Authenticated Validity for M2M devices IEEE 802.16 Presentation Submission Template (Rev. 9) Document Number: IEEE S802.16p-11/0251r1 Date Submitted: 2011-09-09 Source: Eldad Zeira InterDigital Voice: E-mail: eldad.zeira@interdigital.com Venue: IEEE 802.16n at session #75 Base Contribution: C802.16p-11/0251 Purpose: To be discussed and adopted by 802.16p Notice: This document does not represent the agreed views of the IEEE 802.16 Working Group or any of its subgroups. It represents only the views of the participants listed in the “Source(s)” field above. It is offered as a basis for discussion. It is not binding on the contributor(s), who reserve(s) the right to add, amend or withdraw material contained herein. Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.16. Patent Policy: The contributor is familiar with the IEEE-SA Patent Policy and Procedures: <http://standards.ieee.org/guides/bylaws/sect6-7.html#6> and <http://standards.ieee.org/guides/opman/sect6.html#6.3>. Further information is located at <http://standards.ieee.org/board/pat/pat-material.html> and <http://standards.ieee.org/board/pat >. 1 Authenticated Validity for M2M devices IEEE S802.16p-11/0251r1 M2M networks are vulnerable • M2M networks are more vulnerable to security threats due to longevity and field updates / provisioning • M2M networks are required to handle critical missions without human intervention • Attacks can lead to false situational awareness, loss of privacy, DOS • In some cases network attacks = physical attacks • EAP doesn’t protect from tampering IEEE S802.16p-11/0251r1 M2M Vulnerabilities IEEE S802.16p-11/0251r1 802.16p Requirements: SRD 6.4 Security Support The 802.16p system shall support integrity and authentication of M2M devices, as well as integrity and privacy of M2M application traffic which requires a secure connection. 6.4.1 The 802.16p system shall support a device validity check between the device and the network. 6.4.2 The 802.16p system shall enable a flexible security suite that can be adjusted per the security requirements of the M2M application IEEE S802.16p-11/0251r1 We need to: • Prevents a potentially tampered device from accessing services (e.g. multicast) and performing DOS attacks • Provides the network with evidence of tampering – So owner can take action • Imposes minimal burden on devices that do not require integrity validation: optionality of integrity validation – Must be able to mix different device types in single network IEEE S802.16p-11/0251r1 The basis: • Devices which need integrity validation have an (unspecified) difficult to tamper with module which can test the validity of the device as a whole. • Failed devices must not attempt to connect… but that in itself does not provide the network with any validity proof IEEE S802.16p-11/0251r1 What are our alternatives? A. Prevent release of EAP certificate if test failed B. Prevent release of EAP certificate if test failed + add information regarding this capability of the device Both require that EAP is made mandatory and used for key derivation C. Send certificate confirming the passing of the validity test after keys are established 1. In RNG-REQ 2. “higher layer” messages IEEE S802.16p-11/0251r1 Network behavior: Network behavior for Alt-A: Device type Not applicable EAP certificate sent Authorize device EAP certificate NOT sent Do not authorize device Network behavior for Alt-B: Device type Validity test capability indicated Validity test capability NOT indicated EAP certificate sent Authorize device N/A EAP certificate NOT sent Do not authorize device alert for rogue device Do not authorize device Network behavior for Alt-C: Device type Validity test capability indicated Validity test capability NOT indicated validity certificate sent Authorize device for sensitive information N/A validity certificate NOT sent Expire keys alert for rogue device Do not authorize device for sensitive information, BUT allow other services No difference between C-1 & C-2, as long as validity information is timely and there is a mechanism for retries if message fails. These already exist for RNG-REQ/RSP IEEE S802.16p-11/0251r1 Conclusions: • If EAP is used for the validity test then EAP must be mandatory • Use of EAP does not allow to mix devices which have validity testing and those which have not. – A device that doesn’t have validity test implemented will be able to present itself as valid and have access to all sensitive information. • Sending a separate certificate (in addition to EAP or RSA) plus information regarding device type: – Allows to differentiate between devices with and without validity testing and offer different services to each in the same deployment – Doesn’t make EAP mandatory – Provides confidentiality to device type IEEE S802.16p-11/0251r1 Elements of tamper detection & mitigation • A Trusted Element (TE) tests for tampering – TE is NOT mandatory for all devices; Capability & implementation are out of scope – TE, if implemented, should be tamper resistant • A device that fails the test does not attempt to access network • Send Device Validity Information to network: within time limit, confidentially and with integrity protection, – Validity testing capability information (e.g. as H/W, S/W certificates) – Validation certificate (if implemented) - The only requirement mandatory to all devices in the network; -Needed to prevent tampered devices from pretending it doesn’t have the capability -Provides tampering evidence to network IEEE S802.16p-11/0251r1 The network MAY, if device validity check IS: Successful, • Establish additional keys that may be used for additional services – Multicast access – Sensitive user payload Unsuccessful, • Cause key(s) to expire • Send an (unspecified) command that affects device behavior (e.g. re-boot, “safe mode”, etc.) IEEE S802.16p-11/0251r1 MS behavior for device integrity validation Validity Self Test Passed? Y Un-touched Boot - Up - Synchronization - Capability Exchange, network parameters - Authorization & Key exchange Validity information sent to network with registration N Network examines validity information Safe mode behavior N Validity accepted? Keys expired Retries possible Y Normal Op (new keys may be exchanged) IEEE S802.16p-11/0251r1 The procedure (1/2) 1. AMS that has a TE and failed the validity test shall not attempt to enter the network. 1. Provides protection from DOS attacks on AAA server; nature of protection depends on implementation. 2. The AMS sends its validity testing capability information (e.g. as H/W & S/W build certificates) and optionally its validation (integrity) certificate in AAI-REG-REQ. 1. 2. 3. Shifts integrity responsibility to network Provides network with tampering attempt information Part of the network access state machine 3. Out of scope for 802.16p: 1. 2. 3. ABS forwards the received information to the network. If device validity is not acceptable, the network may expire keys. Otherwise the network or AMS may initiate new services and new keys IEEE S802.16p-11/0251r1 The procedure (2/2) 4. The ABS response in AAI-REG-RSP indicates whether the device validity has been accepted or not. 4. Prevents need to wait until next transmission to find out keys have been expired 5. AAI-REG-RSP with negative confirmation shall be interpreted as an abort. The AMS behavior in this case is FFS.