Overview of IEEE 802.16 Security

Advisor: Dr. Kai-Wei Ke
Speaker: Yen-Jen Chen
Date: 03/26/2007
Outline
● Introduction to IEEE 802.16
● IEEE 802.16 Security Architecture
● IEEE 802.16 Security Issues
● IEEE 802.16 Security Flaws
● Conclusion
● References
Introduction to IEEE 802.16
IEEE 802.16 WiMAX
● For the wide area (ranging up to 50 km)
● Last-mile connectivity
● Provides higher-speed connectivity for data, voice and video (32-134 Mbps)
● Low cost
Comparing Technologies

Bandwidth
  802.11 (WiFi): 11-54 Mbps shared
  802.16 (WiMAX): Share up to 70 Mbps
  802.20 (Mobile-Fi): Up to 1.5 Mbps each
  UMTS (3G): 384 Kbps – 2 Mbps

Range (LOS) / Range (NLOS)
  802.11 (WiFi): 100 meters (LOS) / 30 meters (NLOS)
  802.16 (WiMAX): 30 – 50 km (LOS) / 2 - 5 km (’07) (NLOS)
  802.20 (Mobile-Fi): 3 – 8 km
  UMTS (3G): Coverage is overlaid on wireless infrastructure

Mobility
  802.11 (WiFi): Portable
  802.16 (WiMAX): Fixed (Mobile - 16e)
  802.20 (Mobile-Fi): Full mobility
  UMTS (3G): Full mobility

Frequency/Spectrum
  802.11 (WiFi): 2.4 GHz for 802.11b/g, 5.2 GHz for 802.11a
  802.16 (WiMAX): 2-11 GHz for 802.16a, 11-60 GHz for 802.16
  802.20 (Mobile-Fi): <3.5 GHz
  UMTS (3G): Existing wireless spectrum

Standardization
  802.11 (WiFi): 802.11a, b and g standardized
  802.16 (WiMAX): 802.16, 802.16a and 802.16 REVd standardized, other under development
  802.20 (Mobile-Fi): 802.20 in development
  UMTS (3G): Part of GSM standard

Backers
  802.11 (WiFi): Industry-wide
  802.16 (WiMAX): Intel, Fujitsu, Alcatel, Siemens, BT, AT&T, Qwest, McCaw
  802.20 (Mobile-Fi): Cisco, Motorola, Qualcomm and Flarion
  UMTS (3G): GSM Wireless Industry
IEEE 802.16 Security Architecture
802.16 MAC Protocol Stack
MAC CS Sub-layer
● CS Layer:
  - Receives data from higher layers
  - Classifies the packet
  - Forwards frames to CPS layer
MAC CPS Sub-layer
● Performs typical MAC functions such as addressing
  - Each SS assigned 48-bit MAC address
  - Connection Identifiers used as primary address after initialization
● MAC policy determined by direction of transmission
  - Uplink is DAMA-TDM
  - Downlink is TDM
● Data encapsulated in a common format facilitating interoperability
  - Fragment or pack frames as needed
  - Changes transparent to receiver
MAC Privacy Sub-layer
● Provides secure communication
  - Data encrypted with cipher block chaining mode of DES
● Prevents theft of service
  - SSs authenticated by BS using key management protocol
IEEE 802.16 Security Issues
WMAN Threat Model
● PHY threats
  - Water torture attack, jamming
  - No protection under 802.16
● MAC threats
  - Typical threats of any wireless network
  - Sniffing, masquerading, content modification, rogue base stations, DoS attacks, etc.
IEEE 802.16 Security Model
● DOCSIS (Data Over Cable Service Interface Specifications)
  - Assumption: All equipment is controlled by the service provider.
  - Flaw: May not be suitable for wireless environment.
● Connection oriented (e.g. basic CID, SAID)
● Connection
  - Management connection
  - Transport connection
  - Identified by connection ID (CID)
● Security Association (SA)
  - Cryptographic suite (i.e. encryption algorithm)
  - Security info. (i.e. key, IV)
  - Identified by SAID
Security Association
● Data SA
  - 16-bit SA identifier
  - Cipher to protect data: DES-CBC
  - 2 TEK
  - TEK key identifier (2-bit)
  - TEK lifetime
  - 64-bit IV
● Authorization SA
  - X.509 certificate → SS
  - 160-bit authorization key (AK)
  - 4-bit AK identification tag
  - Lifetime of AK
  - KEK for distribution of TEK = Truncate-128(SHA1((AK | 0^44) xor 53^64))
  - Downlink HMAC key = SHA1((AK | 0^44) xor 3A^64)
  - Uplink HMAC key = SHA1((AK | 0^44) xor 5C^64)
  - A list of authorized data SAs
Security Association
● X.509 certificate
  - BS uses the X.509 certificate from the SS to authenticate it.
  - No BS authentication
● Negotiate security capabilities between BS and SS
● Authentication Key (AK) exchange
  - AK serves as authorization token
  - AK is encrypted using public key cryptography
● Authentication is done when both SS and BS possess AK
IEEE 802.16 Security Process
Authentication
Key lifetime: 1 to 70 days, usually 7 days
Authorization state machine flow diagram
Authorization FSM state transition matrix
Data Key Exchange
● Data encryption requires a data key called the Transport Encryption Key (TEK).
● TEK is generated by BS randomly
● TEK is encrypted with
  - Triple-DES (use 128 bits KEK)
  - RSA (use SS’s public key)
  - AES (use 128 bits KEK)
● Key Exchange message is authenticated by HMAC-SHA1 (provides Message Integrity and AK confirmation)
Key Derivation
● KEK = Truncate-128(SHA1((AK | 0^44) xor 53^64))
● Downlink HMAC key = SHA1((AK | 0^44) xor 3A^64)
● Uplink HMAC key = SHA1((AK | 0^44) xor 5C^64)
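The key derivation and HMAC-Digest check above, worked through in Python as an added example (not code from the presentation or the standard). It reads 0^44 as 44 zero bytes appended to the 20-byte AK and 53^64 as the byte 0x53 repeated 64 times; the AK value and the key-request message layout are constructed for illustration.

```python
import hashlib
import hmac

def pad_xor(ak: bytes, pad: int) -> bytes:
    """(AK | 0^44) xor pad^64: zero-extend the 160-bit AK to 64 bytes, XOR each byte."""
    if len(ak) != 20:
        raise ValueError("AK must be 160 bits (20 bytes)")
    return bytes(b ^ pad for b in ak + b"\x00" * 44)

def derive_keys(ak: bytes) -> dict:
    """KEK and per-direction HMAC keys, following the formulas on the slide."""
    return {
        "kek": hashlib.sha1(pad_xor(ak, 0x53)).digest()[:16],  # Truncate-128
        "hmac_down": hashlib.sha1(pad_xor(ak, 0x3A)).digest(),
        "hmac_up": hashlib.sha1(pad_xor(ak, 0x5C)).digest(),
    }

def hmac_digest(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA1 digest carried in key request / key reply messages."""
    return hmac.new(key, message, hashlib.sha1).digest()

def verify(key: bytes, message: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the received digest with a recomputed one."""
    return hmac.compare_digest(hmac_digest(key, message), digest)

# Constructed sample values (assumptions, not from the standard or the slides).
SAMPLE_AK = bytes(range(20))
KEY_REQUEST = b"key-request|SAID=0001|AK-seq=1"  # hypothetical message layout

def demo() -> dict:
    ss, bs = derive_keys(SAMPLE_AK), derive_keys(SAMPLE_AK)  # both sides hold the AK
    digest = hmac_digest(ss["hmac_up"], KEY_REQUEST)         # SS authenticates uplink message
    return {
        # BS accepts: integrity holds and the SS has shown possession of the AK.
        "accepted": verify(bs["hmac_up"], KEY_REQUEST, digest),
        # Any change to the message invalidates the digest.
        "tampered": verify(bs["hmac_up"], KEY_REQUEST.replace(b"0001", b"0002"), digest),
        # Direction separation: the downlink key does not validate uplink traffic.
        "wrong_direction": verify(bs["hmac_down"], KEY_REQUEST, digest),
        # No nonce or timestamp in the input: the same message verifies again later.
        "replayed": verify(bs["hmac_up"], KEY_REQUEST, digest),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "replayed" result is why the deck's conclusion asks for random numbers from both SS and BS: the digest proves integrity and AK possession, not freshness.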
Data Encryption
● Encrypts only data messages, not management messages
● DES in CBC mode
  - 56-bit DES key (TEK)
  - No Message Integrity Detection
  - No Replay Protection
IEEE 802.16 Security Flaws
● Lack of Explicit Definitions
  - Authorization SA not explicitly defined
    - SA instances not distinguished: open to replay attacks
    - Solution: Need to add nonces from BS and SS to the authorization SA
  - Data SA treats 2-bit key as circular buffer
    - Attacker can interject reused TEKs
    - SAID: 2 bits → at least 12 bits (AK lasts 70 days while TEK lasts for 30 minutes)
  - TEKs need expiration due to DES-CBC mode
    - Determine the period: 802.16 can safely produce 2^32 64-bit blocks only.
● Lack of mutual authentication
  - Authentication is one way
    - BS authenticates SS
    - No way for SS to authenticate BS
  - Rogue BS → possible because all information is public
  - Possible enhancement: BS certificate
● Limited authentication method: SS certification
● Authentication Key (AK) generation
  - BS generates AK
  - No contribution from SS
  - SS must trust BS for the generation of AK
● Data protection errors
  - 56-bit DES does not offer strong data confidentiality (brute force attack)
  - Uses a PREDICTABLE initialization vector (while DES-CBC requires a random IV)
    - CBC-IV = [IV Parameter from TEK exchange] XOR [PHY Synchronization field]
    - Chosen plaintext attack to recover the original plaintext
    - Generate each per-frame IV randomly and insert it into the payload.
    - Though this increases overhead, there is no other choice.
● No Message Integrity Detection, no replay protection
  - Active attack
● AES in CCM Mode
  - 128-bit key (TEK)
  - Message Integrity Check
  - Replay Protection using Packet Number
Conclusion
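WiMAX PKM Protocol (message flow between SS and BS)

AK exchange
1. SS → BS: Authentication information
   X.509 certificate
2. SS → BS: Authorization request
   X.509 certificate, capability, Basic CID
   BS: 1. Verifies the identity of the SS
       2. Generates the AK and encrypts it with the public key in the certificate
3. BS → SS: Authorization reply
   encrypted AK, SAIDs, SQNAK,…
   SS: Decrypts the AK

TEK exchange (this must be done first for every data transport connection)
4. SS → BS: Key request
   SAID, HMAC-Digest,…
   BS: 1. Verifies the HMAC-Digest using the SHA algorithm
       2. Generates the TEK
       3. Derives the KEK from the AK to encrypt the TEK
5. BS → SS: Key reply
   encrypted TEK, CBC IV, HMAC-Digest,…
   SS: 1. Verifies the HMAC-Digest using SHA
       2. Computes the KEK from the AK to decrypt the TEK

Data exchange (encrypted with the TEK)

HMAC-Digest: used to verify the integrity of the data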
● Bidirectional authorization is needed
● A more flexible authentication method is required
  - EAP Authentication
● Improve key derivation
  - Include the system identity (i.e., SSID)
  - Key freshness: include random numbers from both SS and BS
● Prefer AES to DES for data encryption
References




● IEEE Std 802.16-2001, Standard for Local and Metropolitan Area Networks, Part 16: “Air Interface for Fixed Broadband Wireless Access Systems,” IEEE Press, 2001
● IEEE Std 802.16-2004 (Revision of IEEE Std 802.16-2001)
● Johnston, David and Walker, Jesse of Intel (2004), “Overview of IEEE 802.16 Security”, published by the IEEE Computer Society
● http://www.seas.gwu.edu/~cheng/388/LecNotes2006/