1 security in 802.16d and 802.16e advisor: dr. kai-wei ke speaker: yen-jen chen date: 03/04/2008
Post on 22-Dec-2015
216 views
TRANSCRIPT
1
Security in 802.16d and 802.16e
Advisor: Dr. Kai-Wei KeSpeaker: Yen-Jen ChenDate: 03/04/2008
2
Outline
Overview of 802.16d Security Security Architecture in the
802.16e Authentication in the 802.16e Key hierarchy in the 802.16e Conclusion References
3
Overview of 802.16d Security
4
MAC Privacy Sub-layer● Provides secure
communication Data encrypted with cipher
clock chaining mode of DES
● Prevents theft of service SSs authenticated by BS using
key management protocol
5
IEEE 802.16 Security Architecture
6
X.509 certificate
7
Security Association Data SA
16-bit SA identifier Cipher to protect
data: DES-CBC 2 TEK TEK key identifier (2-
bit) TEK lifetime 64-bit IV
Authorization SA X.509 certificate SS 160-bit authorization key (AK) 4-bit AK identification tag Lifetime of AK KEK for distribution of TEK
= Truncate-128(SHA1(((AK| 044) xor 5364)
Downlink HMAC key = SHA1((AK|044) xor 3A64)
Uplink HMAC key= SHA1((AK|044) xor 5C64)
A list of authorized data SAs
8
Security Association BS use the X.509 certificate from SS to
authenticate. No BS authentication Negotiate security capabilities between
BS and SS Authentication Key (AK)
exchange AK serves as authorization token AK is encrypted using public key
cryptography Authentication is done when both SS
and BS possess AK
9
IEEE 802.16 Security Process
10
Authentication
Key lifetime: 1 to 70 days , usually 7days
11
Data Key Exchange
12
Data Encryption
13
Key Derivation
KEK = Truncate-128(SHA1(((AK| 044) xor 5364)Downlink HMAC key = SHA1((AK|044) xor 3A64)Uplink HMAC key = SHA1((AK|044) xor 5C64)
14
IEEE 802.16d Security Flaws Lack of Explicit Definitions Lack of the mutual authentication Limited authentication method–
SS certification Authentication Key (AK)
generation
15
Security Architecture in the 802.16e
16
Simple 802.16e Network topology
Mobile Station (MS)
AuthenticatorIP
CloudAuthentication
Server
EAP
WiMAX Link Layer
EAP
AAA-RADIUS
17
802.16e network reference model
18
The reference model of ASN
19
802.16e Network topology
20
Security Architecture Encapsulation protocol
A set of cryptographic suites The rules for applying those algorithm
Key management protocol PKM for distributing key data
AK 160 bits share key for ss and bs TEK 128bits PKM exchange key
Authentication (PKMv2 protocol) To get AK (Authorization key) RSA authentication EAP authentication
21
Security Architecture (Cont.)
22
Authentication in the 802.16e
23
RSA authentication protocol
802.16d uses this one BS uses the PKI mechanism to
verify the Certificate BS uses the CTL (Certificate trust
list)
24
RSA authentication protocol (Cont.)
25
EAP authentication protocol
EAP is a authentication framework not a specially authentication mechanism
the four methods in 802.16e RSA based authentication One level EAP based authentication Two level EAP based authentication RSA based authentication followed by
EAP authentication
26
EAP authentication protocol
27
EAP authentication protocol
28
EAP authentication protocol
RSA based authentication Use the PKMv2 RSA-Request 、 PKMv2 RSA-Repl
y 、 PKMv2 RSA-Reject 、 PKMv2 RSA-acknowledgement messages to get pre-PAK
Using the public key of SS to encrypt the pre-PAK and send back to SS
pre-PAK generates the PAK (Primary Authorization key) and EIK(EAP integrity Key)
PAK generates the AK
29
EAP authentication protocol (Cont.)
