overview of ieee 802.16 security advisor: dr. kai-wei ke speaker: yen-jen chen date: 03/26/2007
Post on 22-Dec-2015
215 views
TRANSCRIPT
Overview of IEEE 802.16 Security
Advisor: Dr. Kai-Wei KeSpeaker: Yen-Jen ChenDate: 03/26/2007
Outline
Introduction to IEEE 802.16 IEEE 802.16 Security Architecture IEEE 802.16 Security Issues IEEE 802.16 Security Flaws Conclusion References
Introduction to IEEE 802.16
IEEE 802.16 WiMAX
For the wide area( ranging up to 50 Km) Last mile connectively Provide the higher speed connectively for
the data, voice and video(32-134Mbps) Low cast
IEEE 802.16 WiMAX
IEEE 802.16 WiMAX
IEEE 802.16 WiMAX
Comparing Technologies
802.11WiFi
802.16WiMAX
802.20Mobile-FI
UMTS3G
Bandwidth 11-54 Mbps shared Share up to 70 MbpsUp to 1.5 Mbps
each384 Kbps – 2
Mbps
Range (LOS)Range (NLOS)
100 meters
30 meters
30 – 50 km
2 - 5 km (’07)3 – 8 km
Coverage is overlaid on
wireless infrastructure
Mobility Portable Fixed (Mobile - 16e) Full mobility Full mobility
Frequency/Spectrum
2.4 GHz for 802.11b/g
5.2 GHz for 802.11a
2-11 GHz for 802.16a
11-60 GHz for 802.16<3.5 GHz
Existing wireless spectrum
Standardization 802.11a, b and g standardized
802.16, 802.16a and 802.16 REVd
standardized, other under development
802.20 in development
Part of GSM standard
Backers Industry-wideIntel, Fujitsu, Alcatel, Siemens, BT, AT&T,
Qwest, McCaw
Cisco, Motorola, Qualcom and
Flarion
GSM Wireless Industry
IEEE 802.16 Security Architecture
802.16 MAC Protocol Stack
MAC CS Sub-layer
● CS Layer: Receives data from higher
layers Classifies the packet Forwards frames to CPS
layer
MAC CPS Sub-layer● Performs typical MAC functions such as
addressing Each SS assigned 48-bit MAC address Connection Identifiers used as primary
address after initialization
● MAC policy determined by direction of transmission
Uplink is DAMA-TDM
Downlink is TDM
● Data encapsulated in a common format facilitating interoperability
Fragment or pack frames as needed Changes transparent to receiver
MAC Privacy Sub-layer● Provides secure
communication Data encrypted with cipher
clock chaining mode of DES
● Prevents theft of service SSs authenticated by BS using
key management protocol
IEEE 802.16 Security Architecture
IEEE 802.16 Security Issues
WMAN Threat Model
PHY threats Water torture attack, jammings No protection under 802.16
MAC threats Typical threats of any wireless network
Sniffing, Masquerading, Content modification, Rouge Base Stations, DoS attacks, etc
IEEE 802.16 Security Model
DOCSIS (Data Over Cable Service Interface Specifications)
Assumption : All equipments are controlled by the service provider.
Flaw : May not be suitable for wireless environment. Connection oriented (e.g. basic CID, SAID)
Connection Management connection Transport connection Identified by connection ID (CID)
Security Association (SA) Cryptographic suite (i.e. encryption algorithm) Security info. (i.e. key, IV) Identified by SAID
Security Association Data SA
16-bit SA identifier Cipher to protect
data: DES-CBC 2 TEK TEK key identifier (2-
bit) TEK lifetime 64-bit IV
Authorization SA X.509 certificate SS 160-bit authorization key (AK) 4-bit AK identification tag Lifetime of AK KEK for distribution of TEK
= Truncate-128(SHA1(((AK| 044) xor 5364)
Downlink HMAC key = SHA1((AK|044) xor 3A64)
Uplink HMAC key= SHA1((AK|044) xor 5C64)
A list of authorized data SAs
X.509 certificate
Security Association BS use the X.509 certificate from SS to
authenticate. No BS authentication Negotiate security capabilities between
BS and SS Authentication Key (AK)
exchange AK serves as authorization token AK is encrypted using public key
cryptography Authentication is done when both SS
and BS possess AK
IEEE 802.16 Security Process
Authentication
Key lifetime: 1 to 70 days , usually 7days
Authorization state machine flow diagram
Authorization FSM state transition matrix
Data Key Exchange
Data encryption requires data key called Transport Encryption key (TEK).
