
5. Wireless Local Area Networks (IEEE 802.11)

5.3. Physical (PHY) Layer of IEEE 802.11b

5.3.3. Frequency spreading techniques

ETSI and other regulators require the use of spread spectrum technologies when communicating. Spread spectrum technologies generally use a greater range of frequencies than actually needed; this makes the transmission more reliable, because an interferer would have to cover the whole spread signal to interrupt the communication completely.

Two different techniques are described within IEEE 802.11, frequency hopping spread spectrum (FHSS) and direct sequence spread spectrum (DSSS).

Because the second technique allows higher data rates, it is the spreading technique chosen for IEEE 802.11b, allowing data rates up to 11 Mbps. DSSS also allows for an easier roaming mechanism.

This work will therefore mention FHSS only briefly, for completeness and because there have been claims of improved security.

5.3.3.1. FHSS

The allowed frequency band is divided into sending and receiving channels of 1 MHz bandwidth; this yields 79 channels, starting at a centre frequency of 2.402 GHz. Each channel is used for transmission only for a short period of time (every 224 µs), then another channel is used. Which channel is used next is determined by a defined hopping sequence. The hopping sequences are designed to have a minimum distance of 6 MHz for Europe.

If more than one IEEE 802.11 wireless LAN operates in the same location, collisions occur when two senders use the same channel. To allow more than one 802.11 LAN to operate in the same location using FHSS, IEEE 802.11 grouped the hopping patterns into three different sets. Hopping patterns from the same set have hopping sequences designed to interfere as little as possible when used in the same location. A small example analysis of hopping sequences (see Appendix C for details) shows that even if the timing offsets are chosen deliberately, there are still only around 3 collisions. If all stations hopped in a synchronized sequence, no collisions would occur.

Hopping through different channels in a random-looking sequence could be seen as a security feature, and unfortunately has been. Using FHSS, or even DSSS, does not enhance security.

For FHSS, the IEEE 802.11 standard published all the hopping sequences, and IEEE 802.11 requires the beacon⁸ frame to transmit information about the frequency hopping in each beacon signal sent out [26]. This beacon signal is not protected by the privacy protection mechanism (WEP), as WEP can only be applied to data frames and some authentication management frames. The field called “FH Parameter Set” contains the following fields:

“The Hop Set field identifies the current set of hop patterns (…)”.

“The Hop Pattern field identifies the current pattern within a set of hop patterns (…)”.

“The Hop Index field selects the current index within a pattern (…)”. [26, p. 56]

This information is available to potential attackers, so FHSS does not serve as a security mechanism.

Even if this information could not be obtained by an attacker, the hopping sequence can easily be obtained by listening to the different channels and recording the time differences of received beacon signals. Such an attack does not require much time or computing power and can be considered “trivial” [65].

⁸ A regularly transmitted packet, which contains device and control information.

So FHSS is used purely to minimize interference with other transmissions in the 2.4 GHz band and to minimize collisions when operating different IEEE 802.11 conformant systems within the same area.

5.3.3.2. DSSS

Direct sequence spread spectrum (DSSS) is the second spread spectrum technique specified for use with IEEE 802.11 wireless LANs. Because DSSS allows a higher data rate, it is the spreading technique required in IEEE 802.11b. Rather than using a channel hopping sequence as the code to spread the signal, as in FHSS, DSSS systems use a pseudo noise (PN) code to spread the narrowband signal into a broadband signal (Figure 5.12). Because DSSS has no need to wait for channel switches, data can be sent continuously on a broad frequency band encoded with a pseudo noise code, allowing higher data rates. Each of these broadband channels is 22 MHz wide [26], which allows three non-overlapping channels to be placed within the ISM frequency band. The number of channels and the three non-overlapping channels 1, 7 and 13 are shown in Figures 5.6 and 5.7. While spreading the signal, the intensity of the spread signal falls below the noise level, leading to minimal interference.

Figure 5.12. Direct Sequence Spread Spectrum signal [43]

The PN code used for 1 and 2 Mbps transmissions is an 11-chip Barker code; to allow higher data rates, IEEE 802.11b uses complementary code keying (CCK). For an 11 Mbps transmission the complementary code is chosen from a set of 64 different defined complementary codes. These are then modulated using Differential Quadrature Phase Shift Keying (DQPSK).

The different codes are chosen so that the receiver can easily detect which PN code has been used; this allows the receiver to recover 6 bits of the original symbol. To transmit at 11 Mbps, a symbol contains 8 bits: 6 bits are used to choose the complementary code word and the remaining 2 bits control which of the four possible phase shifts is used for the DQPSK modulation.

Again, the spreading of the signal is done to comply with the regulatory environment and to obtain a more robust transmission on a wireless medium that is also used by others.

How the spreading technique of DSSS helps to cope with interference, especially with tone jammers, can be seen in Figure 5.13.

Figure 5.13. Original Signal and Jammer before and after despreading [16]

Because despreading a spread sequence not only restores the original signal but also spreads all noise and tone jammers, the jamming signal can easily be filtered out and the signal can be identified correctly.
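The spreading and despreading just described, as an added example that is not part of the thesis: a bit stream is spread with the 11-chip Barker code of 802.11 DSSS, a constructed single-tone jammer is added chip by chip, and the receiver despreads with the same publicly specified code, which is why any listener, not only the intended receiver, can do this. The jammer amplitude, tone frequency and the simplified one-sample-per-bit narrowband comparison are assumptions made for this illustration.

```python
"""DSSS with the IEEE 802.11 11-chip Barker code: spread, jam, despread.
Added example for this section, not code from the thesis or the standard."""
import math

# 11-chip Barker sequence used by 802.11 DSSS at 1 and 2 Mbps.
BARKER = [+1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1]

def spread(bits):
    """Map each bit to +1/-1 and multiply by the Barker code (1 bit -> 11 chips)."""
    return [(1 if b else -1) * c for b in bits for c in BARKER]

def despread(chips):
    """Correlate each 11-chip block with the public Barker code and decide on the sign."""
    out = []
    for i in range(0, len(chips), len(BARKER)):
        corr = sum(x * c for x, c in zip(chips[i:i + len(BARKER)], BARKER))
        out.append(1 if corr > 0 else 0)
    return out

def tone_jammer(n_samples, amplitude, cycles_per_sample):
    """Constructed single-tone (narrowband) interferer, one sample per chip."""
    return [amplitude * math.cos(2 * math.pi * cycles_per_sample * k) for k in range(n_samples)]

def barker_autocorrelation():
    """Aperiodic autocorrelation of the Barker code: peak 11, sidelobes of magnitude <= 1."""
    n = len(BARKER)
    return [sum(BARKER[k] * BARKER[k + lag] for k in range(n - lag)) for lag in range(n)]

def processing_gain_db():
    """Despreading gain of an 11-chip code: 10*log10(11), about 10.4 dB."""
    return 10 * math.log10(len(BARKER))

def dsss_bit_errors(bits, jam_amplitude, cycles_per_chip=0.25):
    """Spread, add the tone jammer chip by chip, despread; return (recovered bits, errors)."""
    tx = spread(bits)
    rx = [t + j for t, j in zip(tx, tone_jammer(len(tx), jam_amplitude, cycles_per_chip))]
    rec = despread(rx)
    return rec, sum(a != b for a, b in zip(bits, rec))

def narrowband_bit_errors(bits, jam_amplitude, cycles_per_bit=0.25):
    """Same tone amplitude hitting an unspread +1/-1 signal, one sample per bit (simplified)."""
    jam = tone_jammer(len(bits), jam_amplitude, cycles_per_bit)
    rec = [1 if (1 if b else -1) + j > 0 else 0 for b, j in zip(bits, jam)]
    return rec, sum(a != b for a, b in zip(bits, rec))

if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed payload bits
    print("processing gain %.1f dB" % processing_gain_db())
    print("DSSS errors with jammer 2.5x signal:", dsss_bit_errors(data, 2.5)[1])
    print("narrowband errors with same jammer:", narrowband_bit_errors(data, 2.5)[1])
```

With a tone 2.5 times stronger than the signal, the unspread receiver loses bits while the despreading receiver recovers all of them, because the correlation sum adds 11 signal chips coherently while the tone projects onto the code with magnitude at most 3.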

As with FHSS, some vendors still think that using DSSS has a security advantage [18], as the signal can only be decoded correctly if all PN codes that could be used are known. But this would only be the case if the PN codes were secret, and they are not, because otherwise there would be no interoperability between different IEEE 802.11 products. The IEEE 802.11b standard defines which CCK codes to use (Figure 5.14 gives the formula). They are not secret and therefore cannot be regarded as a security feature [17].

Figure 5.14. Formula for the CCK codes for 5.5 Mbps and 11 Mbps [28]

Optionally, the IEEE 802.11b standard allows the use of PBCC (packet binary convolutional coding) instead of CCK for modulation.