security in 802 16d and 802 16e l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Security in 802.16d and 802.16e PowerPoint Presentation
Download Presentation
Security in 802.16d and 802.16e

Loading in 2 Seconds...

play fullscreen
1 / 58

Security in 802.16d and 802.16e - PowerPoint PPT Presentation


  • 130 Views
  • Uploaded on

Security in 802.16d and 802.16e. Advisor: Dr. Kai-Wei Ke Speaker: Yen-Jen Chen Date: 03/04/2008. Outline. Overview of 802.16d Security Security Architecture in the 802.16e Authentication in the 802.16e Key hierarchy in the 802.16e Conclusion References.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Security in 802.16d and 802.16e' - thuy


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
security in 802 16d and 802 16e

Security in 802.16d and 802.16e

Advisor: Dr. Kai-Wei Ke

Speaker: Yen-Jen Chen

Date: 03/04/2008

outline
Outline
  • Overview of 802.16d Security
  • Security Architecture in the 802.16e
  • Authentication in the 802.16e
  • Key hierarchy in the 802.16e
  • Conclusion
  • References
mac privacy sub layer
MAC Privacy Sub-layer
  • Provides secure communication
    • Data encrypted with cipher clock chaining mode of DES
  • Prevents theft of service
    • SSs authenticated by BS using key management protocol
security association
Data SA

16-bit SA identifier

Cipher to protect data: DES-CBC

2 TEK

TEK key identifier (2-bit)

TEK lifetime

64-bit IV

Authorization SA

X.509 certificate  SS

160-bit authorization key (AK)

4-bit AK identification tag

Lifetime of AK

KEK for distribution of TEK

= Truncate-128(SHA1(((AK| 044) xor 5364)

Downlink HMAC key

= SHA1((AK|044) xor 3A64)

Uplink HMAC key

= SHA1((AK|044) xor 5C64)

A list of authorized data SAs

Security Association
security association8
Security Association
  • BS use the X.509 certificate from SS to authenticate.
  • No BS authentication
  • Negotiate security capabilities between BS and SS
  • Authentication Key (AK)
    • exchange AK serves as authorization token
    • AK is encrypted using public key cryptography
  • Authentication is done when both SS and BS possess AK
authentication
Authentication

Key lifetime: 1 to 70 days , usually 7days

SS →BS: Cert(Manufacturer(SS))

SS →BS: Cert(SS) | Capabilities | SAID

BS →SS: RSA-Encrypt(PubKey(SS), AK) | Lifetime | SeqNo | SAIDList

key derivation
KEK = Truncate-128(SHA1(((AK| 044) xor 5364)

Downlink HMAC key = SHA1((AK|044) xor 3A64)

Uplink HMAC key = SHA1((AK|044) xor 5C64)

