International Civil Aviation Organization CPWGI18 / WP-14 INFORMATION PAPER 06/23/15 ReProduced from WG-S/7 COMMUNICATIONS PANEL (CP) Seventh MEETING OF THE WORKING GROUP S Montreal, Canada 22 – 23 June 2015 (NOTE: THIS PAPER WAS FIRST PRESENTED AT WG-S/7). Agenda Item xx: Xxx Overview of Security Framework for Aeronautical Mobile Airport Communication Systems (AeroMACS) (Presented by Aloke Roy) SUMMARY This document provides a high level overview of the Security framework of Aeronautical Mobile Airport Communication System (AeroMACS) that are applicable to both the airborne radios and the ground systems. ACTION The CP WG-I and SDS WG are invited to consider the security framework described in this paper for the development of IPS security requirements such that synergies can be achieved across all ICAO communication datalinks to optimize ANSP & operator investments for security implementations. 1. INTRODUCTION This document provides a high level overview of the Security framework of Aeronautical Mobile Airport Communication System (AeroMACS) that are applicable to both the airborne radios and the ground systems. The intended purpose of this paper is to introduce AeroMACS security functions to ICAO WGI and SDS sub group such that overall security infrastructure requirements for all aeronautical data communication services can be aligned to reduce the deployment costs for ANSPs and aircraft operators’ implementations. 2. BACKGROUND (8 pages) Document1 ACP-WGWI18/IP14 -2- IEEE standard 802.16 defines multiple options for the security sub layer to accommodate various network deployments and service provider requirements. Hence it becomes necessary to standardize the minimum functional requirements of security sub layer for AeroMACS, in order to provide aircraft with seamless access to Airport Terminal Services across the globe. An analysis was performed on the security sub layer specifications of WiMAX to determine a set of requirements that would be applicable to the AeroMACS deployment contexts. 3. DISCUSSION Figure 3-1 represents various components of security sub layer of WIMAX as defined in IEEE 802.16 specifications. Figure 3-1 WiMAX Security Sub Layer (Source: IEEE 802.16 standards) The security sub layer provides subscribers with authentication and data privacy. Authorization/SA module is responsible for validating the authenticity of Subscriber Stations and management of Security Associations (SA) for WiMAX connections. SA associates encryption keys and algorithms with a traffic type, so that the packets belonging to a particular traffic type can be encrypted as per its SA definitions. WiMAX supports two methods of authentications namely, RSA based authentication and EAP Based authentication. RSA authentication method uses X.509 digital certificates and RSA encryption algorithm along with RSA keys, associated with the MAC address of a subscriber station. In this method, a base station authenticates subscriber stations, but the other way is not possible as mutual authentication is not supported in RSA scheme. ACP-WGWI18/IP-14 EAP method offers mutual authentication in which both BS and SS authenticate each other. EAP supports multiple authentication schemes and hence provides more flexibility to the network operators in choosing subscriber authentication methods. For example, EAP-TLS is based on X.509 certificates while, EAPSIM is based on Subscriber Identity Module used in mobile phones. EAP method definitions are kept outside the scope of WiMAX standards. AeroMACS specifies EAP-TLS as the authentication mechanism for security association to satisfy mutual authentication needs based on PKI X509 certificates to align with existing ATN security procedures defined in ICAO 9880. PKM protocol is responsible for deriving and managing the keys used by WiMAX layer. WiMAX supports two versions of PKM protocol namely, PKM 1 and PKM 2. PKM 1 works in conjunction with RSA scheme to authenticate a subscriber and derive keys for SS, while PKM2 supports EAP method for mutual authentication of both SS and BS and their key management. In addition to PKM2 in a typical deployment environment involving large networks, authentication and policy management for subscribers would be done at centralized locations instead of being managed locally at every BS level. In such scenarios, RADIUS protocol may be used in conjunction with EAP methods to authenticate/authorize subscribers to use network resources. The traffic encryption module supports a set of encryption algorithms to protect the message data. Depending upon the definitions in SA, this module performs encryption/decryption of the data that enters or leave the WiMAX device. 3.1 Security Sub-Layers for AeroMACS Figure 3-2 provides the security framework and architecture of Security Layers across various AeroMACS network components such as subscriber station (SS), base station (BS), access service network gateway (ASNGW) and accounting, authorization and access (AAA) server. A physical system may contain multiple functional entities available in the same unit. For example: ASN Gateway and BS can be present in a single system. MS and BS belong to access network (ASN) while AAA server belongs to customer service network (CSN). In a practical deployment, ASN and CSN may belong to separate organizations or may belong to a single organization. There may or may not be an involvement of Proxy server depending upon whether a Mobile Station is logging into a Visited Network or the Home Network. NAP AeroMACS AAA Proxy 802.16 BS 802.16 MS TLS EAP Transit EAP SA control PKM v2 PKM v2 Control Data Signing PHY Traffic Data encryption Control Data Signing EAP R6 RADIUS Client UDP IP Traffic Data encryption AAA Server ASN G/W TLS SA control Application NW AAA WAN I/F RADIUS Proxy RADIUS Server UDP UDP IP IP WAN Interface WAN Interface PHY TCP/IP NW ACP-WGWI18/IP14 -4- Figure 3-2 AeroMACS Security Framework & Protocol Architecture The scope of the AeroMACS security framework is to, 1. Authenticate a Mobile Station logging into the network. Authentication is based on mutual validation of digital certificates exchanged between the Mobile Stations and the AAA server. Hence AAA servers shall hold valid certificates of all AeroMACS Station root CAs ( not necessarily the certificates of all Mobile Stations ) in order to authenticate any genuine Mobile Station trying to log on the network, irrespective of its subscription with the CSN. Similarly devices shall hold certificates of all AeroMACS server root CAs. 2. Ensure privacy for Mobile User to communicate over the wireless medium. AeroMACS security framework supports multiple cryptographic suites to encrypt all kinds of data traffic (Unicast, Multicast and Broadcast) from/to the mobile station. It should be noted that current version of AeroMACS standards do not accommodate encryption of multicast/broadcast data flows. 