Security Issues in Mobile WiMAX (IEEE 802.16e)
description
Transcript of Security Issues in Mobile WiMAX (IEEE 802.16e)
![Page 1: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/1.jpg)
Security Issues in Mobile WiMAX(IEEE
802.16e)Frank, A Ibikunle
Covenant University, Electrical and Information Engineering Department, Ota.
2009 IEEE Mobile WiMAX Symposium
![Page 2: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/2.jpg)
Wimax☺802.16x☺802.16d (fixed)☺802.16e (mobile)
☺802.16e ----3G : 韓國 (WiBro), 美國 , 中國大陸 ( 專利 )☺802.16m ---- 4G : 起步
![Page 4: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/4.jpg)
和 WiFi 的不同http://www.youtube.com/watch?v=chlGqhRKVjQ
![Page 5: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/5.jpg)
基本名詞ỚMain roles involved in 802.16:ỚBase Station (BS)ỚMobile Station (MS) / Subscriber
Station (SS)ỚTwo security protocols of interest:
ỚAuthentication/Authorization protocol, establishes a shared Authorization Key (AK)
Ớ3-way Traffic Encryption Key (TEK) Handshake
![Page 6: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/6.jpg)
ỚAK used to derive various other keys
ỚTraffic Encryption Keys are used to encrypt message data between the BS and MS
ỚKEK: key encryption key
ỚMBS: Multicast and Broadcast Service
![Page 7: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/7.jpg)
3-way TEK HandshakeAfter authentication, BS initiates a 3-way handshake to transfer TEKs to MS
TEKs generated by BSHave a specified lifetime, after which new TEK is requested by MS
Structure of the 3-way handshake:Challenge: BS → MSRequest: MS → BSResponse: BS → MS
![Page 8: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/8.jpg)
DefineSecurity: protection of data being transmitted over a wireless networks.
![Page 9: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/9.jpg)
CIAConfidentiality: Allowing only that the intended legitimate recipients to read encrypted messages(information).Integrity: is referred to as ensuring that another party has not altered messages after it has been sent.Authentication: This is making sure that parties sending messages or receiving messages are who they say they are, and have the right to undertake such actions.
![Page 10: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/10.jpg)
On wired networks:VPNsIPSecIDSFirewalls…
![Page 11: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/11.jpg)
Major ProblemSecuring wireless signal is in its mode of transmission communicated through the air.
![Page 12: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/12.jpg)
802.16e provides 2 authentication
RSA加密演算法 : 因數分解難度和 bits 有關EAP(Extensible Authentication Protocol)
![Page 13: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/13.jpg)
EAP常用在無線網路Data link layerPacketAn authentication framework: only define message format and has many methods.Using EAP can define a way to encapsulate EAP messages.Provides some common functions and negotiation of authentication methods called EAP methods.
![Page 14: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/14.jpg)
MACMessage Authentication CodeLike Digital Signature, but using symmetry key.
![Page 15: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/15.jpg)
Initial network1. EAP-based authentication.2. The BS and BS set up a common AK.3. KEK is derived from the AK. (and AK is
used to securely transfer further keys)4. MAC digest and the transferred TEK is
encrypted by the KEK.5. After above, the 3-way TEK-exchange for
each data connection is executed.AK – KEK - TEK
![Page 16: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/16.jpg)
Security Flaws1. Unauthenticated messages2. Unencrypted management
communication3. Shared keys in Multicast and
Broadcast Service
![Page 17: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/17.jpg)
Unauthenticated messages
Most of the management messages defined in IEEE 802.16e are integrity protected. Done by:
HMAC: Hash based message authentication codeCMAC: Cipher based message authentication code
But some messages are not covered by any authentication mechanism.
![Page 18: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/18.jpg)
Unauthenticated messages1. MOB_TRF-IND: Traffic Indication message2. MOB_NBR-ADV: Neighbor Advertisement message3. FPC: Fast Power Control message4. MSC-REQ: Multicast Assignment Request message5. DBPC-REQ: Downlink Burst Profile Change
Request message6. PMC-REQ: 7. MOB_ASC-REP: Association Result Report8. RNG-REQ: Ranging Request message
![Page 19: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/19.jpg)
Unencrypted management communicationIn Mobile WiMAX management messages are still sent in the clear.Nearly all management information exchanged between MS and BS can be accessed by a listening adversary.Collecting management info can create detailed profiles about MSs.
Including capabilities of devices, security settings, associations with base stations…
Also can determine the movement and approximate position of the MS.
![Page 20: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/20.jpg)
Shared keys in Multicast and Broadcast Service
Encrypted symmetrically with a shared key.Also message authentication is based on the same shared key.This alg. Contains the vulnerability that every group member can also encrypt and authenticate broadcast messages as if they originate from the real BS(be forged).
![Page 21: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/21.jpg)
Shared keys in Multicast and Broadcast Service
GTEK: Group TEKMBRA: Multicast and Broadcast Rekeying Algorithm
![Page 22: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/22.jpg)
The Solutions1. For Unauthenticated messages:
1. Easily using a HMAC or CMAC digit as well.2. But most messages are very short, a
tradeoff between the security and the effectiveness of the protocol has to be found.
3. Suggestion: use CMAC and Short HMAC to 64bits, and with all other needed parameters (i.e., packet number, key sequence number and reserved fields), both will be 104 bits in total.
![Page 23: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/23.jpg)
HMAC詳細請看 : http://en.wikipedia.org/wiki/HMACUse SHA-1 (128bits ?)SHA: Secure Hash Algorithm
![Page 24: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/24.jpg)
CMAC詳細請看 :
http://en.wikipedia.org/wiki/CMAC , too.( 有點複雜 ......)Use AES-128 ( 感覺也很偉大…… )AES: Advanced Encryption Standard
A symmetric-key encryption standard adopted by the U.S. government.
![Page 25: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/25.jpg)
2. For Unencrypted management communication:
1. Encrypt directly after both sides have established a common key.
2. Doesn’t introduce any overhead to the connection.
3. Possible to use a symmetric key, decryption can be processed very fast.
![Page 26: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/26.jpg)
3. For broadcasted/multicasted messages(shared keys):
1. From outside the group.2. Use asymmtric cryptography(but may
not effective).3. And for the MBS, see Figures as
followings.
![Page 27: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/27.jpg)
Figure 1. Possible solutions to transmit GTEK in a secure way
![Page 28: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/28.jpg)
Figure 2. Avoiding key forgery by a GTEK hash chain
![Page 29: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/29.jpg)
Contributions1. Describe different security
vulnerabilities found in IEEE 802.16e.
2. Proffer possible solutions to eliminate them.
![Page 30: Security Issues in Mobile WiMAX (IEEE 802.16e)](https://reader035.fdocument.pub/reader035/viewer/2022062305/56816741550346895ddbf4a9/html5/thumbnails/30.jpg)
ThanksQ & A