Key Derivation
ieee 802 16d security flaws
IEEE 802.16d Security Flaws
  • Lack of Explicit Definitions
  • Lack of the mutual authentication
  • Limited authentication method–SS certification
  • Authentication Key (AK) generation
security architecture
Security Architecture
  • Encapsulation protocol
    • A set of cryptographic suites
    • The rules for applying those algorithm
  • Key management protocol
    • PKM for distributing key data
      • AK 160 bits share key for ss and bs
      • TEK 128bits PKM exchange key
  • Authentication (PKMv2 protocol)
    • To get AK (Authorization key)
    • RSA authentication
    • EAP authentication
rsa authentication protocol
RSA authentication protocol
  • 802.16d uses this one
  • BS uses the PKI mechanism to verify the Certificate
  • BS uses the CTL (Certificate trust list)
eap authentication protocol
EAP authentication protocol
  • EAP is a authentication framework not a specially authentication mechanism
  • the four methods in 802.16e
    • RSA based authentication
    • One level EAP based authentication
    • Two level EAP based authentication
    • RSA based authentication followed by EAP authentication
eap authentication protocol28
EAP authentication protocol
  • RSA based authentication
    • Use the PKMv2 RSA-Request、PKMv2 RSA-Reply、PKMv2 RSA-Reject、PKMv2 RSA-acknowledgement messages to get pre-PAK
    • Using the public key of SS to encrypt the pre-PAK and send back to SS
    • pre-PAK generates the PAK (Primary Authorization key) and EIK(EAP integrity Key)
    • PAK generates the AK
eap authentication protocol cont
EAP authentication protocol (Cont.)
  • RSA based authentication
    • EIK|PAK <= Dot16KDF (pre-PAK,SS MAC address | BSID | ”EIK+PAK” , 320)
    • AK<= Dot16KDF (PAK,SS MAC address | BSID | PAK|”AK” , 160)
eap authentication protocol cont30
EAP authentication protocol (Cont.)
  • One level EAP based authentication
    • Using the authentication exchange message to get MSK (Master session key)
    • PMK<= truncate(MSK,160)
    • AK<=Dot16KDF(PMK,SS MAC Address | BSID | “AK”,160)
eap authentication protocol cont31
EAP authentication protocol (Cont.)
  • Two level EAP based authentication
    • SS sent the PKEv2 EAP Start to BS
    • The first EAP negotiation will begin between BS and SS included the message of PKMv2 Transfer2(MSK)
    • After that BS will send the EAP-Success or EAP-failure.
    • If BS sent the EAP-Success then BS will send the PKMv2_EAP_Complete encrypted by EIK immediate
    • If SS gets the EIK and PMK successful then SS can verify the message
    • Otherwise the SS might get the EAP-failure or get no respond to show that BS is failure to authentication
eap authentication protocol cont32
EAP authentication protocol (Cont.)
  • Two level EAP based authentication
    • After SS finished the first EAP negotiation successful ,the SS will send “PKMv2 Authenticated EAP Start” to start the second EAP negotiation
    • When BS got this message, BS will check the message by EIK.
    • If BS check ok then BS will start the second EAP negotiation, otherwise BS will think the Authenticated failure.
    • The related messages of PKM is protected by EIK in the second EAP negotiation
    • If BS and SS competed second EAP negotiation, then BS and SS can get the AK form PMK( pairwise authorization key) and PMK2
eap authentication protocol cont33
EAP authentication protocol (Cont.)
  • Two level EAP based authentication
    • EIK|PMK <= truncate (MSK,320)
    • PMK2 <= truncate(MSK,160)
    • AK <= Dot 16KDF(PMK + PMK2, SS MAC Address| BSID|” AK” , 160)
eap authentication protocol cont34
EAP authentication protocol (Cont.)
  • RSA based authentication followed by EAP authentication
    • First execute RSA-based authorization and execute the second round of Double EAP mode
    • EIK|PAK <= Dot16KDF(pre-PAK, SS MAC Address | BSID | “EIK+PAK”,320)
    • AK <= Dot16KDF(PAK⊕PMK, SS MAC Address| BSID |PAK “AK” 160)
key hierarchy in the 802 16e36
Key hierarchy in the 802.16e
  • AK (Authorization Key)
  • KEK (Key Encryption Key)
    • KEK is generated by AK
    • Using it to encrypt the TEK or GKEK etc
key hierarchy in the 802 16e37
Key hierarchy in the 802.16e
  • GKEK (group KEK)
    • One GSA has one GKEK
    • GKEK is generated by random number of BS
    • BS uses the KEK to encrypt GKEK and send to SS
    • GKEK encrypted the GTEK when GTEK updated and send it to all SS in the group
key hierarchy in the 802 16e38
Key hierarchy in the 802.16e
  • TEK (Traffic Encryption Key)
    • TEK is generated by random number of BS
    • BS use the KEK to encrypt the TEK and send to SS
    • TEK is used to encrypt the message or data between BS and SS
key hierarchy in the 802 16e39
Key hierarchy in the 802.16e
  • GTEK (Group TEK)
    • TEK is generated by random number of BS or some nodes in the group
    • GTEK is used to encrypt the broadcast messages
    • Using the KEK as the encryption key When request the GTEK
    • Using the GKEK as the encryption key When update the GTEK
key hierarchy in the 802 16e40
Key hierarchy in the 802.16e
  • MTK (MBS traffic Key)
    • It comes from MAK(MBS AK) but do not have any generate method in 802.16e
    • MTK = Dot16KDF (MAK,MGTEK|”MTK”,128)
key hierarchy in the 802 16e41
Key hierarchy in the 802.16e
  • HMAC (HMAC Digests)
    • Using the AK as the material
    • HMAC_KEY_U | HMAC_KEY_D | KEK <=Dot16KDF(AK, SS MAC Address | BSID | “HMAC_KEYS+KEK”,448)
    • HMAC_KEY_GD <= Dot16KDF (GKEK,”GROUP HMAC KEY”,160)
key hierarchy in the 802 16e42
Key hierarchy in the 802.16e
  • HMAC (HMAC Digests)
    • Using the EIK as the material
    • HMAC_KEY_U | HMAC_KEY_D | KEK <=Dot16KDF(EIK, SS MAC Address | BSID | “HMAC_KEYS+KEK”,320)
key hierarchy in the 802 16e43
Key hierarchy in the 802.16e
  • CMAC (Cipher-based MAC)
    • Using the AK as the material
    • CMAC_KEY_U | CMAC_KEY_D | KEK <=Dot16KDF(AK, SS MAC Address | BSID | “CMAC_KEYS+KEK”,384)
    • CMAC_KEY_GD <= Dot16KDF (GKEK,”GROUP CMAC KEY”,128)
key hierarchy in the 802 16e44
Key hierarchy in the 802.16e
  • CMAC (Cipher-based MAC)
    • Using the EIK as the material
    • CMAC_KEY_U | CMAC_KEY_D | KEK<=Dot16KDF(EIK, SS MAC Address | BSID | “CMAC_KEYS + KEK” , 256)
wimax p km protocol

