1 / 26

Improving MBMS Security in 3G

Improving MBMS Security in 3G. Wenyuan Xu wenyuan@winlab.rutgers.edu Rutgers University. Outline . Motivation The security problem The existing MBMS scheme Our improved scheme Experimental results. MB-SC. 3G Networks. Motivation.

elsu
Download Presentation

Improving MBMS Security in 3G

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Improving MBMS Security in 3G Wenyuan Xu wenyuan@winlab.rutgers.edu Rutgers University

  2. Outline • Motivation • The security problem • The existing MBMS scheme • Our improved scheme • Experimental results

  3. MB-SC 3G Networks Motivation • The coming future: group-oriented applications on wireless networks • Network basis: multicast • 3G: Multimedia Broadcast/Multicast Service (MBMS) • Security problem: control access to multicast data MB-SC: Broadcast Multicast - Service Center

  4. Session Key MB-SC 3G Networks Security Goal – Access Control MB-SC: Broadcast Multicast - Service Center

  5. Session Key MBSC MB-SC 3G Networks 3G Networks Security Goal – Access Control 

  6. Dilemmas in 3G Networks • Underlying Scenario: • Mobile Equipment (ME) • Powerful • Not a secure device to store session key • An attacker who is a subscribed user can distribute the decryption keys to others. • User Services Identity Module (USIM): SIM card • Not powerful enough to decrypt bulk data • Secure device to store session key

  7. Dilemmas in 3G Networks • Attacks: • An adversarial subscriber find out the Session Key (SK) and send it out to non-paying users. • In summary: • The need to store decryption keys in insecure memory makes it impossible to design a scheme where non-subscribed users CANNOT access the data • What can we do?

  8. What can we do? • Dissuade our potential market from using illegitimate methods to access the multicast content • What is the potential market? • Users that desire cheap access to multicast services while being mobile. • Attacks we should not be concerned about: • Attacks that are expensive to mount (per-user basis) • Attacks that assume the user is not mobile.

  9. What can we do? (cont.) • Assumption • It is not easy for an adversarial subscriber to send out the Session key (SK). Thus, we assume there is a underlying cost associated with sharing the Session Key. • There is a Registration Key established once the user subscribes to the service. • Strategy for protecting Keys • Make the Session Key change so frequently that the cost of attacking is more expensive than the cost of subscribing to the service. • This strategy is used in Qualcomm’s S3-030040 proposal to 3GPP. • Requirement • The overhead of changing the SK should be modest.

  10. Qualcomm’s Key Hierarchy Radio Access Network 3G Core Network MB-SC Random number RK (Registration key) f BAK (Broadcast access key) SK (Session key)

  11. 3G Core Network MB-SC Qualcomm’sSK Distribution Scheme • BM-SC send out the encrypted multicast data together with SK_RAND, BAK_ID, BAK_EXP • CipherText = ESK(content) Radio Access Network CipherText || SK_RAND || BAK_ID || BAK_EXP

  12. Radio Access Network 3G Core Network MB-SC CipherText || SK_RAND || BAK_ID || BAK_EXP SK Distribution (Cont.) • Once ME finds that a new SK is used: • ME asks USIM to calculate the new SK • If USIM has BAK corresponding to BAK_ID • USIM: SK = f (SK_RAND, BAK) • USIM sends the new SK to ME

  13. 3G Core Network MB-SC Qualcomm’s BAK Distribution Scheme • Each USIM sends out a BAK request to MB-SC from the ME Radio Access Network BAK request || USIM_ID

  14. 3G Core Network MB-SC BAK Distribution (Cont.) Radio Access Network • Once the request passes the legality check, BM-SC: • Generates temporary key: TK = f (TK_RAND, RK) • Sends: ETK(BAK) || TK_RAND Session Key

  15. Drawbacks • Bandwidth: network resources will be wasted on sending out SK_RAND. • SK_RAND has to be appended to each package. • For higher level of security, SK_RAND has to be large. • BAK update problem: at the moment that a new BAK is used, every USIM will send out a BAK request to BMSC • BAK implosion problem • High peak bandwidth

  16. Radio Access Network 3G Core Network MB-SC CipherText || SK_RAND || BAK_ID || BAK_EXP Improvements: One Way Function • Using one way function to generate SKs within USIM • SK0 = SK_SEED • SK1 = f (SK0,BAK) • … • SKi+1 = f (SKi, BAK)

  17. Improvements: BAK Distribution • At the moment that a new BAK is used, every USIM will request BAK from BAK distributor almost at the same time • BAK distributor pushes the new BAK to USIM instead of pulling by USIM

  18. Improvements: Key Tree • Using additional set of keys (Key Encryption Keys KEK) to achieve key hierarchy • Join: Use old shared key (SEK) to encrypt and distribute new session key • Leave: Use lower level old key (KEK) to encrypt the higher level key, and only change the keys known by the leaving user

  19. U1 Network U2 B1 Link 1 N1 Link2 N2 Queue length (l) Service rate (u) Bottleneck bandwidth Loss rate Delay Ui Users’ inter arrival time Duration time Wired link Simulation Setup • NS-2 • Simulation Topology • Use two nodes to represent the Network since we are primarily concerned with capturing the bottleneck effect in the Network.

  20. Simulation Setup (cont.) • Movie session • Multicast traffic: statistical data from Star Wars IV • Group member join/leave behavior: • Inter-arrival times and session durations are modeled as exponential distributions • Inter-arrival time consists of two phases: • Beginning of movie (first 150 seconds): Users arrive more frequently • Remainder of movie: Users arrive less frequently • Session durations: • Mean duration = 46min

  21. Simulation Results:Bandwidth Used for Group Size 760 Bandwidth (kb/s) Bandwidth (kb/s) Our improved scheme Qualcomm’s scheme

  22. Simulation Results: Peak bandwidth vs. Group size . . .

  23. Conclusions: • An improved security framework was presented that involves: • The use of chained one-way functions for generating SKs • The BM-SC pushing new BAKs to the users based on a key-tree • These improvements: • Reduce amount of bandwidth needed for updating keys • Avoid potential BAK implosion problems associated with rekeying 3G multicasts • Scales well as group size increases • The proposed mechanisms can be mapped to other network scenarios.

  24. Future work: • We plan to formulate the relationship between the group join/leave behavior and the amount of communication overhead associated with rekeying? • Our simulations only captured the bottleneck effect in 3G Core Networks • We plan to study different multicast strategies at the Radio Access Network and how key management affects RAN network performance.

  25. Questions?

  26. Thank you!

More Related