TEK is generated by BS randomly TEK is encrypted with
Triple-DES (use 128 bits KEK) RSA (use SS’s public key) AES (use 128 bits KEK)
Key Exchange message is authenticated by HMAC-SHA1 – (provides Message Integrity and AK confirmation)
Key Derivation
KEK = Truncate-128(SHA1(((AK| 044) xor 5364)Downlink HMAC key = SHA1((AK|044) xor 3A64)Uplink HMAC key = SHA1((AK|044) xor 5C64)
Data Key Exchange
Data Encryption
Data Encryption
Encrypt only data message not management message
DES in CBC Mode 56 bit DES key (TEK) No Message Integrity Detection No Replay Protection
Data Encryption
IEEE 802.16 Security Flaws
IEEE 802.16 Security Flaws Lack of Explicit Definitions
Authorization SA not explicitly defined SA instances not distinguished: open to replay attacks Solution: Need to add nonces from BS and SS to the authorization
SA
Data SA treats 2-bit key as circular buffer Attacker can interject reused TEKs
SAID: 2 bits at least 12 bits (AK lasts 70 days while TEK lasts for 30 minutes)
TEKs need expiration due to DES-CBC mode Determine the period: 802.16 can safely produce 2^32 64-bit blocks o
nly.
IEEE 802.16 Security Flaws
Lack of the mutual authentication
Authentication is one way BS authenticates SS No way for SS to authenticate BS Rouge BS possible because all information's are
public Possible enhancement : BS certificate
Limited authentication method–SS certification
IEEE 802.16 Security Flaws
Authentication Key (AK) generation BS generates AK No contribution from SS SS must trust BS for the generation of
AK
IEEE 802.16 Security Flaws
Data protection errors 56-bit DES… does not offer strong data confidential
ity( Brute force attack) Uses a PREDICTABLE initialization vector (while DE
S-CBC requires a random IV) CBC-IV = [IV Parameter from TEK exchange]XOR [ PHY Syn
chronization field] Chosen Plaintext Attack to recover the original plaintext
Generates each per-frame IV randomly and inserts into the payload.
Though increases overhead, no other choice.
IEEE 802.16 Security Flaws
No Message Integrity Detection, No replay protection Active attack
AES in CCM Mode 128 bit key (TEK) Message Integrity Check Replay Protection using Packet Number
Conclusion
WiMAX PKM ProtocolSS BS
認證資訊 (authentication information)
X.509 certificate授權請求 (authorization request)X.509 certificate, capability, Basic CID
1.確認 SS身分2.產生 AK, 並用憑證中的 public key將之加密
授權答覆 (authorization reply)encrypted AK, SAIDs, SQNAK,…
AK exchange
密鑰請求 (key request)SAID, HMAC-Digest,…
密鑰答覆 (key reply)encrypted TEK, CBC IV,
HMAC-Digest,…
將 AK解開
1.利用 SHA演算法驗證 HMAC-Digest2.產生 TEK3.由 AK產生 KEK用以加密 TEK
1.利用 SHA驗證 HMAC-Digest2.由 AK計算出 KEK以解開 TEK
資料交換 (利用 TEK加密 )
TEK exchange(每一個資料傳輸連線都必須先做此動
作 )
HMAC-Digest:用以驗證資料的完整性
Conclusion It need the bidirectional authorization Require more flexible authentication
method EAP Authentication
Improve Key derivation Include the system identity (i.e., SSID) Key freshness –include random number
from both SS and BS Prefer AES to DES for data encryption
References IEEE Std 802.16-2001 standard for the local and
metropolitan Area Networks,part 16 “ZAir interface for Fixed BroadBand Wireless Access Systems,” IEEE Press , 2001
IEEE Std 802.16-2004(Revision of IEEE Std 802.16-2001) Johnson, David and Walker, Jesse of Intel (2004), “Overview of
IEEE 802.16 Security” ,published by the IEEE computer society http://www.seas.gwu.edu/~cheng/388/LecNotes2006/