1 / 40

Overview of IEEE 802.16 Security

Overview of IEEE 802.16 Security. Advisor: Dr. Kai-Wei Ke Speaker: Yen-Jen Chen Date: 03/26/2007. Outline. Introduction to IEEE 802.16 IEEE 802.16 Security Architecture IEEE 802.16 Security Issues IEEE 802.16 Security Flaws Conclusion References. Introduction to IEEE 802.16.

ancelin
Download Presentation

Overview of IEEE 802.16 Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Overview of IEEE 802.16 Security Advisor: Dr. Kai-Wei Ke Speaker: Yen-Jen Chen Date: 03/26/2007

  2. Outline • Introduction to IEEE 802.16 • IEEE 802.16 Security Architecture • IEEE 802.16 Security Issues • IEEE 802.16 Security Flaws • Conclusion • References

  3. Introduction to IEEE 802.16

  4. IEEE 802.16 WiMAX • For the wide area( ranging up to 50 Km) • Last mile connectively • Provide the higher speed connectively for the data, voice and video(32-134Mbps) • Low cast

  5. IEEE 802.16 WiMAX

  6. IEEE 802.16 WiMAX

  7. IEEE 802.16 WiMAX

  8. Comparing Technologies

  9. IEEE 802.16 Security Architecture

  10. 802.16 MAC Protocol Stack

  11. MAC CS Sub-layer • CS Layer: • Receives data from higher layers • Classifies the packet • Forwards frames to CPS layer

  12. MAC CPS Sub-layer • Performs typical MAC functions such as addressing • Each SS assigned 48-bit MAC address • Connection Identifiers used as primary address after initialization • MAC policy determined by direction of transmission • Uplink is DAMA-TDM • Downlink is TDM • Data encapsulated in a common format facilitating interoperability • Fragment or pack frames as needed • Changes transparent to receiver

  13. MAC Privacy Sub-layer • Provides secure communication • Data encrypted with cipher clock chaining mode of DES • Prevents theft of service • SSs authenticated by BS using key management protocol

  14. IEEE 802.16 Security Architecture

  15. IEEE 802.16 Security Issues

  16. WMAN Threat Model • PHY threats • Water torture attack, jammings • No protection under 802.16 • MAC threats • Typical threats of any wireless network • Sniffing, Masquerading, Content modification, Rouge Base Stations, DoS attacks, etc

  17. IEEE 802.16 Security Model • DOCSIS (Data Over Cable Service Interface Specifications) • Assumption : All equipments are controlled by the service provider. • Flaw : May not be suitable for wireless environment. • Connection oriented (e.g. basic CID, SAID) • Connection • Management connection • Transport connection • Identified by connection ID (CID) • Security Association (SA) • Cryptographic suite (i.e. encryption algorithm) • Security info. (i.e. key, IV) • Identified by SAID

  18. Data SA 16-bit SA identifier Cipher to protect data: DES-CBC 2 TEK TEK key identifier (2-bit) TEK lifetime 64-bit IV Authorization SA X.509 certificate  SS 160-bit authorization key (AK) 4-bit AK identification tag Lifetime of AK KEK for distribution of TEK = Truncate-128(SHA1(((AK| 044) xor 5364) Downlink HMAC key = SHA1((AK|044) xor 3A64) Uplink HMAC key = SHA1((AK|044) xor 5C64) A list of authorized data SAs Security Association

  19. X.509 certificate

  20. Security Association • BS use the X.509 certificate from SS to authenticate. • No BS authentication • Negotiate security capabilities between BS and SS • Authentication Key (AK) • exchange AK serves as authorization token • AK is encrypted using public key cryptography • Authentication is done when both SS and BS possess AK

  21. IEEE 802.16 Security Process

  22. Authentication Key lifetime: 1 to 70 days , usually 7days SS →BS: Cert(Manufacturer(SS)) SS →BS: Cert(SS) | Capabilities | SAID BS →SS: RSA-Encrypt(PubKey(SS), AK) | Lifetime | SeqNo | SAIDList

