitter. (See Fig. 1)
• Protect the new Ack frame using CCMP or GCMP.
• The transmitted new Ack frame format is composed of the
MAC header, encrypted frame body, MIC and FCS. (See
Fig. 2)
– Due to our design choices, the 8-octet CCMP/GCMP header is not
needed, which reduces overhead.
Method 1 – Illustrations of New Acks
Field:  Frame control | Duration | RA = address of ACK recipient | Frame Body (new) = random number generated by Ack transmitter | FCS
Octets: 2 | 2 | 6 | 1 | 4
Fig. 1: Un-protected new ACK Frame Format (method 1)
Field:  Frame control | Duration | RA = address of ACK recipient | (encrypted) Frame Body | MIC | FCS
Octets: 2 | 2 | 6 | 1 | 8 | 4
Fig. 2: Protected new ACK Frame Format (method 1)
Method 1 – Protection of New Ack with CCMP/GCMP
• Use the same key ID and TK (temporal key) as those used by
the FTM frame that solicits the Ack.
• Set the Ack frame’s PN to be the same as the PN used by
the FTM frame that solicits the Ack.
• Data input to the CCM/GCM encryption engine is the 1
octet random value in the new Ack frame body.
• Set AAD = Frame Control || RA (address of Ack receiver)
– Frame Control in AAD is masked as specified in 12.5.3.3.3 of [1].
Method 1 – Protection of New Ack with CCMP/GCMP – Cont’d
• Construction of CCMP Nonce (See Fig. 3)
– Nonce = Nonce Flags || address of Ack Transmitter || PN
• The Priority subfield of the Nonce Flags field is set to 0.
• When Ack frame protection is negotiated, the Control field of the Nonce
Flags field is set to 1 if the Type field of the Frame is 01 (Control frame);
otherwise it is set to 0.
• Bit 6 to 7 of the Nonce Flags field are set to 0.
Method 1 – Protection of New Ack with CCMP/GCMP – Cont’d
• Construction of GCMP Nonce (see Fig. 4)
– Nonce = Nonce Flags || address of Ack Transmitter || PN
• When Ack frame protection is negotiated, the Control field of the Nonce Flags
field (bit 0) is set to 1 if the Type field of the Frame is 01 (Control frame);
otherwise it is set to 0.
• Bits 2 to 7 of the Nonce Flags field are set to 0.
• Nonce Flags can be optional; when it is excluded, the address of the Ack
transmitter used is such that the highest order byte is set to its one’s complement.
• When the Nonce Flags is present, if the first 12 bytes of J0 [NIST Special
Publication 800-38D] are the same as A2||PN, then the process is repeated with
Nonce Flags incremented by 1. This avoids a collision of the initial counter with
that used for other types of (Management, Data) frames from the same
transmitter, preserving the security properties of GCM.
– J0 is the initial counter value constructed from the IV (initialization vector) input
(A2||PN in [1]) as defined in section 7 of [2].
Method 1 – Nonce Illustrations
Field:  Nonce Flags | Address of ACK transmitter | PN = PN of the FTM frame soliciting ACK
Octets: 1 | 6 | 6
Nonce Flags bits: B0-B3 Priority | B4 Management | B5 Control | B6-B7 Zeros
Fig. 3: Nonce construction for CCMP (method 1)
Field:  Nonce Flags | Address of ACK transmitter | PN = PN of the frame soliciting ACK
Octets: 1 | 6 | 6
Nonce Flags bits: B0 Control | B1-B7 Zeros
Fig. 4: Nonce construction for GCMP (Method 1)
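Added example (not part of the original submission): the CCMP nonce of Fig. 3 built in Python, with a check that the Control flag keeps the Ack nonce distinct from management and data frame nonces formed by the same transmitter with the same PN value under the same TK. The Frame Control constants, the function names and the PN octet order (PN5 first) are assumptions made for this illustration.

```python
# Nonce Flags bit positions as read from Fig. 3 (B0 = least significant bit).
PRIORITY_MASK = 0x0F       # B0-B3
MANAGEMENT_BIT = 1 << 4    # B4
CONTROL_BIT = 1 << 5       # B5, the flag this proposal adds; B6-B7 stay 0

# Constructed Frame Control values (Protected Frame bit B14 set in all three).
FC_PROTECTED_ACK = (0b01 << 2) | (0b0110 << 4) | (1 << 14)  # B8-B11 left 0 as a placeholder
FC_MGMT_ACTION = (0b00 << 2) | (0b1101 << 4) | (1 << 14)
FC_DATA = (0b10 << 2) | (1 << 14)


def ccmp_nonce(frame_control, transmitter, pn, priority=0, ack_protection=True):
    """Nonce = Nonce Flags || address of transmitter || PN (13 octets)."""
    if len(transmitter) != 6 or not 0 <= pn < 1 << 48:
        raise ValueError("need a 6-octet address and a 48-bit PN")
    ftype = (frame_control >> 2) & 0b11            # Type subfield, B2-B3
    flags = priority & PRIORITY_MASK
    if ftype == 0b00:
        flags |= MANAGEMENT_BIT
    elif ftype == 0b01:
        # Priority is 0 for the Ack; ack_protection=False is the counterfactual
        # "no Control flag" case, kept only to show the collision it would cause.
        flags = CONTROL_BIT if ack_protection else 0
    # PN octet order PN5..PN0 is an assumption of this example.
    return bytes([flags]) + transmitter + pn.to_bytes(6, "big")


def ack_nonce_is_unique(transmitter, pn, ack_protection=True):
    """True if the Ack nonce differs from every management/data nonce the
    same transmitter could form with this PN value."""
    ack = ccmp_nonce(FC_PROTECTED_ACK, transmitter, pn, ack_protection=ack_protection)
    others = [ccmp_nonce(FC_MGMT_ACTION, transmitter, pn)]
    others += [ccmp_nonce(FC_DATA, transmitter, pn, priority=p) for p in range(16)]
    return ack not in others
```

Because the Ack reuses the PN of the soliciting FTM frame, that PN value is not drawn from the Ack transmitter's own counter; the flag octet is what keeps the (TK, nonce) pair from repeating.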
Method 2 -- Description
• Define a modified FTM whose format is identical to the
soliciting FTM frames defined in [1] except with an additional
6-octet field containing a random value (See Fig. 5)
– A new random value is generated for every new FTM frame, and included
in the protected FTM frame.
• Define a modified Ack frame, which has the same format as
the Ack frame defined in [1], except that the RA field is
replaced by a field whose content is the 6-octet random value
included in the modified soliciting FTM frame (See Fig. 6)
– The modified Ack is transmitted without encryption.
Method 2 -- Illustrations
Field:  Category | Public Action | Dialog Token | Follow up Dialog Token | Random value | ToD | ToA | ToD Error | ToA Error | LCI Report (Optional) | Location Civic Report (Optional) | FTM Timing Measurement (Optional) | FTM Synchronization information (optional)
Octets: 1 | 1 | 1 | 1 | 6 | 6 | 6 | 2 | 2 | Variable | Variable | Variable | Variable
Fig. 5: Modified_FTM Action field (Method 2)
Field:  Frame Control | Duration/ID | 6 bytes random values received in FTM frames | FCS
Octets: 2 | 2 | 6 | 4
Fig. 6: Modified ACK to FTM frames (method 2)
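Added example (not part of the original submission): a Python model of the Method 2 check on the responding STA, which records t4 only when the 14-octet modified Ack of Fig. 6 echoes the random value of the outstanding FTM frame. The class and function names, the Frame Control constant, the one-outstanding-frame state and the little-endian FCS packing are assumptions made for this illustration.

```python
import hmac
import secrets
import struct
import zlib

# Ack Frame Control: Type=01 (Control), Subtype=1101 (Ack), Protected Frame (B14)=1
FC_MODIFIED_ACK = 0x00D4 | (1 << 14)


def build_modified_ack(rand6: bytes, duration: int = 0) -> bytes:
    """Fig. 6 layout: Frame Control(2) | Duration/ID(2) | random value(6) | FCS(4)."""
    body = struct.pack("<HH", FC_MODIFIED_ACK, duration) + rand6
    return body + struct.pack("<I", zlib.crc32(body))  # FCS byte order assumed


def parse_modified_ack(frame: bytes):
    """Return the 6-octet random field, or None if the frame is malformed."""
    if len(frame) != 14:
        return None
    body, (fcs,) = frame[:10], struct.unpack("<I", frame[10:])
    fc, _duration = struct.unpack("<HH", body[:4])
    if fcs != zlib.crc32(body) or fc != FC_MODIFIED_ACK:
        return None
    return body[4:10]


class Responder:
    """Hypothetical responding-STA state: one outstanding FTM frame at a time."""

    def __init__(self):
        self.pending = None

    def next_ftm_random(self) -> bytes:
        # Fresh value per FTM frame; it travels inside the PMF-protected frame.
        self.pending = secrets.token_bytes(6)
        return self.pending

    def on_ack(self, frame: bytes, rx_time_ps: int):
        """Return t4 if the Ack echoes the outstanding value, else None."""
        rand = parse_modified_ack(frame)
        if rand is None or self.pending is None:
            return None
        if not hmac.compare_digest(rand, self.pending):
            return None          # wrong or stale value: t4 is not recorded
        self.pending = None      # one Ack per FTM frame; a replay no longer matches
        return rx_time_ps


def rtt(t1, t2, t3, t4):
    """RTT = (t4 - t1) - (t3 - t2), as on the Security Issue of FTM slide."""
    return (t4 - t1) - (t3 - t2)
```

An Ack with a non-matching value leaves the pending value in place, so the genuine Ack that follows is still accepted and supplies the t4 reported in the next FTM frame.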
Indication of Protected Ack frames
• Set the Protected Frame subfield in the Frame Control
field of a control frame to 1 when the Control frame is
protected, and set it to 0 otherwise. (See Fig. 7)
• For a protected Ack frame that has a MAC duration that is
not equal to 14 bytes (as in Method 1), for the Frame
Control field, set the Type subfield (Bit 2 and Bit 3) to 01
(Control frame), set the Subtype subfield (Bit 4 to 7) to
0110 (Control Frame Extension) and set Bit 8 to Bit 11
(Control Frame Extension value) to one of the currently
reserved values. (See Fig. 8)
• For a protected Ack frame with a MAC duration that is
equal to 14 bytes (as in Method 2), there is no need to
define a new frame type/subtype value for the frame.
Indication of Protected Ack frames - Illustrations
Bits: B0-B1 Protocol version | B2-B3 Type = 01 | B4-B7 Subtype | B8 To DS | B9 From DS | B10 More fragment | B11 Retry | B12 Power Management | B13 More data | B14 Protected frame = 1 | B15 Order
Fig. 7: Frame control field of a protected Ack frame
Bits: B0-B1 Protocol version | B2-B3 Type = 01 | B4-B7 Subtype = 0110 | B8-B11 Use one of the currently reserved values to indicate a protected Ack frame | B12 Power Management | B13 More data | B14 Protected frame = 1 | B15 Order
Fig. 8: Frame control field of a protected Ack frame when the MAC frame length is not equal to 14 bytes
Advertisement and Negotiation of Protected Acknowledgement
• A device’s requirement for and/or capability of supporting
a protected acknowledgement can be advertised and
negotiated using the currently reserved bits in the Extended
Capability element for all frames with the Protected Frame
subfield (Bit 14) of the Frame Control field set to 1.
• Alternatively, the advertisement and negotiation can be
done specifically for the FTM protocol, during the FTM
setup phase.
– Setting one or both of the reserved bits in the FTM Measurement
Parameter field of the FTM Parameters element to 1 to indicate the
protection of Ack frames for the FTM sessions. (See Fig. 9, 10).
Advertisement and Negotiation of Protected Acknowledgement – Cont’d
Fig. 9: Fine Timing Measurement Parameters element format (i.e., Figure 9-571 in [1])
Fig. 10: Fine Timing Measurement Parameters field format (i.e., Figure 9-572 in [1])
Set one or both of the reserved bits to 1 to indicate the protection of
ACK frames for the FTM session.
References
• [1] IEEE Std 802.11 REVmc_D5.0, IEEE Standard for Information
Technology – Telecommunications and information exchange between
systems, local and metropolitan area networks – Specific requirements,
Part 11: Wireless LAN Medium Access Control (MAC) and Physical
Layer (PHY) Specifications
• [2] NIST SP 800-38D, Recommendation for Block Cipher Modes of
Operation: Galois/Counter Mode (GCM) and GMAC, November 2007