1 / 58

Security in 802.16d and 802.16e

Security in 802.16d and 802.16e. Advisor: Dr. Kai-Wei Ke Speaker: Yen-Jen Chen Date: 03/04/2008. Outline. Overview of 802.16d Security Security Architecture in the 802.16e Authentication in the 802.16e Key hierarchy in the 802.16e Conclusion References.

thuy
Télécharger la présentation

Security in 802.16d and 802.16e

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security in 802.16d and 802.16e Advisor: Dr. Kai-Wei Ke Speaker: Yen-Jen Chen Date: 03/04/2008

  2. Outline • Overview of 802.16d Security • Security Architecture in the 802.16e • Authentication in the 802.16e • Key hierarchy in the 802.16e • Conclusion • References

  3. Overview of 802.16d Security

  4. MAC Privacy Sub-layer • Provides secure communication • Data encrypted with cipher clock chaining mode of DES • Prevents theft of service • SSs authenticated by BS using key management protocol

  5. IEEE 802.16 Security Architecture

  6. X.509 certificate

  7. Data SA 16-bit SA identifier Cipher to protect data: DES-CBC 2 TEK TEK key identifier (2-bit) TEK lifetime 64-bit IV Authorization SA X.509 certificate  SS 160-bit authorization key (AK) 4-bit AK identification tag Lifetime of AK KEK for distribution of TEK = Truncate-128(SHA1(((AK| 044) xor 5364) Downlink HMAC key = SHA1((AK|044) xor 3A64) Uplink HMAC key = SHA1((AK|044) xor 5C64) A list of authorized data SAs Security Association

  8. Security Association • BS use the X.509 certificate from SS to authenticate. • No BS authentication • Negotiate security capabilities between BS and SS • Authentication Key (AK) • exchange AK serves as authorization token • AK is encrypted using public key cryptography • Authentication is done when both SS and BS possess AK

  9. IEEE 802.16 Security Process

  10. Authentication Key lifetime: 1 to 70 days , usually 7days SS →BS: Cert(Manufacturer(SS)) SS →BS: Cert(SS) | Capabilities | SAID BS →SS: RSA-Encrypt(PubKey(SS), AK) | Lifetime | SeqNo | SAIDList

  11. Data Key Exchange

  12. Data Encryption

  13. KEK = Truncate-128(SHA1(((AK| 044) xor 5364) Downlink HMAC key = SHA1((AK|044) xor 3A64) Uplink HMAC key = SHA1((AK|044) xor 5C64) Key Derivation

  14. IEEE 802.16d Security Flaws • Lack of Explicit Definitions • Lack of the mutual authentication • Limited authentication method–SS certification • Authentication Key (AK) generation

  15. Security Architecture in the 802.16e

  16. Simple 802.16e Network topology

  17. 802.16e network reference model

  18. The reference model of ASN

  19. 802.16e Network topology

  20. Security Architecture • Encapsulation protocol • A set of cryptographic suites • The rules for applying those algorithm • Key management protocol • PKM for distributing key data • AK 160 bits share key for ss and bs • TEK 128bits PKM exchange key • Authentication (PKMv2 protocol) • To get AK (Authorization key) • RSA authentication • EAP authentication

  21. Security Architecture (Cont.)

  22. Authentication in the 802.16e

  23. RSA authentication protocol • 802.16d uses this one • BS uses the PKI mechanism to verify the Certificate • BS uses the CTL (Certificate trust list)

  24. RSA authentication protocol (Cont.)

  25. EAP authentication protocol • EAP is a authentication framework not a specially authentication mechanism • the four methods in 802.16e • RSA based authentication • One level EAP based authentication • Two level EAP based authentication • RSA based authentication followed by EAP authentication

  26. EAP authentication protocol

  27. EAP authentication protocol

  28. EAP authentication protocol • RSA based authentication • Use the PKMv2 RSA-Request、PKMv2 RSA-Reply、PKMv2 RSA-Reject、PKMv2 RSA-acknowledgement messages to get pre-PAK • Using the public key of SS to encrypt the pre-PAK and send back to SS • pre-PAK generates the PAK (Primary Authorization key) and EIK(EAP integrity Key) • PAK generates the AK

  29. EAP authentication protocol (Cont.) • RSA based authentication • EIK|PAK <= Dot16KDF (pre-PAK,SS MAC address | BSID | ”EIK+PAK” , 320) • AK<= Dot16KDF (PAK,SS MAC address | BSID | PAK|”AK” , 160)

  30. EAP authentication protocol (Cont.) • One level EAP based authentication • Using the authentication exchange message to get MSK (Master session key) • PMK<= truncate(MSK,160) • AK<=Dot16KDF(PMK,SS MAC Address | BSID | “AK”,160)

  31. EAP authentication protocol (Cont.) • Two level EAP based authentication • SS sent the PKEv2 EAP Start to BS • The first EAP negotiation will begin between BS and SS included the message of PKMv2 Transfer2(MSK) • After that BS will send the EAP-Success or EAP-failure. • If BS sent the EAP-Success then BS will send the PKMv2_EAP_Complete encrypted by EIK immediate • If SS gets the EIK and PMK successful then SS can verify the message • Otherwise the SS might get the EAP-failure or get no respond to show that BS is failure to authentication

