qcom 1xev-do white paper - 1xev-do security


Page 1: QCOM 1xEV-DO White Paper - 1xEV-DO Security

8/10/2019 QCOM 1xEV-DO White Paper - 1xEV-DO Security

http://slidepdf.com/reader/full/qcom-1xev-do-white-paper-1xev-do-security 1/6

1xEV-DO Web Paper

1xEV-DO Security

Wireless and Wireline Security

As the Internet is used for transmission of sensitive information, it is very important to have secure connections. This is true in the case of both wireline and wireless Internet. There are a number of security measures that have already been developed for wireline Internet that are also applicable to wireless Internet.

First let’s look at the contrast between security requirements for voice and Internet services in general. In order to eavesdrop on a wireline voice call, one would have to access the physical wires of the PSTN. Voice traffic is rarely encrypted because the PSTN networks are relatively secure. Although analog transmissions are easily decipherable, there are physical constraints in place on neighborhood junction boxes and circuits. This provides a sense of security to most consumers, who transmit sensitive information over the wireline voice network.

In a cellular voice network, again the PSTN portion of the network is considered secure from external access. In some instances, such as government applications, the wireless portion of the cellular voice network may be further protected with encryption. However, in contrast to analog wireless systems, CDMA is inherently very secure, and typically CDMA voice services intended for consumers are not encrypted.

Looking back at the wireline Internet, it is relatively easy to access and monitor other Users’ traffic. Switched wireline environments allow traffic destined to all users to be easily monitored from a User’s computer, and shared environments allow all network traffic to be monitored. This is the reason many security mechanisms have already been built into web browser and web server applications (e.g., Secure Socket Layer, Transport Layer Security), and operating systems have integrated VPNs (e.g., PPTP, L2TP, IPsec). These security mechanisms have been heavily scrutinized by security experts worldwide and have proven to be robust and secure. Because each link in the Internet’s distributed architecture is equally vulnerable, end-to-end encryption is required for secure Internet connections (Diagram 1). In addition, the User is authenticated and authorized by the Internet Service Provider (ISP).

Copyright 2003, QUALCOMM Incorporated

Diagram 1 (figure not reproduced): two packet paths from the 1xEV-DO airlink through the Wireless ISP and the Internet to a corporate Firewall, Intranet/Corp. LAN and Server. Normal packet path, no protection: the ISP firewall allows all data to and from Users. VPN applied, data is protected: the ISP firewall allows only authenticated User traffic and the VPN encrypts the data.

This model can easily be extended to the wireless realm, and all the same well-tested security mechanisms can be used in cellular wireless Internet systems (Diagram 2). It is important to note that once again end-to-end encryption is required. If only the airlink is encrypted, and not the remaining paths through the Internet, then the User’s traffic is still vulnerable and the added protection on the airlink has been circumvented. It is extremely important to utilize VPN techniques that encrypt and protect the entire path.


Diagram 2 (figure not reproduced): 1xEV-DO device, Local Server at the Wireless ISP, Internet, Remote Server. Air-link encryption covers only the segment between the device and the Wireless ISP; End-to-End Encryption at the Network or Application Layer covers the whole path from the device to the Remote Server.

Following the wireline Internet model benefits providers by allowing the use of the same well-tested security mechanisms. It has been shown in the past that new security mechanisms devised by the GSM and Wireless LAN communities have not been as successful, since they have not had the same level of testing and scrutiny as the well-established Internet security protocols.

1xEV-DO Security

1xEV-DO, the IS-856 standard, offers authentication, authorization and the capability to add encryption mechanisms. The standard includes provisions such as a protocol type and a crypto-sync that define an encryption protocol for the airlink. The provisions in the IS-856 standard that allow encryption to be added give manufacturers the flexibility to encrypt all the information transferred over the airlink or only specific channels. This is left to the implementer’s discretion.

1xEV-DO Air-Link Authentication

The 1xEV-DO System provides strong authentication mechanisms at the air-link layer that are effective against theft-of-service attacks. The airlink authentication verifies that the two entities, the Radio Access Network (RAN) and the 1xEV-DO device, are who they say they are. The Diffie-Hellman Exchange protocol requires the BSC function within the RAN and the 1xEV-DO Access Terminal to exchange ephemeral keys using the Diffie-Hellman algorithm. The BSC and RADIUS server derive a session key (referred to as the AirInterfaceSessionKey), then exchange the keys. If the keys match, then the PPP and LCP negotiation is initiated. The device passes its Username to the RAN, where the RADIUS server authenticates the device. Upon a positive authentication the BSC binds the AirInterfaceSessionKey to the IMSI and the RADIUS server binds the NAI to the IMSI (Diagram 3). If the User is not located at their home network, the serving carrier’s RADIUS server proxies with the Home Network’s RADIUS server to authenticate the device (see section: Authentication for Roaming). Once the device is authenticated on the airlink it initiates the User Authentication process. The session keys are good for the lifetime of each session; new keys are generated with every new session.

Diagram 3 (figure not reproduced): 1xEV-DO Airlink Authentication between the Access Terminal, the BSC and the RADIUS Server. Each end-point begins with a private key; the RADIUS Server stores private keys. Steps: exchange public key (both directions); exchange AirInterfaceSessionKey (shared secret); PPP and LCP negotiations; CHAP negotiation with NAI device@wirelessisp.com; Positive Authentication: RADIUS binds NAI to IMSI, BSC binds session key to IMSI; “Airlink” Authentication Complete.
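The airlink key agreement described above, modelled as an added example that is not part of the Qualcomm paper: the two endpoints (Access Terminal and BSC) each generate an ephemeral Diffie-Hellman key pair, derive an AirInterfaceSessionKey from the shared secret, confirm that their keys match by exchanging a hash of the key rather than the key itself, and the BSC then binds the key to the IMSI. The paper's message flow also involves the RADIUS server, which is simplified away here; the group is RFC 2409 group 2, while the 128-bit key derivation, the confirmation tag format and the IMSI value are assumptions that IS-856 does not specify in this text.

```python
import hashlib
import secrets

# Diffie-Hellman group: RFC 2409 group 2 (1024-bit MODP, generator 2). Used here
# for brevity; modern deployments should use RFC 3526 group 14 or larger.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


class Endpoint:
    """One side of the airlink exchange: the Access Terminal or the BSC."""

    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(P - 3) + 2  # fresh ephemeral private key per session
        self.pub = pow(G, self.priv, P)

    def session_key(self, peer_pub):
        # Reject degenerate public values (0, 1, p-1) that would force a trivial secret.
        if not 1 < peer_pub < P - 1:
            raise ValueError("invalid peer public key")
        shared = pow(peer_pub, self.priv, P)
        # Assumed KDF: hash the shared secret down to a 128-bit AirInterfaceSessionKey.
        return hashlib.sha256(shared.to_bytes(128, "big")).digest()[:16]


def confirmation_tag(key, label):
    """Value sent to prove possession of the key without exposing it over the airlink."""
    return hashlib.sha256(label + b"|" + key).digest()


def airlink_authentication(imsi, bsc_bindings):
    """Run the exchange; returns the agreed key (and binds it to the IMSI) or None."""
    at, bsc = Endpoint("AT"), Endpoint("BSC")
    k_at = at.session_key(bsc.pub)       # AT computes from the BSC's public value
    k_bsc = bsc.session_key(at.pub)      # BSC computes from the AT's public value
    # Each side checks the other's tag against its own key; a mismatch means the two
    # sides do not share a secret (e.g. a public value was altered in transit).
    if not secrets.compare_digest(confirmation_tag(k_at, b"AT"),
                                  confirmation_tag(k_bsc, b"AT")):
        return None
    bsc_bindings[imsi] = k_bsc           # BSC binds AirInterfaceSessionKey to the IMSI
    return k_at
```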


User Authentication and Authorization

After the device is granted access to the RAN, the User is authenticated with CHAP, and the PPP and LCP negotiations are established between the device and the PDSN (Diagram 4). After the User authenticates on the network, information regarding the User’s ‘Authorized’ Services is sent from the RADIUS server to the PDSN in the form of an “Access-Accept” message. The User’s services have now been authorized and they are free to use the network in accordance with their Authorized RAN services.

Diagram 4 (figure not reproduced): User Authentication and Authorization between the device, the PDSN and the RADIUS Server. “User” Authentication starts with PPP and LCP negotiations; the CHAP negotiation sends the NAI and password; if the NAI and password match, the RADIUS Server returns Positive Authentication. Authorization process: the RADIUS Server forwards the User’s Authorized Services to the PDSN, and the PDSN allows the Authorized Services.


Authentication for Roaming

The RADIUS server supports RADIUS proxy operation (Diagram 5) and can be used for authenticating in a roaming situation. RADIUS proxy allows the serving RADIUS server to forward all messages to the home RADIUS server based on the Realm in the User’s identifier. Therefore, all RADIUS Authentication, Authorization and Accounting messages for a User homed in a different Access Network are automatically forwarded by the serving Access Network to the home Access Network.

Diagram 5 (figure not reproduced): a Roaming Subscriber on the 1xEV-DO Serving System (Wireless ISP) is authenticated through the serving RADIUS Server in Proxy Mode, which forwards over the Internet to the Home System’s RADIUS Server holding the User’s Profile.
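The CHAP-based user authentication (User Authentication and Authorization section) and the realm-based RADIUS proxying (this section), as an added example that is not from the paper: the device answers a CHAP challenge (RFC 1994: MD5 over identifier, secret and challenge), the serving RADIUS server routes the request by the realm in the NAI, either answering for its own realm or proxying to the home server, and the Access-Accept carries the authorized services that the PDSN then enforces. The subscriber records, secrets, IMSIs and service names are constructed for the example, and RADIUS packet encoding is not modelled.

```python
import hashlib
import secrets

# Constructed subscriber databases, one per home realm, keyed by NAI (user@realm).
HOME_REALMS = {
    "wirelessisp.com": {
        "device@wirelessisp.com": {"secret": b"dev-secret-1", "imsi": "310150000000001",
                                   "services": ["internet", "vpn"]}},
    "otherisp.net": {
        "alice@otherisp.net": {"secret": b"alice-secret", "imsi": "310260000000002",
                               "services": ["internet"]}},
}


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def home_radius(realm, nai, ident, challenge, response):
    """Home RADIUS server: verify CHAP; Access-Accept carries the authorized services."""
    entry = HOME_REALMS.get(realm, {}).get(nai)
    if entry is None:
        return {"code": "Access-Reject"}
    expected = chap_response(ident, entry["secret"], challenge)
    if not secrets.compare_digest(expected, response):   # constant-time comparison
        return {"code": "Access-Reject"}
    return {"code": "Access-Accept", "imsi": entry["imsi"], "services": list(entry["services"])}


def serving_radius(serving_realm, nai, ident, challenge, response):
    """Serving RADIUS server: answer its own realm, otherwise proxy on the NAI's realm."""
    if "@" not in nai:
        return {"code": "Access-Reject", "proxied": False}   # no realm, cannot route
    realm = nai.rsplit("@", 1)[1].lower()
    if realm not in HOME_REALMS:
        return {"code": "Access-Reject", "proxied": False}   # unknown realm, nowhere to send
    reply = home_radius(realm, nai, ident, challenge, response)
    reply["proxied"] = realm != serving_realm
    return reply


def pdsn_session(serving_realm, nai, device_secret):
    """PDSN as CHAP authenticator: challenge the device, query RADIUS, enforce services."""
    ident, challenge = 7, secrets.token_bytes(16)
    response = chap_response(ident, device_secret, challenge)   # computed on the device
    reply = serving_radius(serving_realm, nai, ident, challenge, response)
    allowed = set(reply["services"]) if reply["code"] == "Access-Accept" else set()
    return reply, allowed
```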
