Project
IEEE C802.16m-08/1167
IEEE 802.16 Broadband Wireless Access Working Group < http://ieee802.org/16 >
Title
Date
Submitted
Initial Capability Negotiation Procedure for IEEE 802.16m
2008-09-05
Source(s)
Re:
Abstract
Purpose
Notice
Release
Patent
Policy
Kiran Thakare, Sten Ingemar Sjöberg
Ericsson AB
SE-164 80 Stockholm, Sweden
Voice:
E-mail:
+46 8 58532591 kiran
.thakare@ericsson.com
IEEE 802.16m-08/033 Call for Contributions on Project 802.16m System Description
Document. For “Security: MAC”
The 802.16m SRD [1] requires that the security shall be enhanced for IEEE 802.16m systems.
In the Reference System, the Basic Capability negotiation procedure is executed in a non-secure manner prior to the AA procedure, during the network entry procedure. Additionally the security capability in AA Request message is sent in non-secure manner also. We propose to improve system security by performing the Authentication and Authorization before the Basic Capability negotiation procedure is executed. Additionally the security capabilities sent in Authentication and Authorization Request can also be protected. The proposed solution improves the protection and the confidentiality of the system.
We propose to include the proposed SDD text in the security section of the SDD.
This document does not represent the agreed views of the IEEE 802.16 Working Group or any of its subgroups . It represents only the views of the participants listed in the “Source(s)” field above. It is offered as a basis for discussion. It is not binding on the contributor(s), who reserve(s) the right to add, amend or withdraw material contained herein.
The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.16.
The contributor is familiar with the IEEE-SA Patent Policy and Procedures:
< http://standards.ieee.org/guides/bylaws/sect6-7.html#6 > and
< http://standards.ieee.org/guides/opman/sect6.html#6.3
>.
Further information is located at < http://standards.ieee.org/board/pat/pat-material.html
> and
< http://standards.ieee.org/board/pat >.
Kiran Thakare, Sten Ingemar Sjöberg
Ericsson AB Sweden
The 802.16m SRD [1] requires that the security shall be enhanced for IEEE 802.16m systems. In the Reference
System, the Basic Capability negotiation procedure is executed in a non-secure manner prior to the AA procedure, during the network entry procedure. Additionally the security capability in PKMv2 message is sent in non-secure manner also. We propose to improve system security by performing the Authentication and
Authorization before the Basic Capability negotiation procedure is executed. Additionally the security capabilities sent in Authentication/Authorization Request message can also be protected. The proposed solution
1

improves the protection and the confidentiality of the system.
IEEE C802.16m-08/1167
In chapter 6.2, Access State, of the 802.16m SDD [2] it is stated that the MS performs the authentication and authorization process after it has performed basic capability negotiation with the BS. This is the way it is done in the Reference System. The IEEE 802.16 standard [3] section 6.2.9.7 states: “ Immediately after completion of ranging, the SS informs the BS of its basic capabilities by transmitting an SBC-REQ message with its capabilities set to “on”. The BS responds with an SBC-RSP message with the intersection of the SS’s and the
BS’s capabilities set to “on”” This is shown in figure 1.
MS BS
Network Detection & Initial Access (RNG-REQ)
(SBC REQ )
( SBC-RSP)
Authentication Authorization
Registration
GateWay HA
Netw ork entry
S e r v i c e s e t u p s i g n a l i n g
Bearer Path established
Service
Establishment
Figure 1: Showing SBC procedure executed before the AA procedure & after the Initial ranging procedure.
Section 11.8 of [3] identifies various parameters that are negotiated with the basic capability procedures and it includes the radio capabilities as well as basic security capabilities. The capability request message carries the
MS security capabilities that are used during the authentication and authorization procedure.
The security capabilities are also included in the PKM-REQ message in the Reference System.
In the Reference System, and in the present 802.16m SDD [2], the Basic Capability negotiation procedure is executed by the MS just after the initial ranging procedure during network entry procedure, as identified above.
The following problems exist with this approach:
The MS capability is sent in non-secure manner and the BS & MS capability negotiation is carried out in an non-secure manner –prior to establishment of AA. Additionally the PKMV2 authentication message also contains the security capabilities of the MS, these capabilities are also carried out in non-secure manner.
Attacker could modify the capabilities in SBC messages and also the capabilities sent in PKMV2 AA Request
2

message, opening up a bidding attack as described below.
IEEE C802.16m-08/1167
Figure 2 below shows an example where MS capabilities are intervene by the intruder. Suppose the MS supports algorithms S (“secure:”) and L (“less secure: ”). Suppose furthermore that a malicious party intervenes and changes the MS’s capability signaling from {S, L} to {L}.
MS ” BAD GUY ” Network
{S, L}
X {L}
Figure 2: Showing the malicious party intervening and changing the MS capabilities
The network will believe the MS only supports L and therefore choose the less secure L. This means that the security obtained will be less that it could have been. Even worse, the attacked could forward { }, meaning that the MS supports no security at all.
Consequently there is a need to protect the message containing the MS’s security related and other capabilities such as radio.
We propose to solve the above mentioned problem as follows.
 Move the basic capability procedure in the network access state to take place after the MS
Authentication and Authorization as shown in figure 3. After the AA procedures all the messages can be integrity protected. Thus moving the Basic Capability message to after the AA protects the MS and BS capabilities and respective messages. The same Basic Capability message exchange, after AA, can be used to update capabilities e.g. in handover as it is done in the Reference System.
 The security essential capabilities, authentication capabilities of Authentication & Authorization messages shall be protected
3

IEEE C802.16m-08/1167
MS BS/ASN
Network Detection & Initial Access (RNG-REQ)
Authentication Authorization
Capability Negotiation
GateWay HA
Network
Entry
Registration
S e r v i c e s e t u p s i g n a l i n g
Bearer Path established
Service
Establishment
Capability Update
Confirm the update
Figure 3: Showing that the AA procedure is executed before the Capability
Negotiation procedure.
“The MS Authentication, Authorization and Key Exchange shall be carried out before the Basic Capability
Negotiation procedure. The whole set or a subset of the capability procedure may be exchanged between the
MS & BS after Authentication, Authorization and Key Exchange. The same Basic Capability message exchange, after AA, can be used to update capabilities. The procedure is illustrated in following figure x below.
The security essential capabilities, authentication capabilities of Authentication Authorization message shall be protected .”
4

MS BS/ASN
Network Detection & Initial Access (RNG-REQ)
Authentication Authorization
Capability Negotiation
GateWay HA
IEEE C802.16m-08/1167
Network
Entry
Registration
S e r v i c e s e t u p s i g n a l i n g
Bearer Path established
Service
Establishment
Capability Update
Confirm the update
Figure x: Showing that the AA procedure is executed before the Capability
Negotiation procedure.
In section 6.2 of the SDD [2], sentence number four has to be moved ahead of sentence number three and “MS
Authentication, Authorization & Key Exchange” must change place with “Basic Capability Negotiation (SBC-
REQ/RSP)” in Figure 6 to reflect the changed order of AA and SBC.
1.
IEEE 802.16m System Requirements, IEEE 802.16m-07/002r4
2.
IEEE 802.16m System Description Document, IEEE 802.16m-08/003r4
3.
IEEE Std. 802.16, IEEE Draft Standard P802.16Rev2/D6
5