1 security in 802.16d and 802.16e advisor: dr. kai-wei ke speaker: yen-jen chen date: 03/04/2008

1

Security in 802.16d and 802.16e

Advisor: Dr. Kai-Wei KeSpeaker: Yen-Jen ChenDate: 03/04/2008

2

Outline

Overview of 802.16d Security Security Architecture in the

802.16e Authentication in the 802.16e Key hierarchy in the 802.16e Conclusion References

3

Overview of 802.16d Security

4

MAC Privacy Sub-layer● Provides secure

communication Data encrypted with cipher

clock chaining mode of DES

● Prevents theft of service SSs authenticated by BS using

key management protocol

5

IEEE 802.16 Security Architecture

6

X.509 certificate

7

Security Association Data SA

16-bit SA identifier Cipher to protect

data: DES-CBC 2 TEK TEK key identifier (2-

bit) TEK lifetime 64-bit IV

Authorization SA X.509 certificate SS 160-bit authorization key (AK) 4-bit AK identification tag Lifetime of AK KEK for distribution of TEK

= Truncate-128(SHA1(((AK| 044) xor 5364)

Downlink HMAC key = SHA1((AK|044) xor 3A64)

Uplink HMAC key= SHA1((AK|044) xor 5C64)

A list of authorized data SAs

8

Security Association BS use the X.509 certificate from SS to

authenticate. No BS authentication Negotiate security capabilities between

BS and SS Authentication Key (AK)

exchange AK serves as authorization token AK is encrypted using public key

cryptography Authentication is done when both SS

and BS possess AK

9

IEEE 802.16 Security Process

10

Authentication

Key lifetime: 1 to 70 days , usually 7days

11

Data Key Exchange

12

Data Encryption

13

Key Derivation

KEK = Truncate-128(SHA1(((AK| 044) xor 5364)Downlink HMAC key = SHA1((AK|044) xor 3A64)Uplink HMAC key = SHA1((AK|044) xor 5C64)

14

IEEE 802.16d Security Flaws Lack of Explicit Definitions Lack of the mutual authentication Limited authentication method–

SS certification Authentication Key (AK)

generation

15

Security Architecture in the 802.16e

16

Simple 802.16e Network topology

Mobile Station (MS)

AuthenticatorIP

CloudAuthentication

Server

EAP

WiMAX Link Layer

EAP

AAA-RADIUS

17

802.16e network reference model

18

The reference model of ASN

19

802.16e Network topology

20

Security Architecture Encapsulation protocol

A set of cryptographic suites The rules for applying those algorithm

Key management protocol PKM for distributing key data

AK 160 bits share key for ss and bs TEK 128bits PKM exchange key

Authentication (PKMv2 protocol) To get AK (Authorization key) RSA authentication EAP authentication

21

Security Architecture (Cont.)

22

Authentication in the 802.16e

23

RSA authentication protocol

802.16d uses this one BS uses the PKI mechanism to

verify the Certificate BS uses the CTL (Certificate trust

list)

24

RSA authentication protocol (Cont.)

25

EAP authentication protocol

EAP is a authentication framework not a specially authentication mechanism

the four methods in 802.16e RSA based authentication One level EAP based authentication Two level EAP based authentication RSA based authentication followed by

EAP authentication

26


27


28


RSA based authentication Use the PKMv2 RSA-Request 、 PKMv2 RSA-Repl

y 、 PKMv2 RSA-Reject 、 PKMv2 RSA-acknowledgement messages to get pre-PAK

Using the public key of SS to encrypt the pre-PAK and send back to SS

pre-PAK generates the PAK (Primary Authorization key) and EIK(EAP integrity Key)

PAK generates the AK

30

EAP authentication protocol (Cont.) One level EAP based

authentication Using the authentication exchange message

to get MSK (Master session key) PMK<= truncate(MSK,160) AK<=Dot16KDF(PMK,SS MAC Address | BSID

| “AK”,160)

31


Two level EAP based authentication SS sent the PKEv2 EAP Start to BS The first EAP negotiation will begin between BS and

SS included the message of PKMv2 Transfer2(MSK) After that BS will send the EAP-Success or EAP-

failure. If BS sent the EAP-Success then BS will send the

PKMv2_EAP_Complete encrypted by EIK immediate If SS gets the EIK and PMK successful then SS can

verify the message Otherwise the SS might get the EAP-failure or get no

respond to show that BS is failure to authentication

32


Two level EAP based authentication After SS finished the first EAP negotiation successful ,the

SS will send “PKMv2 Authenticated EAP Start” to start the second EAP negotiation

When BS got this message, BS will check the message by EIK.

If BS check ok then BS will start the second EAP negotiation, otherwise BS will think the Authenticated failure.

The related messages of PKM is protected by EIK in the second EAP negotiation

If BS and SS competed second EAP negotiation, then BS and SS can get the AK form PMK( pairwise authorization key) and PMK2

33


Two level EAP based authentication EIK|PMK <= truncate (MSK,320) PMK2 <= truncate(MSK,160) AK <= Dot 16KDF(PMK + PMK2, SS MAC

Address| BSID|” AK” , 160)

34

EAP authentication protocol (Cont.) RSA based authentication followed by

EAP authentication First execute RSA-based authorization and execute the se

cond round of Double EAP mode EIK|PAK <= Dot16KDF(pre-PAK, SS MAC Address | BSID | “

EIK+PAK”,320) AK <= Dot16KDF(PAK⊕PMK, SS MAC Address| BSID |PAK

“AK” 160)

35

Key hierarchy in the 802.16e

36


AK (Authorization Key)