  23. Authorization state machine flow diagram

  24. Authorization FSM state transition matrix

  25. Data Key Exchange • Data encryption requires data key called Transport Encryption key (TEK). • TEK is generated by BS randomly • TEK is encrypted with • Triple-DES (use 128 bits KEK) • RSA (use SS’s public key) • AES (use 128 bits KEK) • Key Exchange message is authenticated by HMAC-SHA1 – (provides Message Integrity and AK confirmation)

  26. KEK = Truncate-128(SHA1(((AK| 044) xor 5364) Downlink HMAC key = SHA1((AK|044) xor 3A64) Uplink HMAC key = SHA1((AK|044) xor 5C64) Key Derivation

  27. Data Key Exchange

  28. Data Encryption

  29. Data Encryption • Encrypt only data message not management message • DES in CBC Mode • 56 bit DES key (TEK) • No Message Integrity Detection • No Replay Protection

  30. Data Encryption

  31. IEEE 802.16 Security Flaws

  32. IEEE 802.16 Security Flaws • Lack of Explicit Definitions • Authorization SA not explicitly defined • SA instances not distinguished: open to replay attacks • Solution: Need to add nonces from BS and SS to the authorization SA • Data SA treats 2-bit key as circular buffer • Attacker can interject reused TEKs • SAID: 2 bits  at least 12 bits (AK lasts 70 days while TEK lasts for 30 minutes) • TEKs need expiration due to DES-CBC mode • Determine the period: 802.16 can safely produce 2^32 64-bit blocks only.

  33. IEEE 802.16 Security Flaws • Lack of the mutual authentication • Authentication is one way • BS authenticates SS • No way for SS to authenticate BS • Rouge BS  possible because all information's are public • Possible enhancement : BS certificate • Limited authentication method–SS certification

  34. IEEE 802.16 Security Flaws • Authentication Key (AK) generation • BS generates AK • No contribution from SS • SS must trust BS for the generation of AK

  35. IEEE 802.16 Security Flaws • Data protection errors • 56-bit DES… does not offer strong data confidentiality( Brute force attack) • Uses a PREDICTABLE initialization vector (while DES-CBC requires a random IV) • CBC-IV = [IV Parameter from TEK exchange]XOR [ PHY Synchronization field] • Chosen Plaintext Attack to recover the original plaintext • Generates each per-frame IV randomly and inserts into the payload. • Though increases overhead, no other choice.

  36. IEEE 802.16 Security Flaws • No Message Integrity Detection, No replay protection • Active attack • AES in CCM Mode • 128 bit key (TEK) • Message Integrity Check • Replay Protection using Packet Number

  37. Conclusion

  38. 認證資訊(authentication information)X.509 certificate 授權請求(authorization request)X.509 certificate, capability, Basic CID AK exchange 授權答覆(authorization reply)encrypted AK, SAIDs, SQNAK,… 密鑰請求(key request)SAID, HMAC-Digest,… TEK exchange(每一個資料傳輸連線都必須先做此動作) 密鑰答覆(key reply)encrypted TEK, CBC IV, HMAC-Digest,… 資料交換(利用TEK加密) WiMAX PKM Protocol BS SS 1.確認SS身分 2.產生AK, 並用憑證中的public key將之加密 將AK解開 1.利用SHA演算法驗證HMAC-Digest 2.產生TEK 3.由AK產生KEK用以加密TEK 1.利用SHA驗證HMAC-Digest 2.由AK計算出KEK以解開TEK HMAC-Digest:用以驗證資料的完整性

  39. Conclusion • It need the bidirectional authorization • Require more flexible authentication method • EAP Authentication • Improve Key derivation • Include the system identity (i.e., SSID) • Key freshness –include random number from both SS and BS • Prefer AES to DES for data encryption

  40. References • IEEE Std 802.16-2001 standard for the local and metropolitan Area Networks,part 16 “ZAir interface for Fixed BroadBand Wireless Access Systems,” IEEE Press , 2001 • IEEE Std 802.16-2004(Revision of IEEE Std 802.16-2001) • Johnson, David and Walker, Jesse of Intel (2004), “Overview of IEEE 802.16 Security” ,published by the IEEE computer society • http://www.seas.gwu.edu/~cheng/388/LecNotes2006/

More Related