RSA based authentication EIK|PAK <= Dot16KDF (pre-PAK,SS MAC address |
BSID | ”EIK+PAK” , 320) AK<= Dot16KDF (PAK,SS MAC address | BSID | PA
K|”AK” , 160)
30
EAP authentication protocol (Cont.) One level EAP based
authentication Using the authentication exchange message
to get MSK (Master session key) PMK<= truncate(MSK,160) AK<=Dot16KDF(PMK,SS MAC Address | BSID
| “AK”,160)
31
EAP authentication protocol (Cont.)
Two level EAP based authentication SS sent the PKEv2 EAP Start to BS The first EAP negotiation will begin between BS and
SS included the message of PKMv2 Transfer2(MSK) After that BS will send the EAP-Success or EAP-
failure. If BS sent the EAP-Success then BS will send the
PKMv2_EAP_Complete encrypted by EIK immediate If SS gets the EIK and PMK successful then SS can
verify the message Otherwise the SS might get the EAP-failure or get no
respond to show that BS is failure to authentication
32
EAP authentication protocol (Cont.)
Two level EAP based authentication After SS finished the first EAP negotiation successful ,the
SS will send “PKMv2 Authenticated EAP Start” to start the second EAP negotiation
When BS got this message, BS will check the message by EIK.
If BS check ok then BS will start the second EAP negotiation, otherwise BS will think the Authenticated failure.
The related messages of PKM is protected by EIK in the second EAP negotiation
If BS and SS competed second EAP negotiation, then BS and SS can get the AK form PMK( pairwise authorization key) and PMK2
33
EAP authentication protocol (Cont.)
Two level EAP based authentication EIK|PMK <= truncate (MSK,320) PMK2 <= truncate(MSK,160) AK <= Dot 16KDF(PMK + PMK2, SS MAC
Address| BSID|” AK” , 160)
34
EAP authentication protocol (Cont.) RSA based authentication followed by
EAP authentication First execute RSA-based authorization and execute the se
cond round of Double EAP mode EIK|PAK <= Dot16KDF(pre-PAK, SS MAC Address | BSID | “
EIK+PAK”,320) AK <= Dot16KDF(PAK⊕PMK, SS MAC Address| BSID |PAK
“AK” 160)
35
Key hierarchy in the 802.16e
36
Key hierarchy in the 802.16e
AK (Authorization Key)
KEK (Key Encryption Key) KEK is generated by AK Using it to encrypt the TEK or GKEK etc
37
Key hierarchy in the 802.16e
GKEK (group KEK) One GSA has one GKEK GKEK is generated by random number
of BS BS uses the KEK to encrypt GKEK and
send to SS GKEK encrypted the GTEK when GTEK
updated and send it to all SS in the group
38
Key hierarchy in the 802.16e
TEK (Traffic Encryption Key) TEK is generated by random number
of BS BS use the KEK to encrypt the TEK
and send to SS TEK is used to encrypt the message
or data between BS and SS
39
Key hierarchy in the 802.16e GTEK (Group TEK)
TEK is generated by random number of BS or some nodes in the group
GTEK is used to encrypt the broadcast messages
Using the KEK as the encryption key When request the GTEK
Using the GKEK as the encryption key When update the GTEK
40
Key hierarchy in the 802.16e
MTK (MBS traffic Key) It comes from MAK(MBS AK) but do
not have any generate method in 802.16e
MTK = Dot16KDF (MAK,MGTEK|”MTK”,128)
41
Key hierarchy in the 802.16e
HMAC (HMAC Digests) Using the AK as the material HMAC_KEY_U | HMAC_KEY_D | KEK
<=Dot16KDF(AK, SS MAC Address | BSID | “HMAC_KEYS+KEK”,448)
HMAC_KEY_GD <= Dot16KDF (GKEK,”GROUP HMAC KEY”,160)