KEK (Key Encryption Key) KEK is generated by AK Using it to encrypt the TEK or GKEK etc

37


GKEK (group KEK) One GSA has one GKEK GKEK is generated by random number

of BS BS uses the KEK to encrypt GKEK and

send to SS GKEK encrypted the GTEK when GTEK

updated and send it to all SS in the group

38


TEK (Traffic Encryption Key) TEK is generated by random number

of BS BS use the KEK to encrypt the TEK

and send to SS TEK is used to encrypt the message

or data between BS and SS

39

Key hierarchy in the 802.16e GTEK (Group TEK)

TEK is generated by random number of BS or some nodes in the group

GTEK is used to encrypt the broadcast messages

Using the KEK as the encryption key When request the GTEK

Using the GKEK as the encryption key When update the GTEK

40


MTK (MBS traffic Key) It comes from MAK(MBS AK) but do

not have any generate method in 802.16e

MTK = Dot16KDF (MAK,MGTEK|”MTK”,128)

41


HMAC (HMAC Digests) Using the AK as the material HMAC_KEY_U | HMAC_KEY_D | KEK

<=Dot16KDF(AK, SS MAC Address | BSID | “HMAC_KEYS+KEK”,448)

HMAC_KEY_GD <= Dot16KDF (GKEK,”GROUP HMAC KEY”,160)

42


HMAC (HMAC Digests) Using the EIK as the material HMAC_KEY_U | HMAC_KEY_D | KEK

<=Dot16KDF(EIK, SS MAC Address | BSID | “HMAC_KEYS+KEK”,320)

43


CMAC (Cipher-based MAC) Using the AK as the material CMAC_KEY_U | CMAC_KEY_D | KEK

<=Dot16KDF(AK, SS MAC Address | BSID | “CMAC_KEYS+KEK”,384)

CMAC_KEY_GD <= Dot16KDF (GKEK,”GROUP CMAC KEY”,128)

44


CMAC (Cipher-based MAC) Using the EIK as the material CMAC_KEY_U | CMAC_KEY_D |

KEK<=Dot16KDF(EIK, SS MAC Address | BSID | “CMAC_KEYS + KEK” , 256)

45


46


47

Conclusion

48

WiMAX PKM ProtocolSS BS

認證資訊 (authentication information)

X.509 certificate授權請求 (authorization request)X.509 certificate, capability, Basic CID

1.確認 SS身分2.產生 AK, 並用憑證中的 public key將之加密

授權答覆 (authorization reply)encrypted AK, SAIDs, SQNAK,…

AK exchange

密鑰請求 (key request)SAID, HMAC-Digest,…

密鑰答覆 (key reply)encrypted TEK, CBC IV,

HMAC-Digest,…

將 AK解開

1.利用 SHA演算法驗證 HMAC-Digest2.產生 TEK3.由 AK產生 KEK用以加密 TEK

1.利用 SHA驗證 HMAC-Digest2.由 AK計算出 KEK以解開 TEK

資料交換 (利用 TEK加密 )

TEK exchange(每一個資料傳輸連線都必須先做此動

作 )

HMAC-Digest：用以驗證資料的完整性

49

WiMAX PKMv2 Protocol

50

Conclusion Authentication & Authorization more rob

ust Using the bidirectional Authentication to avoid t

he rude base station and support the different Authentication policy 。

Data Privacy 802.16e add more encryption algorithm (Advanc

ed Encryption Standard, AES) to enhance the security

Key’s generation Using the robust solution to generate the AK

51

References IEEE Std 802.16-2001 standard for the local and

metropolitan Area Networks,part 16 “ZAir interface for Fixed BroadBand Wireless Access Systems,” IEEE Press , 2001

IEEE Std 802.16-2004(Revision of IEEE Std 802.16-2001) Johnson, David and Walker, Jesse of Intel (2004), “Overview of IE

EE 802.16 Security” ,published by the IEEE computer society http://www.seas.gwu.edu/~cheng/388/LecNotes2006/ IEEE Std 802.16e WiMAX 安全問題之研究 IEEE 802.16e-2005 WiMAX 安全子層初探

52

Public Key Infrastructure (PKI)

It is a security mechanism which uses the public and private keys

The five components of PKI Security Policy Certificate Authority ； CA Registration Authority ； RA Certificate Revocation List ； CRL Directory Service; DS

53

Public Key Infrastructure (Cont.)

Send the request to RA / cancel the request of

certification

DS

CA

Publish the certification / Certificate Revocation List

RA

Check the certification/Certificate Revocation List

Security channelUsual channel

applicant

54


Signal root CA CA

A B

55


Simple Trust List

The CA of A

Tom John

The CA of B

Cherry Chris

B

D

……

John’s Trust List

56

Dot16KDF algorithm

CRT (counter mode encryption) uses the input material to generate the designed length key

input material (key,astring,keylength) Output key length is keylength*2

57

Dot16KDF algorithm (Cont.)

CMAC Kin = Truncate (key,128) get the leftmo

st 128 bits of key as the Kin Output key = (CMAC(Kin,0| astring | keyle

ngth) || CMAC(Kin,1| astring | keylength) || CMAC(Kin,2| astring | keylength) …………)

58

Dot16KDF algorithm (Cont.)

HMAC Kin = Truncate (key,160) get the leftmo

st 160 bits of key as the Kin Output key = SHA-1(Kin , i | astring | keyle

ngth)

1 security in 802.16d and 802.16e advisor: dr. kai-wei ke speaker: yen-jen chen date: 03/04/2008

Documents