580 likes | 593 Views
Security in 802.16d and 802.16e. Advisor: Dr. Kai-Wei Ke Speaker: Yen-Jen Chen Date: 03/04/2008. Outline. Overview of 802.16d Security Security Architecture in the 802.16e Authentication in the 802.16e Key hierarchy in the 802.16e Conclusion References.
E N D
Security in 802.16d and 802.16e Advisor: Dr. Kai-Wei Ke Speaker: Yen-Jen Chen Date: 03/04/2008
Outline • Overview of 802.16d Security • Security Architecture in the 802.16e • Authentication in the 802.16e • Key hierarchy in the 802.16e • Conclusion • References
MAC Privacy Sub-layer • Provides secure communication • Data encrypted with cipher clock chaining mode of DES • Prevents theft of service • SSs authenticated by BS using key management protocol
Data SA 16-bit SA identifier Cipher to protect data: DES-CBC 2 TEK TEK key identifier (2-bit) TEK lifetime 64-bit IV Authorization SA X.509 certificate SS 160-bit authorization key (AK) 4-bit AK identification tag Lifetime of AK KEK for distribution of TEK = Truncate-128(SHA1(((AK| 044) xor 5364) Downlink HMAC key = SHA1((AK|044) xor 3A64) Uplink HMAC key = SHA1((AK|044) xor 5C64) A list of authorized data SAs Security Association
Security Association • BS use the X.509 certificate from SS to authenticate. • No BS authentication • Negotiate security capabilities between BS and SS • Authentication Key (AK) • exchange AK serves as authorization token • AK is encrypted using public key cryptography • Authentication is done when both SS and BS possess AK
Authentication Key lifetime: 1 to 70 days , usually 7days SS →BS: Cert(Manufacturer(SS)) SS →BS: Cert(SS) | Capabilities | SAID BS →SS: RSA-Encrypt(PubKey(SS), AK) | Lifetime | SeqNo | SAIDList
KEK = Truncate-128(SHA1(((AK| 044) xor 5364) Downlink HMAC key = SHA1((AK|044) xor 3A64) Uplink HMAC key = SHA1((AK|044) xor 5C64) Key Derivation
IEEE 802.16d Security Flaws • Lack of Explicit Definitions • Lack of the mutual authentication • Limited authentication method–SS certification • Authentication Key (AK) generation
Security Architecture • Encapsulation protocol • A set of cryptographic suites • The rules for applying those algorithm • Key management protocol • PKM for distributing key data • AK 160 bits share key for ss and bs • TEK 128bits PKM exchange key • Authentication (PKMv2 protocol) • To get AK (Authorization key) • RSA authentication • EAP authentication
RSA authentication protocol • 802.16d uses this one • BS uses the PKI mechanism to verify the Certificate • BS uses the CTL (Certificate trust list)
EAP authentication protocol • EAP is a authentication framework not a specially authentication mechanism • the four methods in 802.16e • RSA based authentication • One level EAP based authentication • Two level EAP based authentication • RSA based authentication followed by EAP authentication
EAP authentication protocol • RSA based authentication • Use the PKMv2 RSA-Request、PKMv2 RSA-Reply、PKMv2 RSA-Reject、PKMv2 RSA-acknowledgement messages to get pre-PAK • Using the public key of SS to encrypt the pre-PAK and send back to SS • pre-PAK generates the PAK (Primary Authorization key) and EIK(EAP integrity Key) • PAK generates the AK
EAP authentication protocol (Cont.) • RSA based authentication • EIK|PAK <= Dot16KDF (pre-PAK,SS MAC address | BSID | ”EIK+PAK” , 320) • AK<= Dot16KDF (PAK,SS MAC address | BSID | PAK|”AK” , 160)
EAP authentication protocol (Cont.) • One level EAP based authentication • Using the authentication exchange message to get MSK (Master session key) • PMK<= truncate(MSK,160) • AK<=Dot16KDF(PMK,SS MAC Address | BSID | “AK”,160)
EAP authentication protocol (Cont.) • Two level EAP based authentication • SS sent the PKEv2 EAP Start to BS • The first EAP negotiation will begin between BS and SS included the message of PKMv2 Transfer2(MSK) • After that BS will send the EAP-Success or EAP-failure. • If BS sent the EAP-Success then BS will send the PKMv2_EAP_Complete encrypted by EIK immediate • If SS gets the EIK and PMK successful then SS can verify the message • Otherwise the SS might get the EAP-failure or get no respond to show that BS is failure to authentication
