Authenticated Validity for M2M devices

advertisement
Authenticated Validity for M2M devices
IEEE 802.16 Presentation Submission Template (Rev. 9)
Document Number:
IEEE S802.16p-11/0134
Date Submitted:
2011-07-05
Source:
Eldad Zeira
InterDigital
Voice:
E-mail: eldad.zeira@interdigital.com
Venue:
IEEE 802.16n at session #73
Base Contribution:
C802.16p-11/0134
Purpose:
To be discussed and adopted by 802.16p
Notice:
This document does not represent the agreed views of the IEEE 802.16 Working Group or any of its subgroups. It represents only the views of the participants listed in
the “Source(s)” field above. It is offered as a basis for discussion. It is not binding on the contributor(s), who reserve(s) the right to add, amend or withdraw material
contained herein.
Release:
The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an
IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s
sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this
contribution may be made public by IEEE 802.16.
Patent Policy:
The contributor is familiar with the IEEE-SA Patent Policy and Procedures:
<http://standards.ieee.org/guides/bylaws/sect6-7.html#6> and <http://standards.ieee.org/guides/opman/sect6.html#6.3>.
Further information is located at <http://standards.ieee.org/board/pat/pat-material.html> and <http://standards.ieee.org/board/pat >.
1
Authenticated Validity for M2M devices
IEEE S802.16p-11/0134
M2M networks are vulnerable
• M2M networks are more vulnerable to security threats
due to longevity and field updates / provisioning
• M2M networks are required to handle critical missions
without human intervention
• Attacks can lead to false situational awareness, loss of
privacy, DOS
• In some cases network attacks = physical attacks
• EAP doesn’t protect from tampering
IEEE S802.16p-11/0134
M2M Vulnerabilities
IEEE S802.16p-11/0134
802.16p Requirements: PAR Scope
• 5.2 Scope: This amendment specifies IEEE Std
802.16 medium access control (MAC)
enhancements and minimal orthogonal frequency
division multiple access (OFDMA) physical layer
(PHY) modifications in licensed bands to support
lower power consumption at the device, support
by the base station of significantly larger numbers
of devices, efficient support for small burst
transmissions, and improved device
authentication.
IEEE S802.16p-11/0134
802.16p Requirements: SRD
6.4 Security Support
The 802.16p system shall support integrity and
authentication of M2M devices, as well as integrity and
privacy of M2M application traffic which requires a
secure connection.
6.4.1 The 802.16p system shall support a device validity
check between the device and the network.
6.4.2 The 802.16p system shall enable a flexible security
suite that can be adjusted per the security requirements
of the M2M application
IEEE S802.16p-11/0134
This proposal:
• Prevents a potentially tampered device from
accessing services (e.g. multicast) and performing
DOS attacks
• Provides the network with evidence of tampering
– So owner can take action
• Imposes minimal burden on devices that do not
require integrity validation
IEEE S802.16p-11/0134
Elements of tamper detection & mitigation
• A Trusted Element (TE) tests for tampering
– TE is NOT mandatory for all devices; Capability & implementation are out of
scope
– TE, if implemented, should be tamper resistant
• A device that fails the test does not attempt to access network
• Send Device Validity Information to network: within time limit,
confidentially and with integrity protection,
– Validity testing capability information (e.g. as H/W, S/W certificates)
– Validation certificate (if implemented)
- The only requirement mandatory to all devices in the network;
-Needed to prevent tampered devices from pretending it doesn’t
have the capability
-Provides tampering evidence to network
IEEE S802.16p-11/0134
The network MAY, if device validity check IS:
Successful,
• Establish additional keys
that may be used for
additional services
– Multicast access
– Sensitive user payload
Unsuccessful,
• Cause key(s) to expire
• Send an (unspecified)
command that affects device
behavior (e.g. re-boot, “safe
mode”, etc.)
IEEE S802.16p-11/0134
MS behavior for device integrity validation
Validity
Self Test
Passed?
Y
Un-touched
Boot - Up
- Synchronization
- Capability Exchange, network
parameters
- Authorization & Key exchange
Validity information sent to
network with registration
N
Network examines validity
information
Safe mode behavior
N
Validity accepted?
Keys expired
Retries possible
Y
Normal Op
(new keys may be
exchanged)
IEEE S802.16p-11/0134
The procedure (1/2)
1. AMS that has a TE and failed the validity test shall not attempt to
enter the network.
1.
Provides protection from DOS attacks on AAA server; nature of protection
depends on implementation.
2. The AMS sends its validity testing capability information (e.g. as
H/W & S/W build certificates) and optionally its validation
(integrity) certificate in AAI-REG-REQ.
1.
2.
3.
Shifts integrity responsibility to network
Provides network with tampering attempt information
Part of the network access state machine
3. Out of scope for 802.16p:
1.
2.
3.
ABS forwards the received information to the network.
If device validity is not acceptable, the network may expire keys.
Otherwise the network or AMS may initiate new services and new keys
IEEE S802.16p-11/0134
The procedure (2/2)
4. The ABS response in AAI-REG-RSP indicates whether
the device validity has been accepted or not.
4. Prevents need to wait until next transmission to find out keys
have been expired
5. AAI-REG-RSP with negative confirmation shall be
interpreted as an abort. The AMS behavior in this case
is FFS.
Download