Digital Access Service (DAS)

WIPO
WORLD INTELLECTUAL PROPERTY ORGANIZATION

CERTIFICATE OF AVAILABILITY OF A CERTIFIED PATENT DOCUMENT IN A DIGITAL LIBRARY

The International Bureau certifies that a copy of the patent application indicated below has been available to the WIPO Digital Access Service since the date of availability indicated, and that the patent application has been available to the indicated Office(s) as of the date specified following the relevant Office code:

Document details:
Country/Office: JP
Filing date: 02 Nov 2017 (02.11.2017)
Application number: 2017-212884

Date of availability of document: 06 Nov 2017 (06.11.2017)

The following Offices can retrieve this document by using the access code:
JP, US, SE, NZ, KR, EA, IN, BR, GB, AU, EP, ES, IB, EE, CN, MA, FI

Date of issue of this certificate: 07 May 2018 (07.05.2018)

JAPAN PATENT OFFICE

This is to certify that the annexed is a true copy of the following application as filed with this Office.

Date of Application:

Application Number: 2017-212884

The country code and number of your priority application, to be used for filing abroad under the Paris Convention, is JP2017-212884

Applicant(s):

Commissioner, Japan Patent Office

Title of the Invention

COMMUNICATION APPARATUS AND METHOD FOR SECURE LOW POWER TRANSMISSION

Technical Field

The present disclosure is generally related to a communication apparatus and a communication method.

Background Art

The IEEE (Institute of Electrical and Electronics Engineers) 802.11ba Taskgroup is currently in the process of standardizing wireless communication technologies related to the operations of a wake-up radio (WUR) apparatus. The WUR apparatus is a companion radio apparatus to the primary connectivity radio (PCR) apparatus and may operate in the same frequency band as the PCR or may also operate in a different frequency band. The PCR may be any of the existing mainstream IEEE 802.11 amendments (802.11a, 802.11g, 802.11n or 802.11ac) or even other applicable future amendments (e.g. 802.11ax). The purpose of the WUR apparatus is to trigger the transition of the PCR apparatus out of sleep upon reception of a valid wake-up packet (also known as WUR PHY Protocol Data Unit (PPDU)), while the PCR is used as the primary wireless communication radio. The PCR apparatus is only turned on during active communication, while during periods of idle listening, the PCR apparatus is turned off and only the WUR apparatus is operating. The WUR apparatus is expected to have active receiver power consumption of less than one milliwatt, which is much less than the active receiver power consumption of the PCR apparatus. Devices with a WUR apparatus may be called WUR devices, and WUR mode may refer to the operation mode where only the WUR is in operation while the PCR is turned off, while PCR mode may refer to operations with the PCR apparatus turned on.

The IEEE 802.11ba amendment is targeted at applications and Internet-of-Things (IOT) use cases in which the communication devices are usually powered by a battery and it is highly desirable to extend the battery lifetime while maintaining reasonably low latency.

Citation List
Non Patent Literature
[NPL 1] IEEE Std 802.11-2016
[NPL 2] IEEE 802.11-17/0575r2, Specification Framework for TGba, July 2017
[NPL 3] IEEE 802.11-16/0722r1, “Proposal for Wake-Up Receiver (WUR) Study Group”
[NPL 4] IEEE 802.11-17/0660r0, “WUR Security Proposal”
[NPL 5] Ching-Tsung Hsueh et al., “A Secure Scheme Against Power Exhausting Attacks in Hierarchical Wireless Sensor Networks”

Patent Literature
[PL 1] US2017/0099662A1 - Pascal Thubert et al., “Dynamically hashed MAC address for transmission in a network”

Disclosure Summary of Invention
Technical Problem

Since much of the power saving for WUR devices is expected to be a result of the devices turning off the main PCR apparatus and staying in the WUR mode for extended periods of time, unnecessary switching to the PCR mode is detrimental to the device’s battery life. Due to the low data rates available for communication in the WUR mode, the WUR signal is expected to be much simpler and shorter as compared to the PCR signal. As a result, WUR signals are very easy for malicious devices to capture and reproduce for ulterior motives. This makes WUR devices especially susceptible to replay attacks, whereby an attacker captures genuine WUR signals used by a central controller to wake up WUR devices and uses them in the future to falsely wake up the WUR devices with the intent of causing battery drainage. Such attacks may also be known as power exhausting attacks or denial of sleep attacks.

One non-limiting and exemplary embodiment of the present disclosure provides means for transmission and reception of secure WUR signals and prevents the above mentioned malicious attacks on WUR devices.

Solution to Problem

In one general aspect, the techniques disclosed here feature: a communication apparatus comprising a cryptographic circuitry which, in operation, uses a shared cryptographic secret Key and a cryptographic salt to generate a cryptographically encoded Message Integrity Code (MIC) that is computed over the address field of a Wake Up Radio (WUR) frame; and a transmission signal generator which, in operation, generates a secure WUR signal by replacing the address field of the WUR frame with the MIC; and a transmitter which, in operation, transmits the secure WUR signal.

It should be noted that general or specific embodiments may be implemented as a system, a method, an integrated circuit, a computer program, a storage medium, or any selective combination thereof.

Advantageous Effects of Invention

The communication apparatus and communication method described in the present disclosure provide means for transmission and reception of secure WUR signals and prevent false wake ups as a result of malicious attacks on WUR devices.

Additional benefits and advantages of the disclosed embodiments will become apparent from the specification and drawings. The benefits and/or advantages may be individually obtained by the various embodiments and features of the specification and drawings, which need not all be provided in order to obtain one or more of such benefits and/or advantages.

Brief Description of the Drawings

[Fig. 1]
Figure 1 shows an example heterogeneous 802.11 wireless network with a mixture of genuine and malicious WUR capable devices.

[Fig. 2]
Figure 2 shows the format of WUR PPDU being considered in the 802.11ba Taskgroup.

[Fig. 3]
Figure 3 depicts a frame transmission sequence that illustrates an example of a malicious attack.

[Fig. 4]
Figure 4 depicts a frame transmission sequence used to negotiate/initiate WUR mode as per the first embodiment.

[Fig. 5]
Figure 5 shows the format of the WUR Action frame used for WUR mode negotiation/initiation as per the first embodiment.

[Fig. 6]
Figure 6 depicts the 4-way handshake used to obtain the secret keys to be used in secure transmissions.

[Fig. 7]
Figure 7 is a table of the encoding of the Cipher suite field in WUR security element as per the first embodiment.

[Fig. 8]
Figure 8 shows the frame format proposed for secure WUR frames as per the first embodiment.

[Fig. 9A]
Figure 9A shows an alternative frame format proposed for secure WUR frames as per the first embodiment.

[Fig. 9B]
Figure 9B shows the format of the WUR Action frame used for notifying the cryptographic salt value as per the first embodiment.

[Fig. 10A]
Figure 10A shows the frame format proposed for secure WUR frames as per the second embodiment.

[Fig. 10B]
Figure 10B shows the format of the WUR Action frame used for notifying the MIC as per the second embodiment.

[Fig. 11A]
Figure 11A depicts a first frame transmission sequence used in secure WUR transmissions as per the third embodiment.

[Fig. 11B]
Figure 11B depicts a second frame transmission sequence used in secure WUR transmissions as per the third embodiment.

[Fig. 12]
Figure 12 depicts a frame transmission sequence used in secure WUR transmissions as per the fourth embodiment.

[Fig. 13]
Figure 13 shows the format of the WUR Action frame used for notifying a cryptographic salt range as per the fifth embodiment.

[Fig. 14]
Figure 14 is a table of example MIC values as per the fifth embodiment.

[Fig. 15]
Figure 15 shows the frame format proposed for secure WUR frames as per the fifth embodiment.

[Fig. 16]
Figure 16 shows the frame format proposed for secure multicast WUR frames as per the fifth embodiment.

[Fig. 17]
Figure 17 shows the format of the Timing Synchronization Function (TSF) field as per the sixth embodiment.

[Fig. 18]
Figure 18 shows the frame format proposed for secure WUR frames as per the sixth embodiment.

[Fig. 19]
Figure 19 is a table of an example clock drift issue that may occur when P-TSF is used for time synchronization.

[Fig. 20]
Figure 20 shows the intermediate process of creating the TSF field for input to the WUR authentication module as per the sixth embodiment.

[Fig. 21]
Figure 21 shows an example process to create secure WUR frames at the transmitter side as per the sixth embodiment.

[Fig. 22]
Figure 22 shows an example process to verify secure WUR frames at the receiver side as per the sixth embodiment.

[Fig. 23]
Figure 23 shows a frame format proposed for secure multicast WUR frames as per the sixth embodiment.

[Fig. 24]
Figure 24 shows an alternate frame format proposed for secure multicast WUR frames as per the sixth embodiment.

[Fig. 25]
Figure 25 shows the frame format proposed for unsecure WUR frames as per the sixth embodiment.

[Fig. 26]
Figure 26 shows the format of the Packet Number (PN) field as per the seventh embodiment.

[Fig. 27]
Figure 27 shows a frame format proposed for secure WUR frames as per the seventh embodiment.

[Fig. 28]
Figure 28 shows a frame format proposed for updating the PN field as per the seventh embodiment.

[Fig. 29]
Figure 29 shows a frame format proposed for secure WUR frames as per the eighth embodiment.

[Fig. 30]
Figure 30 is a simplified block diagram of an example AP that implements the disclosed transmission scheme.

[Fig. 31]
Figure 31 is a detailed block diagram of an example AP that implements the disclosed transmission scheme.

[Fig. 32]
Figure 32 is a simplified block diagram of an example WUR STA that implements the disclosed transmission scheme.

[Fig. 33]
Figure 33 is a detailed block diagram of an example WUR STA that implements the disclosed transmission scheme.

Description of Embodiments

The present disclosure can be better understood with the aid of following figures and embodiments. The embodiments described here are merely exemplary in nature and are used to describe some of the possible applications and uses of the present disclosure and should not be taken as limiting the present disclosure with regard to alternative embodiments that are not explicitly described herein.

Figure 1 shows an example of a wireless communication network 100 in which the present disclosure may be applied. The wireless communication may be based on popular wireless standards such as IEEE 802.11. The wireless communication network 100 may comprise an Access Point (AP) 110 and three stations (STA) 120, 130 and 140 associated with the AP 110. The AP 110 is equipped with a Primary Connectivity Radio (PCR) apparatus (hereinafter stated simply as “PCR”) 112 which is capable of transmitting and receiving wireless signals in the 802.11 waveform (e.g. Orthogonal Frequency Division Multiplexing (OFDM)) as well as being capable of transmitting wireless signals in the Wake-up radio (WUR) waveform (e.g. On-Off Keying (OOK)). STAs 120, 130 and 140 are WUR capable STAs and are equipped with PCRs 122, 132 and 142 respectively as well as Wake-up radio receivers (WURx) apparatus (hereinafter stated simply as “WURx”) 124, 134 and 144 respectively. STAs 130 and 140 are capable of transmitting and receiving 802.11 signals and are also capable of receiving WUR signals. The PCRs 132 and 142 may only be turned on during active communication (PCR mode), while during periods of idle listening, the PCRs may be turned off and only the WURx 134 and 144 may be operating (WUR mode). STA 120 however may be a custom made device that has all the functionalities of a WUR capable STA and in addition its PCR 122 also has the ability to transmit wireless signals in the Wake-up radio (WUR) waveform (OOK). Or STA 120 may simply be a device that possesses both the WUR AP functionalities as well as the WUR STA functionalities. When the AP 110 needs to communicate with STAs operating in WUR mode, it may first transmit a wake-up signal to instruct the STAs to transition to PCR mode by turning on the respective PCRs and switching off the WURx. Subsequently the AP and the STAs may perform communication over the PCR. Once the communication is over, the STAs may switch back to WUR mode by switching off the PCR and turning on the WURx.

Figure 2 shows the wake-up signal transmission scheme being considered in the IEEE 802.11ba Taskgroup. The wake-up signal may be represented as the WUR PHY Protocol Data Unit (PPDU) 200. The WUR PPDU 200 is composed of two distinct portions. The first portion is comprised of a 20 MHz legacy (also known as non-high-throughput (HT)) 802.11 preamble 210 and one extra OFDM symbol 218 called WUR Mark, which are transmitted in the 802.11 OFDM waveform over the entire 20 MHz channel. The second portion is the wake-up packet (WUP) payload 220 which is transmitted in a WUR OOK waveform in a narrower sub-channel within the 20 MHz channel, for example a 4 MHz sub-channel. Although only a single WUP Payload 220 is shown in Figure 2, it is also possible that more than one, for example three WUP Payloads, are transmitted on different, non-overlapping sub-channels within the 20 MHz channel.

The legacy 802.11 preamble 210 provides coexistence with legacy 802.11 STAs that do not understand the WUR signals. Preamble 210 further comprises a non-HT Short Training Field (L-STF) 212, a non-HT Long Training Field (L-LTF) 214 and a non-HT SIGNAL field (L-SIG) 216. The L-SIG 216 carries information regarding the length of the WUP payload 220, allowing legacy 802.11 devices to defer their transmissions for the correct duration. The WUR Mark 218 of duration 4 micro-seconds modulated in Binary Phase Shift Keying (BPSK) is transmitted right after the L-SIG 216 to prevent 802.11n devices from wrongly decoding the WUR PPDU 200 as being an 802.11n packet.

The WUP Payload 220 carries the actual wake-up signal and comprises a wake-up preamble 222 and a WUR frame 230. The wake-up preamble 222 is used for automatic gain control (AGC), timing synchronization, packet detection etc., while the WUR frame 230 carries the control information. The WUR frame 230 may also be known as a WUR MAC Protocol Data Unit (MPDU) and may be further composed of various sub-fields such as a MAC header 240, a Frame check sequence (FCS) 252 as well as the optional Frame body 250. The MAC header 240 may be further comprised of a Frame control field 242 that specifies the frame Type, frame length etc., and an Address field 244 that may carry either one of the Transmitter Address, Receiver address or both. Other control information may be carried in the TD Control field 246 depending on the frame Type. For example in WUR beacon frames, the TD Control field 246 may carry a timestamp field, while in unicast WUR frames, the TD Control field 246 may carry a packet number etc.

Figure 3 depicts a frame transmission sequence 300 that illustrates an example replay attack launched by an attacker in the wireless network 100 in Figure 1. The attacker may be the STA 120 in Figure 1, while the AP and the STA may be the AP 110 and STA 130 in Figure 1 respectively. STA 130 may have undergone WUR mode negotiation with AP 110 and may be operating in WUR mode with only its WURx 134 in operation while its PCR 132 is turned off. The attacker STA 120 on the other hand has both its WURx 124 as well as PCR 122 turned on and may be monitoring the traffic between AP 110 and STA 130. When the AP 110 gets data from the upper layer protocol destined for STA 130, it saves the data frame in buffer and transmits a WUR PPDU 310 to wake STA 130. Upon receiving the WUR PPDU 310, STA 130 verifies that the PPDU is addressed to it and proceeds to turn on its PCR 132 and transmit a PS-Poll frame 312 to the AP 110. In the meanwhile, the WURx 124 of attacker 120 also receives the WUR PPDU 310 and saves it in memory for future use. The AP 110 responds to the PS-Poll frame 312 by transmitting the buffered data frame 314 to STA 130. STA 130 confirms the receipt of the data frame 314 by sending the acknowledgement (ACK) frame 316 to the AP 110 and may proceed to WUR mode by turning off its PCR radio 132. At a later point in time, the attacker STA 120 may use the captured WUR PPDU 310 to launch a replay attack on STA 130 by retransmitting the WUR PPDU 310 to it, causing it to transition to PCR mode. Since the WUR PPDU 320 is a replay of a valid WUR PPDU transmitted by AP 110 in the past, it appears to be a valid WUR PPDU to STA 130 and it may proceed to transmit another PS-Poll frame 322 and may wait for AP 110 to send a data frame to it. Eventually, when STA 130 does not receive any frames from the AP, it may time out of the PCR mode and go back to WUR mode, however it would already have lost some power unnecessarily transitioning to PCR mode. If no measures are implemented to mitigate such attacks, the attacker STA 120 may repeat the replay attack until STA 130 completely runs out of battery.

Several exemplary embodiments are described in detail in later sections to describe the disclosure in detail. The various embodiments for mitigating malicious false wake up attacks as per the present disclosure are described in detail in the following sections.

<First Embodiment>

Figure 4 depicts the frame exchange sequence 400 used by a WUR STA to negotiate the parameters used during WUR mode with its AP. The frame exchange 400 needs to be completed before a WUR STA enters the WUR mode for the first time. It may also be used subsequently to change parameters related to WUR mode and also to enter or exit the WUR mode. WUR Action frame 500 in Figure 5 may be used for the WUR mode negotiations. A WUR STA initiates the WUR mode negotiation by transmitting a WUR Mode Request frame 410, which may be a variant of the WUR Action frame 500 with the WUR Mode Request/Response field 512 in the WUR Mode element 510 set to WUR Mode Request. Alternatively, the WUR Mode Request indication may also be carried within the WUR Action field 502. In either case, a WUR Mode Request frame refers to a WUR Action frame that carries an indication for WUR Mode request. Although not shown in Figure 5, the WUR mode element may also carry other parameters related to WUR mode operation such as duty cycle parameters etc. As per the first embodiment, the WUR mode element also contains a Security field 514 that may be set to 1 by a WUR STA to request the AP to enable secure transmission mode for future transmissions of WUR PPDUs. Secure WUR transmission may be requested by WUR STAs right from the beginning or it may only be requested when a WUR STA detects that it is under attack. Although it may not be possible for a WUR STA to detect an attack just from one or two false wake ups, if the STA keeps getting woken up without receiving any follow up downlink frames from the AP for more than a certain threshold value, for example 5 times, the STA may consider itself under attack and request for security to be enabled. Upon receiving the WUR Mode request frame 410, the AP responds with the WUR mode response frame 420, which is another variant of the WUR Action frame 500 in Figure 5 with the WUR Mode Request/Response field 512 in the WUR Mode element 510 set to WUR Mode Response. Alternatively, the WUR mode response indication may also be carried within the WUR Action field 502. In either case, a WUR Mode Response frame refers to a WUR Action frame that carries an indication for WUR Mode response. Aside from the parameters necessary for the WUR STA’s WUR mode operation, if the WUR STA had requested security to be enabled for WUR transmissions, the AP also includes the WUR Security element 520 in Figure 5 in the WUR mode response frame 420 carrying the parameters required for secure WUR communication. Once the security parameters have been notified, the AP will use the secure WUR PPDU 430 when it needs to wake the WUR STA.
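
The false wake-up heuristic described above can be sketched as a small state machine. This is an added example, not code from the application: the event names (`wake`, `downlink`, `timeout`), the class and the sample trace are assumptions made for illustration, and "more than 5 times" is read as six consecutive false wake-ups.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# "for example 5 times" in the text; treated here as a tunable threshold.
FALSE_WAKE_THRESHOLD = 5


@dataclass
class FalseWakeMonitor:
    """Counts wake-ups that were never followed by a downlink frame from the AP."""
    threshold: int = FALSE_WAKE_THRESHOLD
    consecutive_false_wakes: int = 0
    awaiting_downlink: bool = False
    security_requested: bool = False

    def on_event(self, event: str) -> bool:
        """Feed one event; return True when security should be requested now."""
        if event == "wake":
            # The WURx accepted a wake-up frame and the PCR was turned on.
            self.awaiting_downlink = True
        elif event == "downlink" and self.awaiting_downlink:
            # The AP really had traffic, so the wake-up was genuine.
            self.awaiting_downlink = False
            self.consecutive_false_wakes = 0
        elif event == "timeout" and self.awaiting_downlink:
            # PCR mode timed out with nothing from the AP: a false wake-up.
            self.awaiting_downlink = False
            self.consecutive_false_wakes += 1
            if (self.consecutive_false_wakes > self.threshold
                    and not self.security_requested):
                # Here the STA would send a WUR Mode Request with Security = 1.
                self.security_requested = True
                return True
        return False


def first_security_request(events: Iterable[str],
                           threshold: int = FALSE_WAKE_THRESHOLD) -> Optional[int]:
    """Index of the event at which the STA decides it is under attack, or None."""
    monitor = FalseWakeMonitor(threshold=threshold)
    for index, event in enumerate(events):
        if monitor.on_event(event):
            return index
    return None


# Constructed event trace: genuine traffic, one stray false wake, then a burst.
SAMPLE_EVENTS = (["wake", "downlink", "wake", "timeout", "wake", "downlink"]
                 + ["wake", "timeout"] * 6)

if __name__ == "__main__":
    print(first_security_request(SAMPLE_EVENTS))
```

Counting only consecutive false wake-ups means an occasional lost downlink frame does not trigger a security request, while a sustained burst does.
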

The WUR security element 520 in Figure 5 carries the WUR Security Parameters 530 that contains the information regarding the secret keys to be used by a WUR STA to receive secure WUR PPDUs. Since a WUR STA is also an IEEE 802.11 device, it makes sense that the STA reuses the existing 802.11 security framework as much as possible. Robust security network association (RSNA) is the default security protocol used by IEEE 802.11 devices. Although within RSNA there are several security algorithms such as counter mode with cipher-block chaining message authentication code protocol (CCMP), Galois/counter mode (GCM) protocol (GCMP), broadcast/multicast integrity protocol (BIP) etc., as well as several hash algorithms, the secret Keys that these algorithms use may be broadly classified as either Pairwise Key or Group Key. Pairwise Keys are used for unicast communication between a pair of devices, while Group Keys are used for broadcast or multicast communication. The Pairwise Cipher Suite field 540 indicates the Cipher suite to be used for unicast WUR PPDUs and is identified by the organizationally unique identifier (OUI) field 542 and the Suite Type field 544. The pairwise Key ID field 545 indicates the identifier of the Pairwise Key to be used for WUR PPDUs if more than one Pairwise Key has been negotiated between the AP and the WUR STA. The Group Key count 548 indicates the number of Group Keys included in the element. If the same Group Key is to be used for all WUR broadcast and multicast PPDUs, only one Group Key is required, however if the AP decides to use different Group Keys for broadcast and multicast WUR PPDUs, two or more Group Keys may be included in the element. The Group Key Data field 550 is variable in length, and includes the information regarding the Group Keys. For each included Group Key, the Group Cipher Suite field 550 indicates the Cipher suite to be used for broadcast or multicast WUR PPDUs and is identified by the organizationally unique identifier (OUI) field 552 and the Suite Type field 554. The Group Key Info field 560 identifies a Group Key as well as its use. The Key ID field 562 indicates the identifier of the Group key to be used for WUR PPDUs if more than one Key has been negotiated between the AP and the WUR STA; the GTK/IGTK field 564 indicates whether the Group Key is Group Temporal Key (GTK) or Integrity Group Temporal Key (IGTK) and the B’cast/M’cast field 566 indicates whether the Group Key is to be used for broadcast or multicast WUR PPDUs. The Group ID field 568 may be used to specify a particular multicast group with which the Group Key is associated and this field is set only if the B’cast/M’cast field 566 is set as multicast. The Key Len field 570 indicates the length of the Wrapped Key field 580 and may be set to 0 if the Wrapped Key field 580 is not included in the element. When the Key ID field indicates that the Group Key to be used for WUR PPDUs is the same as that negotiated for use in PCR, the Wrapped Key field 580 is omitted, else the Wrapped Key field 580 contains the encrypted GTK or IGTK Key to be used for WUR PPDUs.

Figure 6 depicts the WUR mode negotiation process 600 in which the AP and WUR STA negotiate separate secret Keys to be used exclusively for WUR PPDUs. Even though it would be possible to reuse the same secret Keys for WUR PPDUs as the ones used for PCR communications, if the WUR STA has the capability, the AP may also initiate a separate 4 way handshake process 620 with the WUR STA to obtain the PTK and GTK/IGTK to be used exclusively for WUR PPDUs. Since the PCR mode of operation and the WUR mode of operation are very distinct from each other and a STA may only operate in either one mode at a time, generating separate secret keys to be used exclusively for WUR PPDUs may be beneficial as the security risks are isolated to each mode of operation and the risk of a cryptographic salt being repeated for a secret key is minimized. In addition, renegotiation of the Group Keys used for PCR need not affect the Group Keys used for WUR PPDUs. Upon receiving the WUR Mode Request frame 410 from a STA requesting security to be enabled for WUR PPDUs in a WUR Mode Request procedure 610, the AP may choose to initiate the 4 way handshake 620 to derive separate secret Keys used to encode/decode WUR PPDUs. The 4 way handshake 620, shown within the dotted box, is the same as used in RSNA when a STA associates with the AP to negotiate the Pairwise Transient Key (PTK) and Group Keys (GTK and IGTK) to be used for secure sessions except that the secret Keys are meant to be used exclusively for WUR PPDUs and hence the secret Keys may be referred to as W-PTK, W-GTK and W-IGTK to differentiate them from the secret Keys used during PCR communications. The AP concludes the WUR mode negotiation by transmitting the WUR Mode Response frame 420 which carries the rest of the parameters necessary for the WUR STA to enter WUR mode in a WUR Mode Response procedure 630. In this case the WUR Mode Response frame 420 does not include the Wrapped Key field 580 shown in Figure 5. However the AP may choose to transmit unsolicited WUR Mode Response frame 500 in Figure 5 that includes the Wrapped Key field 580 to the WUR STA at a future time to update the Group Keys in the event that the Group Keys may have changed while the WUR STA was in WUR mode.

Figure 7 is the table 700 of the OUI and Suite Type encoding used in the WUR Security element and is used to identify the security algorithm used for secure WUR PPDUs. The AP may choose the appropriate algorithm to use based on factors such as STA’s capabilities. For example, for very resource limited WUR STAs, AP may choose simple hash functions such as SHA1-128 or SHA-256, while for WUR STAs with higher processing power, the AP may choose the CCMP-128 Cipher suite. If the AP indicates “Use group cipher suite” for pairwise cipher suite, PTK is not used for WUR PPDUs and only Group Keys are used. Although the use of pairwise cipher suite is recommended for unicast WUR PPDUs, under certain circumstance the AP may also decide to use Group cipher suite for all WUR PPDUs.

Figure 8 illustrates a secure WUR frame 800 that carries a cryptographically encoded MIC field 816 which helps the intended receiver WUR STA to categorically authenticate the transmitter of the frame. In order to differentiate secure WUR frames from unsecure WUR frames, the AP sets the Security bit 814 within the Frame Control field 812 to 1. The Security bit 814 alerts the receiving WUR STA of the presence of the MIC field 816 within the WUR frame. As mentioned earlier, due to the comparatively simple signals used for transmissions of WUR PPDUs, it is not very difficult for an attacker to replay an earlier WUR PPDU, or even generate a forged WUR frame with the malicious intention of causing a WUR STA to waste battery power by forcing the STA to wake up unnecessarily. Such attempts may be thwarted if the WUR frame contains some field that can only be generated by a trusted transmitter using a shared secret Key and which can be verified by the intended WUR STA using the same secret Key. Such fields are generally known as Message Authentication Codes (MAC) or Message Integrity Codes (MIC). The AP may use popular cryptographic hash functions that are also commonly used in IEEE 802.11 devices such as SHA-1-128, SHA-256, SHA-384 or MD5 etc. to generate the MIC field 816, or the AP may also choose to generate the MIC field 816 using block cipher algorithm such as Cipher Block Chaining Message Authentication Codes (CBC-MAC) which in turn may be based on Advanced Encryption Standard (AES) such as AES-128-CMAC or AES-256-CMAC. The AP’s choice of the cryptographic algorithm to use to generate the MIC field 816 may be based on factors such as STA’s capabilities, for example for very resource limited WUR STAs, AP may choose simple hash functions such as SHA1-128 or SHA-256, while for WUR STAs with higher processing power, the AP may choose the CCMP-128 which is based on AES. A key assumption in using MAC or MIC to provide security is the fact that an attacker that does not possess the secret Key is not able to generate the same MIC or it is too computationally expensive to reverse engineer the secret key based on the MIC. However, it is still possible for an attacker to sniff a genuine secure WUR PPDU and use it at a future time to launch a replay attack. To prevent such replay attacks, the transmitter must ensure that each MIC computation uses a unique input (or a random number) that is different for each secure WUR PPDU for a particular secret Key. Such unique inputs are generally known as “salt” or “nonce”.
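
The keyed MIC with a per-frame salt described above, shown from both the transmitter and the receiver side. This is an added example, not code from the application: it assumes HMAC-SHA-256 as the keyed hash, a MIC truncated to 4 bytes, a 16-bit counter as the salt, a Security bit at 0x08 and a receiver that remembers the highest salt it has accepted. The key and addresses are constructed sample values.

```python
import hashlib
import hmac
import struct

# Assumptions of this example (not values from the page):
MIC_LEN = 4          # bytes of truncated MIC that replace the Address field
SECURITY_BIT = 0x08  # position of the Security bit inside Frame Control
FRAME_LEN = 1 + MIC_LEN + 2  # Frame Control | MIC | 16-bit salt; FCS omitted

# Constructed sample key and addresses.
KEY = bytes(range(16))
AP_ADDR = bytes.fromhex("02aabbccdd01")
STA_ADDR = bytes.fromhex("02aabbccdd02")
OTHER_STA = bytes.fromhex("02aabbccdd03")


def compute_mic(key: bytes, ta: bytes, ra: bytes, salt: int) -> bytes:
    """MIC over the address information plus the per-frame salt."""
    message = ta + ra + struct.pack(">H", salt)
    return hmac.new(key, message, hashlib.sha256).digest()[:MIC_LEN]


def build_secure_frame(key: bytes, ta: bytes, ra: bytes, salt: int,
                       frame_type: int = 0x01) -> bytes:
    """Transmitter side: the Address field is replaced by the MIC."""
    frame_control = frame_type | SECURITY_BIT
    return (bytes([frame_control]) + compute_mic(key, ta, ra, salt)
            + struct.pack(">H", salt))


class WurReceiver:
    """Receiver side: recompute the MIC, then require a salt not seen before."""

    def __init__(self, key: bytes, own_addr: bytes, ap_addr: bytes):
        self.key, self.own_addr, self.ap_addr = key, own_addr, ap_addr
        # Highest salt accepted under this key. A 16-bit counter wraps after
        # 65,536 frames, so the key has to be replaced before that happens.
        self.last_salt = -1

    def accept(self, frame: bytes) -> str:
        if len(frame) != FRAME_LEN:
            return "malformed"
        if not frame[0] & SECURITY_BIT:
            return "unsecured"  # security was negotiated, so do not wake
        mic = frame[1:1 + MIC_LEN]
        (salt,) = struct.unpack(">H", frame[1 + MIC_LEN:])
        expected = compute_mic(self.key, self.ap_addr, self.own_addr, salt)
        # Check the MIC first so a forged salt cannot advance receiver state.
        if not hmac.compare_digest(mic, expected):
            return "bad-mic"
        if salt <= self.last_salt:
            return "replay"
        self.last_salt = salt
        return "wake"


def demo() -> list:
    """Genuine frame, its replay, two frames that fail the MIC, next genuine frame."""
    rx = WurReceiver(KEY, STA_ADDR, AP_ADDR)
    genuine = build_secure_frame(KEY, AP_ADDR, STA_ADDR, salt=1)
    stale_mic = genuine[:-2] + struct.pack(">H", 2)   # old MIC, newer salt
    not_for_us = build_secure_frame(KEY, AP_ADDR, OTHER_STA, salt=3)
    following = build_secure_frame(KEY, AP_ADDR, STA_ADDR, salt=2)
    frames = (genuine, genuine, stale_mic, not_for_us, following)
    return [rx.accept(frame) for frame in frames]


if __name__ == "__main__":
    print(demo())
```

The MIC alone does not stop a replay, since the replayed frame still verifies; the rejection comes from the receiver refusing a salt it has already accepted under the same key.
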

Several types of WUR frames are being considered in the IEEE 802.11ba Taskgroup and even though the format of the frames may be similar, as shown in the generic WUR frame 230 in Figure 2, the content of the frame fields may differ slightly depending on frame type. WUR frames that are addressed to a single WUR STA may be known as unicast WUR frames, WUR frames that are addressed to a group of WUR STAs may be known as multicast WUR frames while WUR frames that are addressed to all the WUR STAs associated with an AP may be known as broadcast WUR frames. A unicast WUR frame may contain both the Receiver Address (RA) as well as Transmitter Address (TA) within the Address field 244, and the TD control field 246 may contain a timestamp field or a packet number, while the Frame body 250 field may be absent. Similarly a broadcast WUR frame such as WUR Beacon, that is purely used for time synchronization (i.e. not used to wake WUR STAs) may only contain a Transmitter Address (TA) within the Address field 244, and the TD control field 246 may contain a timestamp field used for time synchronization and the Frame body 250 may be absent. A multicast WUR frame on the other hand may contain the Transmitter Address in the Address field 244, a timestamp or packet number in the TD control field, while the Frame body field 250 may contain a list of the WUR STAs that are targeted for waking by the multicast frame.

Referring again to Figure 8, if a WUR frame contains a unique number that is different for each WUR frame, for example a Partial-TSF (P-TSF) field 818, this may be used as a salt for the cryptographic function. The P-TSF field may represent some selected bits of the Time Synchronization Function (TSF) maintained by the AP. If the WUR frame is a unicast frame, the AP uses its secret Key, for example the Temporal Key (TK) portion of the pairwise secret Key PTK or W-PTK, the Transmitter Address (TA) and the Receiver Address (RA), as well as the P-TSF field as input to the cryptographic algorithm to obtain a MIC. Usually, the output o