EAP authentication protocol (Cont.) • Two level EAP based authentication • After SS finished the first EAP negotiation successful ,the SS will send “PKMv2 Authenticated EAP Start” to start the second EAP negotiation • When BS got this message, BS will check the message by EIK. • If BS check ok then BS will start the second EAP negotiation, otherwise BS will think the Authenticated failure. • The related messages of PKM is protected by EIK in the second EAP negotiation • If BS and SS competed second EAP negotiation, then BS and SS can get the AK form PMK( pairwise authorization key) and PMK2
EAP authentication protocol (Cont.) • Two level EAP based authentication • EIK|PMK <= truncate (MSK,320) • PMK2 <= truncate(MSK,160) • AK <= Dot 16KDF(PMK + PMK2, SS MAC Address| BSID|” AK” , 160)
EAP authentication protocol (Cont.) • RSA based authentication followed by EAP authentication • First execute RSA-based authorization and execute the second round of Double EAP mode • EIK|PAK <= Dot16KDF(pre-PAK, SS MAC Address | BSID | “EIK+PAK”,320) • AK <= Dot16KDF(PAK⊕PMK, SS MAC Address| BSID |PAK “AK” 160)
Key hierarchy in the 802.16e • AK (Authorization Key) • KEK (Key Encryption Key) • KEK is generated by AK • Using it to encrypt the TEK or GKEK etc
Key hierarchy in the 802.16e • GKEK (group KEK) • One GSA has one GKEK • GKEK is generated by random number of BS • BS uses the KEK to encrypt GKEK and send to SS • GKEK encrypted the GTEK when GTEK updated and send it to all SS in the group
Key hierarchy in the 802.16e • TEK (Traffic Encryption Key) • TEK is generated by random number of BS • BS use the KEK to encrypt the TEK and send to SS • TEK is used to encrypt the message or data between BS and SS
Key hierarchy in the 802.16e • GTEK (Group TEK) • TEK is generated by random number of BS or some nodes in the group • GTEK is used to encrypt the broadcast messages • Using the KEK as the encryption key When request the GTEK • Using the GKEK as the encryption key When update the GTEK
Key hierarchy in the 802.16e • MTK (MBS traffic Key) • It comes from MAK(MBS AK) but do not have any generate method in 802.16e • MTK = Dot16KDF (MAK,MGTEK|”MTK”,128)
Key hierarchy in the 802.16e • HMAC (HMAC Digests) • Using the AK as the material • HMAC_KEY_U | HMAC_KEY_D | KEK <=Dot16KDF(AK, SS MAC Address | BSID | “HMAC_KEYS+KEK”,448) • HMAC_KEY_GD <= Dot16KDF (GKEK,”GROUP HMAC KEY”,160)
Key hierarchy in the 802.16e • HMAC (HMAC Digests) • Using the EIK as the material • HMAC_KEY_U | HMAC_KEY_D | KEK <=Dot16KDF(EIK, SS MAC Address | BSID | “HMAC_KEYS+KEK”,320)
Key hierarchy in the 802.16e • CMAC (Cipher-based MAC) • Using the AK as the material • CMAC_KEY_U | CMAC_KEY_D | KEK <=Dot16KDF(AK, SS MAC Address | BSID | “CMAC_KEYS+KEK”,384) • CMAC_KEY_GD <= Dot16KDF (GKEK,”GROUP CMAC KEY”,128)
Key hierarchy in the 802.16e • CMAC (Cipher-based MAC) • Using the EIK as the material • CMAC_KEY_U | CMAC_KEY_D | KEK<=Dot16KDF(EIK, SS MAC Address | BSID | “CMAC_KEYS + KEK” , 256)
認證資訊(authentication information)X.509 certificate 授權請求(authorization request)X.509 certificate, capability, Basic CID AK exchange 授權答覆(authorization reply)encrypted AK, SAIDs, SQNAK,… 密鑰請求(key request)SAID, HMAC-Digest,… TEK exchange(每一個資料傳輸連線都必須先做此動作) 密鑰答覆(key reply)encrypted TEK, CBC IV, HMAC-Digest,… 資料交換(利用TEK加密) WiMAX PKM Protocol BS SS 1.確認SS身分 2.產生AK, 並用憑證中的public key將之加密 將AK解開 1.利用SHA演算法驗證HMAC-Digest 2.產生TEK 3.由AK產生KEK用以加密TEK 1.利用SHA驗證HMAC-Digest 2.由AK計算出KEK以解開TEK HMAC-Digest:用以驗證資料的完整性
Conclusion • Authentication & Authorization more robust • Using the bidirectional Authentication to avoid the rude base station and support the different Authentication policy。 • Data Privacy • 802.16e add more encryption algorithm (Advanced Encryption Standard, AES) to enhance the security • Key’s generation • Using the robust solution to generate the AK