  32. EAP authentication protocol (Cont.) • Two level EAP based authentication • After SS finished the first EAP negotiation successful ,the SS will send “PKMv2 Authenticated EAP Start” to start the second EAP negotiation • When BS got this message, BS will check the message by EIK. • If BS check ok then BS will start the second EAP negotiation, otherwise BS will think the Authenticated failure. • The related messages of PKM is protected by EIK in the second EAP negotiation • If BS and SS competed second EAP negotiation, then BS and SS can get the AK form PMK( pairwise authorization key) and PMK2

  33. EAP authentication protocol (Cont.) • Two level EAP based authentication • EIK|PMK <= truncate (MSK,320) • PMK2 <= truncate(MSK,160) • AK <= Dot 16KDF(PMK + PMK2, SS MAC Address| BSID|” AK” , 160)

  34. EAP authentication protocol (Cont.) • RSA based authentication followed by EAP authentication • First execute RSA-based authorization and execute the second round of Double EAP mode • EIK|PAK <= Dot16KDF(pre-PAK, SS MAC Address | BSID | “EIK+PAK”,320) • AK <= Dot16KDF(PAK⊕PMK, SS MAC Address| BSID |PAK “AK” 160)

  35. Key hierarchy in the 802.16e

  36. Key hierarchy in the 802.16e • AK (Authorization Key) • KEK (Key Encryption Key) • KEK is generated by AK • Using it to encrypt the TEK or GKEK etc

  37. Key hierarchy in the 802.16e • GKEK (group KEK) • One GSA has one GKEK • GKEK is generated by random number of BS • BS uses the KEK to encrypt GKEK and send to SS • GKEK encrypted the GTEK when GTEK updated and send it to all SS in the group

  38. Key hierarchy in the 802.16e • TEK (Traffic Encryption Key) • TEK is generated by random number of BS • BS use the KEK to encrypt the TEK and send to SS • TEK is used to encrypt the message or data between BS and SS

  39. Key hierarchy in the 802.16e • GTEK (Group TEK) • TEK is generated by random number of BS or some nodes in the group • GTEK is used to encrypt the broadcast messages • Using the KEK as the encryption key When request the GTEK • Using the GKEK as the encryption key When update the GTEK

  40. Key hierarchy in the 802.16e • MTK (MBS traffic Key) • It comes from MAK(MBS AK) but do not have any generate method in 802.16e • MTK = Dot16KDF (MAK,MGTEK|”MTK”,128)

  41. Key hierarchy in the 802.16e • HMAC (HMAC Digests) • Using the AK as the material • HMAC_KEY_U | HMAC_KEY_D | KEK <=Dot16KDF(AK, SS MAC Address | BSID | “HMAC_KEYS+KEK”,448) • HMAC_KEY_GD <= Dot16KDF (GKEK,”GROUP HMAC KEY”,160)

  42. Key hierarchy in the 802.16e • HMAC (HMAC Digests) • Using the EIK as the material • HMAC_KEY_U | HMAC_KEY_D | KEK <=Dot16KDF(EIK, SS MAC Address | BSID | “HMAC_KEYS+KEK”,320)

  43. Key hierarchy in the 802.16e • CMAC (Cipher-based MAC) • Using the AK as the material • CMAC_KEY_U | CMAC_KEY_D | KEK <=Dot16KDF(AK, SS MAC Address | BSID | “CMAC_KEYS+KEK”,384) • CMAC_KEY_GD <= Dot16KDF (GKEK,”GROUP CMAC KEY”,128)

  44. Key hierarchy in the 802.16e • CMAC (Cipher-based MAC) • Using the EIK as the material • CMAC_KEY_U | CMAC_KEY_D | KEK<=Dot16KDF(EIK, SS MAC Address | BSID | “CMAC_KEYS + KEK” , 256)

  45. Key hierarchy in the 802.16e

  46. Key hierarchy in the 802.16e

  47. Conclusion

  48. 認證資訊(authentication information)X.509 certificate 授權請求(authorization request)X.509 certificate, capability, Basic CID AK exchange 授權答覆(authorization reply)encrypted AK, SAIDs, SQNAK,… 密鑰請求(key request)SAID, HMAC-Digest,… TEK exchange(每一個資料傳輸連線都必須先做此動作) 密鑰答覆(key reply)encrypted TEK, CBC IV, HMAC-Digest,… 資料交換(利用TEK加密) WiMAX PKM Protocol BS SS 1.確認SS身分 2.產生AK, 並用憑證中的public key將之加密 將AK解開 1.利用SHA演算法驗證HMAC-Digest 2.產生TEK 3.由AK產生KEK用以加密TEK 1.利用SHA驗證HMAC-Digest 2.由AK計算出KEK以解開TEK HMAC-Digest:用以驗證資料的完整性

  49. WiMAX PKMv2 Protocol

  50. Conclusion • Authentication & Authorization more robust • Using the bidirectional Authentication to avoid the rude base station and support the different Authentication policy。 • Data Privacy • 802.16e add more encryption algorithm (Advanced Encryption Standard, AES) to enhance the security • Key’s generation • Using the robust solution to generate the AK

More Related