認證資訊(authentication information)X.509 certificate

授權請求(authorization request)X.509 certificate, capability, Basic CID

AK exchange

授權答覆(authorization reply)encrypted AK, SAIDs, SQNAK,…

密鑰請求(key request)SAID, HMAC-Digest,…

TEK exchange(每一個資料傳輸連線都必須先做此動作)

密鑰答覆(key reply)encrypted TEK, CBC IV, HMAC-Digest,…

資料交換(利用TEK加密)

WiMAX PKM Protocol

BS

SS

1.確認SS身分

2.產生AK, 並用憑證中的public key將之加密

將AK解開

1.利用SHA演算法驗證HMAC-Digest

2.產生TEK

3.由AK產生KEK用以加密TEK

1.利用SHA驗證HMAC-Digest

2.由AK計算出KEK以解開TEK

HMAC-Digest:用以驗證資料的完整性

conclusion50
Conclusion
  • Authentication & Authorization more robust
    • Using the bidirectional Authentication to avoid the rude base station and support the different Authentication policy。
  • Data Privacy
    • 802.16e add more encryption algorithm (Advanced Encryption Standard, AES) to enhance the security
  • Key’s generation
    • Using the robust solution to generate the AK
references
References
  • IEEE Std 802.16-2001 standard for the local and metropolitan Area Networks,part 16 “ZAir interface for Fixed BroadBand Wireless Access Systems,” IEEE Press , 2001
  • IEEE Std 802.16-2004(Revision of IEEE Std 802.16-2001)
  • Johnson, David and Walker, Jesse of Intel (2004), “Overview of IEEE 802.16 Security” ,published by the IEEE computer society
  • http://www.seas.gwu.edu/~cheng/388/LecNotes2006/
  • IEEE Std 802.16e
  • WiMAX 安全問題之研究
  • IEEE 802.16e-2005 WiMAX安全子層初探
public key infrastructure pki
Public Key Infrastructure(PKI)
  • It is a security mechanism which uses the public and private keys
  • The five components of PKI
    • Security Policy
    • Certificate Authority;CA
    • Registration Authority;RA
    • Certificate Revocation List;CRL
    • Directory Service; DS
public key infrastructure cont
Public Key Infrastructure(Cont.)

CA

RA

Publish the certification / Certificate Revocation List

Send the request to RA / cancel the request of certification

DS

Check the certification/

Certificate Revocation List

Security channel

Usual channel

applicant

public key infrastructure cont55

The CA of B

The CA of A

John’s Trust List

B

D

……

Tom

John

Cherry

Chris

Public Key Infrastructure(Cont.)
  • Simple Trust List
dot16kdf algorithm
Dot16KDF algorithm
  • CRT (counter mode encryption) uses the input material to generate the designed length key
  • input material (key,astring,keylength)
  • Output key length is keylength*2
dot16kdf algorithm cont
Dot16KDF algorithm (Cont.)
  • CMAC
    • Kin = Truncate (key,128) get the leftmost 128 bits of key as the Kin
    • Output key = (CMAC(Kin,0| astring | keylength) || CMAC(Kin,1| astring | keylength) || CMAC(Kin,2| astring | keylength) …………)
dot16kdf algorithm cont58
Dot16KDF algorithm (Cont.)
  • HMAC
    • Kin = Truncate (key,160) get the leftmost 160 bits of key as the Kin
    • Output key = SHA-1(Kin , i | astring | keylength)