IEEE C80216m-09/0397 Project IEEE 802.16 Broadband Wireless Access Working Group <http://ieee802.org/16> Title Management Message Protection in 802.16m Date Submitted 2009-2-27 Source(s) Chengyan Feng ZTE Corporation Email: feng.chengyan@zte.com.cn *<http://standards.ieee.org/faqs/affiliationFAQ.html> Re: TGm SDD: 10.6.5.2.1 Management Message Protection Abstract Propose management message protection to support the selective confidentiality protection over MAC management messages. Purpose For discussion and adoption in 802.16m SDD Notice Release Patent Policy This document does not represent the agreed views of the IEEE 802.16 Working Group or any of its subgroups. It represents only the views of the participants listed in the “Source(s)” field above. It is offered as a basis for discussion. It is not binding on the contributor(s), who reserve(s) the right to add, amend or withdraw material contained herein. The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.16. The contributor is familiar with the IEEE-SA Patent Policy and Procedures: <http://standards.ieee.org/guides/bylaws/sect6-7.html#6> and <http://standards.ieee.org/guides/opman/sect6.html#6.3>. Further information is located at <http://standards.ieee.org/board/pat/pat-material.html> and <http://standards.ieee.org/board/pat>. IEEE C80216m-09/0397 Management Message Protection in 802.16m Chengyan Feng ZTE Corporation 1. Introduction IEEE 802.16m supports the selective confidentiality protection over MAC management messages. Through capability negotiation, AMS and ABS know whether the selective confidentiality protection is applied or not. If the selective confidentiality protection is activated, the negotiated keying materials and cipher suites are used to encrypt the management messages. And three levels of selective confidentiality protection over management messages in SDD have been defined. They are NO Protection, CMAC based integrity protection and AES-CCM based authenticated encryption. Which key is used to encrypt management messages is not clear in SDD. If we use TEK, it seems that there are some problems. First of all, only after TEK is derived (eg. during Key-Agreement procedure), the management messages can be encrypted by TEK. So the messages during Key-Agreement procedure can’t be encrypted. But some important parameters are negotiated during this process, such as SA-Descriptor, Security Negotiation parameters, which need to be encryted better. And then if TEK update is delayed because of some error, it will cause communication between AMS and ABS interrupted. For example, if new TEK isn’t updated timely when old TEK has been expired or PN has reached its range, how does the network do? Because both the management messages and transport data are encrypted by TEK, TEK update can’t be executed in this situation. While if management messages and transport data are encrypted by different keys, this problem can’t occur. Only traffic transmission is effected, but management messages (eg. TEK update messages) can still be transmitted. So the transport communications can be halted until new TEKs are installed. Based on the reasons above, we propose that management messages and transport data should be encrypted by different keys. And this also accommodates the trend that control plane and user plane develop independently. Moreover, no matter CMAC based integrity protection is required or AES-CCM based authenticated encryption is required, we can use the same key to protect management messages, which can reduce the overheads of the network. In SDD, CMAC Keys are defined to protect integrity of management messages, which are CMAC_KEY_U and CMAC_KEY_D in 802.16-2005. We can extend these keys’ function to both authenticate and encrypt the messages. IEEE C80216m-09/0397 2. Solution In this section, we propose a method to support the selective confidentiality protection over MAC management messages. We use CMAC keys to protect management messages no matter CMAC based integrity protection is required or AES-CCM based authenticated encryption is required. Maybe we can call the CMAC keys Message Encryption Key(MEK) better. During SBC procedure, AMS and ABS negotiate the management message protection policy: NO Protection, CMAC based integrity protection or AES-CCM based authenticated encryption. When NO Protection is selected, the management messages are neither encrypted nor authenticated. When CMAC based integrity protection or AES-CCM based authenticated encryption is selected, AMS and ABS use MEK to protect the management messages. When only CMAC is required, MEK is used as the CMAC key to protect integrity of the messages. And after the successful initial authentication, MEK can be used to authenticate the Key Agreement messages. When authenticated encryption is required, MEK is used as the encryption and authentication key based on AES CCM mode. And after the successful initial authentication, MEK can be used to encrypt and authenticate the Key Agreement messages. MEK is derived locally by using the AK, the KEY_COUNT, BSID and SAID of SA concerned with control plane/management signaling, as well as other identity parameters. MEK is divided into MEK_U and MEK_D. And MEK_U is used to protect UL management messages, while MEK_D is used to protect DL management messages. IEEE C80216m-09/0397 AMS ABS RNG-REQ/RSP SBC-REQ/RSP (management message protection policy) Authentication AK generation AK generation MEK generation MEK generation Key Agreement (Protected) REG-REQ/RSP (Protected) Figure 1 Management Message Protection 3. Text Proposal ============================== Start of Proposed Text =============== 10.6.3.1 Key Derivation All IEEE 802.16m security keys are either derived directly / indirectly from the MSK or generated randomly by the ABS. The Pairwise Master Key (PMK) is derived from the MSK and then this PMK is used to derive the Authorization Key (AK). Some security keys are respectively derived and updated by both the ABS and the AMS. The Authorization Key (AK) is used to derive other keys: • Key Encryption Key (KEK) • Transmission Encryption Key (TEK) • Management Message Encryption Key(MEK) IEEE C80216m-09/0397 After completing (re)authentication process and obtaining an AK, key agreement is performed to verify the newly created AK and exchange other required security parameters. KEK derivation follows procedures as defined in the WirelessMAN-OFDMA Reference system.. TEK is derived at AMS and ABS by feeding identity parameters into a key derivation function. Parameters such as AK, Security Association ID (SAID), NONCE, KEY_COUNT, BSID, AMS MAC address can be used. NONCE is generated by ABS and distributed to AMS. If more than one TEK is to be created for an SA, separate KEY_COUNTs are maintained for each TEK. The MEK is derived locally by using the AK, the KEY_COUNT and SAID of SA concerned with control plane/management signaling, as well as other identity parameters. TEK(s) and MEK(s) are derived in the following situations: • • • • Initial authentication Re-authentication Key update procedure for unicast connection. Network re-entry to new ABS. In the last two cases, KEY_COUNT value is incremented prior derivation. 10.6.5.2 Control Plane Signaling Protection 10.6.5.2.1 Management Message Protection IEEE 802.16m supports the selective confidentiality protection over MAC management messages. Through capability negotiation, AMS and ABS negotiate the management message protection policy: NO Protection, CMAC based integrity protection and AES-CCM based authenticated encryption. When only CMAC is required, MEK is used as the CMAC key to protect integrity of the messages.When AES-CCM based authenticated encryption is selected, AMS and ABS use MEK to encryt and authenticate the management messages. How to contain information required for selective confidentiality support is FFS. ============================== End of Proposed Text ===============