IEEE C802.16m-08/1167 Project Title

advertisement

Project

IEEE C802.16m-08/1167

IEEE 802.16 Broadband Wireless Access Working Group < http://ieee802.org/16 >

Title

Date

Submitted

Initial Capability Negotiation Procedure for IEEE 802.16m

2008-09-05

Source(s)

Re:

Abstract

Purpose

Notice

Release

Patent

Policy

Kiran Thakare, Sten Ingemar Sjöberg

Ericsson AB

SE-164 80 Stockholm, Sweden

Voice:

E-mail:

+46 8 58532591 kiran

.thakare@ericsson.com

IEEE 802.16m-08/033 Call for Contributions on Project 802.16m System Description

Document. For “Security: MAC”

The 802.16m SRD [1] requires that the security shall be enhanced for IEEE 802.16m systems.

In the Reference System, the Basic Capability negotiation procedure is executed in a non-secure manner prior to the AA procedure, during the network entry procedure. Additionally the security capability in AA Request message is sent in non-secure manner also. We propose to improve system security by performing the Authentication and Authorization before the Basic Capability negotiation procedure is executed. Additionally the security capabilities sent in Authentication and Authorization Request can also be protected. The proposed solution improves the protection and the confidentiality of the system.

We propose to include the proposed SDD text in the security section of the SDD.

This document does not represent the agreed views of the IEEE 802.16 Working Group or any of its subgroups . It represents only the views of the participants listed in the “Source(s)” field above. It is offered as a basis for discussion. It is not binding on the contributor(s), who reserve(s) the right to add, amend or withdraw material contained herein.

The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.16.

The contributor is familiar with the IEEE-SA Patent Policy and Procedures:

< http://standards.ieee.org/guides/bylaws/sect6-7.html#6 > and

< http://standards.ieee.org/guides/opman/sect6.html#6.3

>.

Further information is located at < http://standards.ieee.org/board/pat/pat-material.html

> and

< http://standards.ieee.org/board/pat >.

Initial Capability Negotiation Procedure for IEEE 802.16m

Kiran Thakare, Sten Ingemar Sjöberg

Ericsson AB Sweden

1. Introduction

The 802.16m SRD [1] requires that the security shall be enhanced for IEEE 802.16m systems. In the Reference

System, the Basic Capability negotiation procedure is executed in a non-secure manner prior to the AA procedure, during the network entry procedure. Additionally the security capability in PKMv2 message is sent in non-secure manner also. We propose to improve system security by performing the Authentication and

Authorization before the Basic Capability negotiation procedure is executed. Additionally the security capabilities sent in Authentication/Authorization Request message can also be protected. The proposed solution

1

improves the protection and the confidentiality of the system.

IEEE C802.16m-08/1167

2. Background

In chapter 6.2, Access State, of the 802.16m SDD [2] it is stated that the MS performs the authentication and authorization process after it has performed basic capability negotiation with the BS. This is the way it is done in the Reference System. The IEEE 802.16 standard [3] section 6.2.9.7 states: “ Immediately after completion of ranging, the SS informs the BS of its basic capabilities by transmitting an SBC-REQ message with its capabilities set to “on”. The BS responds with an SBC-RSP message with the intersection of the SS’s and the

BS’s capabilities set to “on”” This is shown in figure 1.

MS BS

Network Detection & Initial Access (RNG-REQ)

(SBC REQ )

( SBC-RSP)

Authentication Authorization

Registration

GateWay HA

Netw ork entry

S e r v i c e s e t u p s i g n a l i n g

Bearer Path established

Service

Establishment

Figure 1: Showing SBC procedure executed before the AA procedure & after the Initial ranging procedure.

Section 11.8 of [3] identifies various parameters that are negotiated with the basic capability procedures and it includes the radio capabilities as well as basic security capabilities. The capability request message carries the

MS security capabilities that are used during the authentication and authorization procedure.

The security capabilities are also included in the PKM-REQ message in the Reference System.

3. Problem statement

In the Reference System, and in the present 802.16m SDD [2], the Basic Capability negotiation procedure is executed by the MS just after the initial ranging procedure during network entry procedure, as identified above.

The following problems exist with this approach:

The MS capability is sent in non-secure manner and the BS & MS capability negotiation is carried out in an non-secure manner –prior to establishment of AA. Additionally the PKMV2 authentication message also contains the security capabilities of the MS, these capabilities are also carried out in non-secure manner.

Attacker could modify the capabilities in SBC messages and also the capabilities sent in PKMV2 AA Request

2

message, opening up a bidding attack as described below.

IEEE C802.16m-08/1167

Figure 2 below shows an example where MS capabilities are intervene by the intruder. Suppose the MS supports algorithms S (“secure:”) and L (“less secure: ”). Suppose furthermore that a malicious party intervenes and changes the MS’s capability signaling from {S, L} to {L}.

MS ” BAD GUY ” Network

{S, L}

X {L}

Figure 2: Showing the malicious party intervening and changing the MS capabilities

The network will believe the MS only supports L and therefore choose the less secure L. This means that the security obtained will be less that it could have been. Even worse, the attacked could forward { }, meaning that the MS supports no security at all.

Consequently there is a need to protect the message containing the MS’s security related and other capabilities such as radio.

4. Proposed solution for 802.16m

We propose to solve the above mentioned problem as follows.

 Move the basic capability procedure in the network access state to take place after the MS

Authentication and Authorization as shown in figure 3. After the AA procedures all the messages can be integrity protected. Thus moving the Basic Capability message to after the AA protects the MS and BS capabilities and respective messages. The same Basic Capability message exchange, after AA, can be used to update capabilities e.g. in handover as it is done in the Reference System.

 The security essential capabilities, authentication capabilities of Authentication & Authorization messages shall be protected

3

IEEE C802.16m-08/1167

MS BS/ASN

Network Detection & Initial Access (RNG-REQ)

Authentication Authorization

Capability Negotiation

GateWay HA

Network

Entry

Registration

S e r v i c e s e t u p s i g n a l i n g

Bearer Path established

Service

Establishment

Capability Update

Confirm the update

Figure 3: Showing that the AA procedure is executed before the Capability

Negotiation procedure.

5. Text Proposal for SDD (security section)

“The MS Authentication, Authorization and Key Exchange shall be carried out before the Basic Capability

Negotiation procedure. The whole set or a subset of the capability procedure may be exchanged between the

MS & BS after Authentication, Authorization and Key Exchange. The same Basic Capability message exchange, after AA, can be used to update capabilities. The procedure is illustrated in following figure x below.

The security essential capabilities, authentication capabilities of Authentication Authorization message shall be protected .”

4

MS BS/ASN

Network Detection & Initial Access (RNG-REQ)

Authentication Authorization

Capability Negotiation

GateWay HA

IEEE C802.16m-08/1167

Network

Entry

Registration

S e r v i c e s e t u p s i g n a l i n g

Bearer Path established

Service

Establishment

Capability Update

Confirm the update

Figure x: Showing that the AA procedure is executed before the Capability

Negotiation procedure.

In section 6.2 of the SDD [2], sentence number four has to be moved ahead of sentence number three and “MS

Authentication, Authorization & Key Exchange” must change place with “Basic Capability Negotiation (SBC-

REQ/RSP)” in Figure 6 to reflect the changed order of AA and SBC.

6. References

1.

IEEE 802.16m System Requirements, IEEE 802.16m-07/002r4

2.

IEEE 802.16m System Description Document, IEEE 802.16m-08/003r4

3.

IEEE Std. 802.16, IEEE Draft Standard P802.16Rev2/D6

5

Download