42
Key hierarchy in the 802.16e
HMAC (HMAC Digests) Using the EIK as the material HMAC_KEY_U | HMAC_KEY_D | KEK
<=Dot16KDF(EIK, SS MAC Address | BSID | “HMAC_KEYS+KEK”,320)
43
Key hierarchy in the 802.16e
CMAC (Cipher-based MAC) Using the AK as the material CMAC_KEY_U | CMAC_KEY_D | KEK
<=Dot16KDF(AK, SS MAC Address | BSID | “CMAC_KEYS+KEK”,384)
CMAC_KEY_GD <= Dot16KDF (GKEK,”GROUP CMAC KEY”,128)
44
Key hierarchy in the 802.16e
CMAC (Cipher-based MAC) Using the EIK as the material CMAC_KEY_U | CMAC_KEY_D |
KEK<=Dot16KDF(EIK, SS MAC Address | BSID | “CMAC_KEYS + KEK” , 256)
45
Key hierarchy in the 802.16e
46
Key hierarchy in the 802.16e
47
Conclusion
48
WiMAX PKM ProtocolSS BS
認證資訊 (authentication information)
X.509 certificate授權請求 (authorization request)X.509 certificate, capability, Basic CID
1.確認 SS身分2.產生 AK, 並用憑證中的 public key將之加密
授權答覆 (authorization reply)encrypted AK, SAIDs, SQNAK,…
AK exchange
密鑰請求 (key request)SAID, HMAC-Digest,…
密鑰答覆 (key reply)encrypted TEK, CBC IV,
HMAC-Digest,…
將 AK解開
1.利用 SHA演算法驗證 HMAC-Digest2.產生 TEK3.由 AK產生 KEK用以加密 TEK
1.利用 SHA驗證 HMAC-Digest2.由 AK計算出 KEK以解開 TEK
資料交換 (利用 TEK加密 )
TEK exchange(每一個資料傳輸連線都必須先做此動
作 )
HMAC-Digest:用以驗證資料的完整性
49
WiMAX PKMv2 Protocol
50
Conclusion Authentication & Authorization more rob
ust Using the bidirectional Authentication to avoid t
he rude base station and support the different Authentication policy 。
Data Privacy 802.16e add more encryption algorithm (Advanc
ed Encryption Standard, AES) to enhance the security
Key’s generation Using the robust solution to generate the AK
51
References IEEE Std 802.16-2001 standard for the local and
metropolitan Area Networks,part 16 “ZAir interface for Fixed BroadBand Wireless Access Systems,” IEEE Press , 2001
IEEE Std 802.16-2004(Revision of IEEE Std 802.16-2001) Johnson, David and Walker, Jesse of Intel (2004), “Overview of IE
EE 802.16 Security” ,published by the IEEE computer society http://www.seas.gwu.edu/~cheng/388/LecNotes2006/ IEEE Std 802.16e WiMAX 安全問題之研究 IEEE 802.16e-2005 WiMAX 安全子層初探
52
Public Key Infrastructure (PKI)
It is a security mechanism which uses the public and private keys
The five components of PKI Security Policy Certificate Authority ; CA Registration Authority ; RA Certificate Revocation List ; CRL Directory Service; DS
53
Public Key Infrastructure (Cont.)
Send the request to RA / cancel the request of
certification
DS
CA
Publish the certification / Certificate Revocation List
RA
Check the certification/Certificate Revocation List
Security channelUsual channel
applicant
54
Public Key Infrastructure (Cont.)
Signal root CA CA
A B
55
Public Key Infrastructure (Cont.)
Simple Trust List
The CA of A
Tom John
The CA of B
Cherry Chris
B
D
……
John’s Trust List
56
Dot16KDF algorithm
CRT (counter mode encryption) uses the input material to generate the designed length key
input material (key,astring,keylength) Output key length is keylength*2
57
Dot16KDF algorithm (Cont.)
CMAC Kin = Truncate (key,128) get the leftmo
st 128 bits of key as the Kin Output key = (CMAC(Kin,0| astring | keyle
ngth) || CMAC(Kin,1| astring | keylength) || CMAC(Kin,2| astring | keylength) …………)
58
Dot16KDF algorithm (Cont.)
HMAC Kin = Truncate (key,160) get the leftmo
st 160 bits of key as the Kin Output key = SHA-1(Kin , i | astring | keyle
ngth)