3. Ensure integrity of the packets exchanged in the wireless medium so that only the intended packets from the authentic source are accepted at the destinations. This is achieved by adding an Authentication Code at the end of payload generated using Traffic Encryption Key along with the cyber suite defined in the Security Association. Public Key Management (PKM) module is responsible for the overall management of the security framework. AeroMACS shall be using only PKM Version 2, as the support of mutual authentication is available only in PKMV2. PKM v2 supports EAP_TLS protocol for mutual authentication. The digital certificates and other credentials are exchanged as TLS records between MS and AAA server. The exchanged certificates are validated by both the parties to establish the trust. EAP_TLS also has a robust mechanism for arriving at a shared secret between the negotiating peers. At the end of EAP_TLS transaction MS and AAA server arrive at MSK (Master Session Key) to be used for the session. MSK is the primary key from which all other keys are derived. (For certificates to be valid, the certificates are to be issued by the CAs authorized for AeroMACS. The certificate issuance and management is beyond the scope of this document). In AeroMACS environment EAP negotiations need to happen before the establishment or wireless link and IP connectivity. But, EAP peer applications run between SS and AAA server, located remotely in the network, while ASN Gateway acts as a transit point forwarding packets between SS and AAA server. RADIUS is used as a transport mechanism, between the ASN Gateway (Authenticator) and the AAA server, for transferring EAP_TLS packets through internet to/from AAA server. RADIUS uses a secured connection between ASN Gateway and AAA server to ensure privacy. At the end of EAP_TLS transaction the MSK arrived at AAA server is transferred to ASN Gateway (authenticator) for further processing. From MSK, ASNGW and MS derive pairwise master key (PMK) and from PMK authentication key (AK) is derived independently. ASN Gateway updates Base Station with AK. From AK the whole set of keys like, key encryption key (KEK), group KEK (GKEK), Traffic Encryption Keys (TEK) etc., are derived ACP-WGWI18/IP-14 as per the rules defined in 802.16 specifications independently at BS and MS. PKM has a 3-way SA-TEK handshake mechanism for BS and MS to verify the final TEK that are derived independently at BS and MS. TEK keys are derived for every SAID as per the associated cryptographic suite requirements. PKM also periodically refreshes AK and TEKs between MS and BS in order to have robust privacy. SA module is responsible managing the Security Associations of various data traffic. These SAs have cryptographic suite identified for each connection. TEK process is initiated for every SAID to arrive at TEK keys and refresh them periodically. After authentication, MS continues with registration, optional TFTP configuration (in case of IP managed nodes) and data connection establishment procedures. Encryption module secures the traffic through the connection as per the associated SAID. It uses the TEK keys derived from the above process along with the configured cryptographic suite to encrypt/decrypt the outgoing/incoming data packets through the connection. Thus a secure connection is established at 802.16 MAC layer between MS and BS. After data connection establishment between MS and BS, the data path is completed between ASN gateway and RAS server for the higher layer protocols to negotiate IP connectivity with the Remote Access Servers of CSN. Figures 3-3 and 3-4 show the message sequence charts for AeroMACS security association and key derivation process. 4. ACTION BY THE MEETING The CP WG-I and SDS WG are invited to consider the security framework described in this paper for the development of IPS security requirements such that synergies can be achieved across all ICAO communication datalinks to optimize ANSP & operator investments for security implementations. ACP-WGWI18/IP-14 Figure 3-3: Message Flow Charts AAA Server Airborne Router Airborne Radio Base Station MS Initialize AeroMACS Synchronization, Ranging, Capability Negotiation ASN Gateway NSP Access Router BS S Context Initialization EAP_REQ/Identify EAP_RSP/Identify (My ID) EAP_TLS (TLS_Client_hello) EAP_TLS (TLS_Certificate, TLS_client_key_exchange,TL S_certificate_verify, TLS_change cipher spec, TLS_Finsshed EAP_TYPE=TLS, (No data) PKM:EAP EAP_TLS _Start RADIUS:EAP PKM:EAP EAP Response RADIUS:EAP PKM:EAP EAP Request RADIUS:EAP PKM:EAP EAP Response RADIUS:EAP PKM:EAP EAP Request PKM:EAP EAP Request PKM:EAP PMK, AK Derived RADIUS ACCESS REQ: ID RADIUS:EAP EAP_TYPE=TLS, (No data) EAP_TLS (TLS_Server_Hello, TLS_Certificate, {TLS_Server_Key_exchange}, TLS_Certificate Req, TLS_Server_Hello_Done EAP_TLS (TLS_change_cipher_spec, TLS finished) RADIUS:EAP EAP Success RADIUS_SUCCESS (AK Transferred) PMK, AK Derived (MSK Transferred) -2- ACP-WGWI18/IP14 Figure 3-4: Message Flow Charts (Cont.) AAA Server Airborne Router Airborne Radio ASN Gateway Base Station MS NSP Access Router BS HMAC/CMAC/ KEK derivation HMAC/CMAC/ KEK derivation SA-TEK Challenge Data Plane DHCP Server SA-TEK Request SA-TEK Response Key Request Key Response DHCP server Registration AeroMACS link Established Data connections GRE Tunnels Data plane Dynamic IP Address configuration (Optional) DHCP Proxy IP Traffic Pkt forwarding