260 likes | 442 Views
Improving MBMS Security in 3G. Wenyuan Xu wenyuan@winlab.rutgers.edu Rutgers University. Outline . Motivation The security problem The existing MBMS scheme Our improved scheme Experimental results. MB-SC. 3G Networks. Motivation.
E N D
Improving MBMS Security in 3G Wenyuan Xu wenyuan@winlab.rutgers.edu Rutgers University
Outline • Motivation • The security problem • The existing MBMS scheme • Our improved scheme • Experimental results
MB-SC 3G Networks Motivation • The coming future: group-oriented applications on wireless networks • Network basis: multicast • 3G: Multimedia Broadcast/Multicast Service (MBMS) • Security problem: control access to multicast data MB-SC: Broadcast Multicast - Service Center
Session Key MB-SC 3G Networks Security Goal – Access Control MB-SC: Broadcast Multicast - Service Center
Session Key MBSC MB-SC 3G Networks 3G Networks Security Goal – Access Control
Dilemmas in 3G Networks • Underlying Scenario: • Mobile Equipment (ME) • Powerful • Not a secure device to store session key • An attacker who is a subscribed user can distribute the decryption keys to others. • User Services Identity Module (USIM): SIM card • Not powerful enough to decrypt bulk data • Secure device to store session key
Dilemmas in 3G Networks • Attacks: • An adversarial subscriber find out the Session Key (SK) and send it out to non-paying users. • In summary: • The need to store decryption keys in insecure memory makes it impossible to design a scheme where non-subscribed users CANNOT access the data • What can we do?
What can we do? • Dissuade our potential market from using illegitimate methods to access the multicast content • What is the potential market? • Users that desire cheap access to multicast services while being mobile. • Attacks we should not be concerned about: • Attacks that are expensive to mount (per-user basis) • Attacks that assume the user is not mobile.
What can we do? (cont.) • Assumption • It is not easy for an adversarial subscriber to send out the Session key (SK). Thus, we assume there is a underlying cost associated with sharing the Session Key. • There is a Registration Key established once the user subscribes to the service. • Strategy for protecting Keys • Make the Session Key change so frequently that the cost of attacking is more expensive than the cost of subscribing to the service. • This strategy is used in Qualcomm’s S3-030040 proposal to 3GPP. • Requirement • The overhead of changing the SK should be modest.
Qualcomm’s Key Hierarchy Radio Access Network 3G Core Network MB-SC Random number RK (Registration key) f BAK (Broadcast access key) SK (Session key)
3G Core Network MB-SC Qualcomm’sSK Distribution Scheme • BM-SC send out the encrypted multicast data together with SK_RAND, BAK_ID, BAK_EXP • CipherText = ESK(content) Radio Access Network CipherText || SK_RAND || BAK_ID || BAK_EXP
Radio Access Network 3G Core Network MB-SC CipherText || SK_RAND || BAK_ID || BAK_EXP SK Distribution (Cont.) • Once ME finds that a new SK is used: • ME asks USIM to calculate the new SK • If USIM has BAK corresponding to BAK_ID • USIM: SK = f (SK_RAND, BAK) • USIM sends the new SK to ME
3G Core Network MB-SC Qualcomm’s BAK Distribution Scheme • Each USIM sends out a BAK request to MB-SC from the ME Radio Access Network BAK request || USIM_ID
3G Core Network MB-SC BAK Distribution (Cont.) Radio Access Network • Once the request passes the legality check, BM-SC: • Generates temporary key: TK = f (TK_RAND, RK) • Sends: ETK(BAK) || TK_RAND Session Key
Drawbacks • Bandwidth: network resources will be wasted on sending out SK_RAND. • SK_RAND has to be appended to each package. • For higher level of security, SK_RAND has to be large. • BAK update problem: at the moment that a new BAK is used, every USIM will send out a BAK request to BMSC • BAK implosion problem • High peak bandwidth
Radio Access Network 3G Core Network MB-SC CipherText || SK_RAND || BAK_ID || BAK_EXP Improvements: One Way Function • Using one way function to generate SKs within USIM • SK0 = SK_SEED • SK1 = f (SK0,BAK) • … • SKi+1 = f (SKi, BAK)
Improvements: BAK Distribution • At the moment that a new BAK is used, every USIM will request BAK from BAK distributor almost at the same time • BAK distributor pushes the new BAK to USIM instead of pulling by USIM
Improvements: Key Tree • Using additional set of keys (Key Encryption Keys KEK) to achieve key hierarchy • Join: Use old shared key (SEK) to encrypt and distribute new session key • Leave: Use lower level old key (KEK) to encrypt the higher level key, and only change the keys known by the leaving user
U1 Network U2 B1 Link 1 N1 Link2 N2 Queue length (l) Service rate (u) Bottleneck bandwidth Loss rate Delay Ui Users’ inter arrival time Duration time Wired link Simulation Setup • NS-2 • Simulation Topology • Use two nodes to represent the Network since we are primarily concerned with capturing the bottleneck effect in the Network.
Simulation Setup (cont.) • Movie session • Multicast traffic: statistical data from Star Wars IV • Group member join/leave behavior: • Inter-arrival times and session durations are modeled as exponential distributions • Inter-arrival time consists of two phases: • Beginning of movie (first 150 seconds): Users arrive more frequently • Remainder of movie: Users arrive less frequently • Session durations: • Mean duration = 46min
Simulation Results:Bandwidth Used for Group Size 760 Bandwidth (kb/s) Bandwidth (kb/s) Our improved scheme Qualcomm’s scheme
Conclusions: • An improved security framework was presented that involves: • The use of chained one-way functions for generating SKs • The BM-SC pushing new BAKs to the users based on a key-tree • These improvements: • Reduce amount of bandwidth needed for updating keys • Avoid potential BAK implosion problems associated with rekeying 3G multicasts • Scales well as group size increases • The proposed mechanisms can be mapped to other network scenarios.
Future work: • We plan to formulate the relationship between the group join/leave behavior and the amount of communication overhead associated with rekeying? • Our simulations only captured the bottleneck effect in 3G Core Networks • We plan to study different multicast strategies at the Radio Access Network and how key management affects RAN network performance.