WiMAX Security(簡介)- encryption- Public key infrastructure
Why encryption? • Encryption • a mechanism that protects data confidentiality and integrity • plaintext to ciphertext
Encryption • Encryption is always applied to the MAC PDU payload; • the generic MAC header is not encrypted; some • management messages are not encrypted.
Encryption -- WiMAX • WiMAX uses the Advanced Encryption Standard (AES) to produce ciphertext. • Receiver of the ciphertext simply reverses the process to recover the plaintext.
Public key infrastructure • The WiMAX 802.16e-2005 standard uses the Privacy and Key Management Protocol version 2 (PKMv2) for securely transferring keying material between the base station and the mobile station. • PKMv2’s components • X.509 digital certificates • RSA public-key algorithm • Strong encryption algorithm to perform key exchanges between SS to BS. • PKMv2 mechanism • Validates user identity and establishes an authorization key (AK) • AK is used to derive the encryption key described in the previous section.
Public key infrastructure • PKMv2 supports the use of the Rivest-Shamir-Adlerman (RSA) public key cryptographyexchange. • RSA public key exchange • requires that the mobile station establish identity using either a manufacturer-issued X.509 digital certificate or an operator-issued credential such as a subscriber identity module (SIM) card. • X.509 digital certificate contains the mobile station's Public-Key (PK) and its MAC address.
X.509 加密資料 (public key) 解密資料 (private key)
Public key infrastructure • The mobile station transfers the X.509 digital certificate to the WiMAX network, which then forwards the certificate to a certificate authority. The certificate authority validates the certificate, thus validating the user identity.
Public key infrastructure • Once the user identity is validated, the WiMAX network uses the public key to create the authorization key, and sends the authorization key to the mobile station. The mobile station and the base station use the authorization key to derive an identical encryption key that is used with the AES algorithm.
Privacy Key Management Subscriber Station Base Station 1. Authentication Information Message 2. Authorization Request (X.509(Public, Mac address), cryptographic , SS ID 3. Authentication Reply (public [AK], AK Sequence, AK lifetime, SAID) AK Encryption 4. Key Request (AK key Sequence, SAID, HMAC-Digest) 5. Key Reply (AK key Sequence , SAID, KEK [Old-TEK], KEK [New-TEK], HMAC-Digest) TEK Encryption 6. TEK Encryption
Keys in 802.16 1.public key -- issue by manufacturer 2.authorization key (AK) -- distributed by the BS; refreshed periodically; encrypted by SS’s public key 3.Key encryption key(KEK) -- derived from AK by BS and SS. 4.Traffic encryption key (TEK) -- distributed by the BS; refreshed periodically; encrypted by KEK 5.Traffic -- encrypted / decrypted by TEK