IEEE 802.11az provides security enhancements, solves longstanding problems

In this Help Net Security interview, Jonathan Segev, IEEE 802.11 Task Group (TG) Chair of next-generation positioning (TGaz) at IEEE, discusses IEEE 802.11az. The new standard will enable accuracy to less than 0.1 meters, which is a significant improvement from the current Wi-Fi location accuracy of 1-2 meters.

One of the key features is secure, authenticated, and private positioning. This means that you could set your computer to unlock only via your smartwatch, with proper authentication, and only when you are within inches of it. Similarly, this can apply to unlocking a vehicle’s door via a smart device, but only when standing within a programmed distance that can be less than a meter away. Another application would be using a smart device to make a payment at the point of sale in a store or to facilitate an ATM transaction. Verified proximity of the two devices strengthens the authenticity guarantee, thwarting relay attacks.


Can you briefly explain the primary function and importance of the newly released IEEE 802.11az standard?

IEEE 802.11az integrates positioning protocols into mainstream IEEE 802.11ax (also known as Wi-Fi 6), while providing additional benefits such as security and authenticity, 2x to 4x improved accuracy and coverage, 10x improved power efficiency, and dramatic improvement to scalability. All this while taking advantage of the Wi-Fi ecosystem’s superior link budget for longer range use, and access to spectrum for long-term technology investment value.

What is the evolutionary significance of the IEEE 802.11az standard, or Next Generation Positioning (NGP), in the context of the IEEE 802.11 series?

The IEEE 802.11az standard is the 3rd generation of Wi-Fi positioning protocols, see Figure 1 below. The first generation was based on RSSI (Received Signal Strength), which provided relatively modest accuracy of 10-15m. The second generation, referred to as REVmc FTM (Fine Timing Measurement), is ToF (Time of Flight) based and has an accuracy of 1-2m in bandwidths up to 160MHz. REVmc FTM is available today on many mobile devices and is supported by multiple enterprise network vendors.

IEEE 802.11az is the third generation; it enables sub-1m accuracy and is just now entering the market. It supports MIMO (Multiple In Multiple Out antenna) and provides enterprise grade MAC and PHY security. Looking forward, 802.11bk is now in development to define 802.11 positioning using 320MHz Wi-Fi 7 channels and is expected to improve accuracy even further, to sub-0.1m levels.

Figure 1 – Protocol Development Roadmap

How does the PHY level anti-spoofing mechanism, Secure LTF, introduced in IEEE 802.11az enhance security, especially in proximity-based uses like unlocking doors with a wearable?

The Secure LTF mechanism provides multi-layer protection against manipulation of the over-the-air signal, such as the Timing Advance attack, where the attacker introduces a false sense of range (shown in the figure below) by transmitting a partial message advanced in time.


Figure 2 – PHY Frame level attack on an unprotected measurement frame

IEEE 802.11az builds on the existing IEEE 802.11 security framework. The same credentials and security scheme used for connectivity are used to authenticate 802.11az peers’ protocol signaling. In addition, 802.11az uses the Pairwise Transient Key (PTK) key material to derive a separate key called the Key Derivation Key (KDK) that is independent from the Temporal Key (TK) used for MAC and data protection; refer to Figure 3 below.

Figure 3 – KDK key generation hierarchy

Each Secure LTF transmission uses a unique AES128 sequence, generated with the scheme shown in Figure 4, which is then mapped to a specifically designed Secured LTF symbol and to subcarriers within the symbol.


Figure 4 – Pseudo-random PHY Measurement Symbol Generation

At the MAC level, signaling called the SAC (Sequence Authentication Code) is defined and used to synchronize the reception and transmission of pseudo-random AES128 sequences, account for errors due to the medium, and counter man-in-the-middle and other attacks.

The sequences are mapped to specialized 802.11 PHY frames that use 64 QAM (encoding 6 bits per subcarrier, up from the one-bit BPSK modulation used for regular radio channel estimation). This increases the code word size, improving signal entropy, making it exponentially harder for a listen process attack scheme to be successful, and dramatically decreasing the probability of a successful brute force attack.

Figure 5 – PHY level Frequency to Time Domain mapping of pseudo-random sequences

In addition, a normal practice in OFDM/A systems such as 802.11 is to add redundancy to the symbol to absorb Inter Symbol Interference (ISI) from the environment by repeating a portion of the symbol and concatenating it in a time interval called the Guard Interval (GI). For Secured LTF, this practice is replaced by a zero-power GI, removing any opportunity for an adversary repetition attack.


Figure 6 – Removal of redundancy: prevention of repetition attack
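A small simulation of the points made in this answer, added here as an illustration and not code from the standard or from the interview: a correlation-based arrival-time estimate is fooled by an attacker who replays a public, fixed LTF pattern advanced in time (the Timing Advance attack of Figure 2), but not when the pattern is derived per measurement from a KDK the attacker does not hold (Figures 3 and 4) and bound to a SAC counter. The key hierarchy labels, the PRF (HMAC-SHA256 standing in for AES-128), the 160 MHz sample clock and the attacker's 2x power advantage are constructed assumptions, not the 802.11az definitions.

```python
import hashlib
import hmac

C = 299_792_458.0      # speed of light, m/s
SAMPLE_RATE = 160e6    # constructed: 160 MHz sample clock, so one sample is about 1.87 m of range
SEQ_LEN = 256          # one HMAC-SHA256 digest yields 256 +/-1 samples
ATTACKER_GAIN = 2      # constructed: attacker transmits stronger than the attenuated genuine path

def derive_key(ptk: bytes, label: bytes) -> bytes:
    """Illustrative key hierarchy step (assumption, not the 802.11 KDF): one PTK yields
    independent keys for data protection (TK) and for Secure LTF generation (KDK)."""
    return hmac.new(ptk, label, hashlib.sha256).digest()[:16]

def ltf_sequence(key: bytes, sac: int) -> list:
    """Pseudo-random +/-1 LTF samples bound to a key and to the SAC counter of this measurement.
    HMAC-SHA256 stands in for the AES-128 generator of the real scheme."""
    digest = hmac.new(key, sac.to_bytes(4, "big"), hashlib.sha256).digest()
    return [1 if (byte >> i) & 1 else -1 for byte in digest for i in range(8)]

# Constructed stand-in for a legacy LTF: one fixed pattern that every device (and attacker) knows.
LEGACY_LTF = ltf_sequence(b"public fixed pattern", 0)

def estimate_arrival(rx: list, template: list) -> int:
    """Slide the expected LTF over the received samples; the correlation peak is the receiver's
    estimate of the first-path arrival index (time of flight in samples)."""
    best_idx, best_val = 0, None
    for start in range(len(rx) - len(template) + 1):
        val = sum(r * t for r, t in zip(rx[start:start + len(template)], template))
        if best_val is None or val > best_val:
            best_idx, best_val = start, val
    return best_idx

def simulate(template: list, attacker_copy: list, true_delay: int, advance: int) -> int:
    """Genuine peer's LTF arrives at true_delay; the attacker injects attacker_copy `advance`
    samples earlier (Timing Advance attack). Returns the arrival index the receiver estimates."""
    rx = [0] * (true_delay + SEQ_LEN + 8)
    for i, s in enumerate(template):
        rx[true_delay + i] += s
    for i, s in enumerate(attacker_copy):
        rx[true_delay - advance + i] += ATTACKER_GAIN * s
    return estimate_arrival(rx, template)

def range_m(arrival_index: int) -> float:
    """Convert a one-way arrival index into metres."""
    return arrival_index * C / SAMPLE_RATE

if __name__ == "__main__":
    ptk = b"constructed PTK from the 4-way handshake"
    kdk, tk = derive_key(ptk, b"KDK"), derive_key(ptk, b"TK")
    # Legacy: the attacker knows the pattern, so its advanced copy wins the correlation peak.
    print("legacy:", range_m(simulate(LEGACY_LTF, LEGACY_LTF, 20, 5)), "m")
    # Secure LTF: the attacker must guess the KDK-bound sequence, and the guess does not correlate.
    genuine = ltf_sequence(kdk, 7)
    print("secure:", range_m(simulate(genuine, ltf_sequence(b"attacker guess", 7), 20, 5)), "m")
```

With a 5-sample advance the legacy estimate lands about 9.4 m closer than the true 20-sample range, while the KDK-bound sequence keeps the peak at the genuine arrival.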

How does the IEEE 802.11az standard contribute to WLANs’ energy efficiency and dynamic scheduling?

Unique amongst wireless positioning connectivity solutions, 802.11az FTM can dynamically modify the rate of measurements per second, and the number of measurements per single channel access, to the momentary needs and conditions, without service renegotiation. These unique properties provide a reliable, uninterrupted, smooth, and continuous range/location service.

The instantaneous measurement rate can vary by as much as a factor of 100 and possibly more, moving from as much as 10Hz to as little as 0.01Hz. This variability is useful to follow rapid vs. sporadic movement by the client, or to compensate for outliers in measurement, while preserving user experience and device responsiveness.

The ability to vary the number of measurements per channel access by as much as a factor of 64 provides increased statistics, improving the Signal to Noise Ratio (SNR) for reliable and spectrum efficient estimation, and the ability to identify brute force attacks. The HE LTF fields in the Secure HE-LTF frame shown in Figure 6 indicate the possible variability in the number of HE-LTFs per PHY frame.

How does the new IEEE 802.11az standard improve home Wi-Fi use, particularly in the context of multiple APs and mesh networks?

Multiple APs and mesh networks are now quite common in home and residential environments. In these environments, device location within the house and proximity to a specific AP is very likely a good measure of the medium to long term data link signal. 802.11az can be used to provide input to AP selection algorithms, in addition to supporting services such as location detection and contextual information for IoT services (e.g., turn on lights when entering a room).