Overview of IEEE Security Advisor: Dr. Kai-Wei Ke Speaker: Yen-Jen Chen Date: 03/26/2007
Outline Introduction to IEEE IEEE Security Architecture IEEE Security Issues IEEE Security Flaws Conclusion References
Introduction to IEEE
IEEE WiMAX For the wide area( ranging up to 50 Km) Last mile connectively Provide the higher speed connectively for the data, voice and video(32-134Mbps) Low cast
IEEE WiMAX
Comparing Technologies WiFi WiMAX Mobile-FI UMTS 3G Bandwidth Mbps sharedShare up to 70 Mbps Up to 1.5 Mbps each 384 Kbps – 2 Mbps Range (LOS) Range (NLOS) 100 meters 30 meters 30 – 50 km km (’07) 3 – 8 km Coverage is overlaid on wireless infrastructure Mobility PortableFixed (Mobile - 16e)Full mobility Frequency/ Spectrum 2.4 GHz for b/g 5.2 GHz for a 2-11 GHz for a GHz for <3.5 GHz Existing wireless spectrum Standardization a, b and g standardized , a and REVd standardized, other under development in development Part of GSM standard Backers Industry-wide Intel, Fujitsu, Alcatel, Siemens, BT, AT&T, Qwest, McCaw Cisco, Motorola, Qualcom and Flarion GSM Wireless Industry
IEEE Security Architecture
MAC Protocol Stack
MAC CS Sub-layer ● CS Layer: Receives data from higher layers Classifies the packet Forwards frames to CPS layer
MAC CPS Sub-layer ● Performs typical MAC functions such as addressing Each SS assigned 48-bit MAC address Connection Identifiers used as primary address after initialization ● MAC policy determined by direction of transmission Uplink is DAMA-TDM Downlink is TDM ● Data encapsulated in a common format facilitating interoperability Fragment or pack frames as needed Changes transparent to receiver
MAC Privacy Sub-layer ● Provides secure communication Data encrypted with cipher clock chaining mode of DES ● Prevents theft of service SSs authenticated by BS using key management protocol
IEEE Security Architecture
IEEE Security Issues
WMAN Threat Model PHY threats Water torture attack, jammings No protection under MAC threats Typical threats of any wireless network Sniffing, Masquerading, Content modification, Rouge Base Stations, DoS attacks, etc
IEEE Security Model DOCSIS (Data Over Cable Service Interface Specifications) Assumption : All equipments are controlled by the service provider. Flaw : May not be suitable for wireless environment. Connection oriented (e.g. basic CID, SAID) Connection Management connection Transport connection Identified by connection ID (CID) Security Association (SA) Cryptographic suite (i.e. encryption algorithm) Security info. (i.e. key, IV) Identified by SAID
Security Association Data SA 16-bit SA identifier Cipher to protect data: DES-CBC 2 TEK TEK key identifier (2-bit) TEK lifetime 64-bit IV Authorization SA X.509 certificate SS 160-bit authorization key (AK) 4-bit AK identification tag Lifetime of AK KEK for distribution of TEK = Truncate-128(SHA1(((AK| 0 44 ) xor ) Downlink HMAC key = SHA1((AK|0 44 ) xor 3A 64 ) Uplink HMAC key = SHA1((AK|0 44 ) xor 5C 64 ) A list of authorized data SAs
X.509 certificate
Security Association BS use the X.509 certificate from SS to authenticate. No BS authentication Negotiate security capabilities between BS and SS Authentication Key (AK) exchange AK serves as authorization token AK is encrypted using public key cryptography Authentication is done when both SS and BS possess AK
IEEE Security Process
Authentication SS →BS: Cert(Manufacturer(SS)) SS →BS: Cert(SS) | Capabilities | SAID BS →SS: RSA-Encrypt(PubKey(SS), AK) | Lifetime | SeqNo | SAIDList Key lifetime: 1 to 70 days, usually 7days
Authorization state machine flow diagram
Authorization FSM state transition matrix
Data Key Exchange Data encryption requires data key called Transport Encryption key (TEK). TEK is generated by BS randomly TEK is encrypted with Triple-DES (use 128 bits KEK) RSA (use SS ’ s public key) AES (use 128 bits KEK) Key Exchange message is authenticated by HMAC-SHA1 – (provides Message Integrity and AK confirmation)
Key Derivation KEK = Truncate-128(SHA1(((AK| 0 44 ) xor ) Downlink HMAC key = SHA1((AK|0 44 ) xor 3A 64 ) Uplink HMAC key = SHA1((AK|0 44 ) xor 5C 64 )
Data Key Exchange
Data Encryption
Encrypt only data message not management message DES in CBC Mode 56 bit DES key (TEK) No Message Integrity Detection No Replay Protection
Data Encryption
IEEE Security Flaws
Lack of Explicit Definitions Authorization SA not explicitly defined SA instances not distinguished: open to replay attacks Solution: Need to add nonces from BS and SS to the authorization SA Data SA treats 2-bit key as circular buffer Attacker can interject reused TEKs SAID: 2 bits at least 12 bits (AK lasts 70 days while TEK lasts for 30 minutes) TEKs need expiration due to DES-CBC mode Determine the period: can safely produce 2^32 64-bit blocks only.
IEEE Security Flaws Lack of the mutual authentication Authentication is one way BS authenticates SS No way for SS to authenticate BS Rouge BS possible because all information's are public Possible enhancement : BS certificate Limited authentication method – SS certification
IEEE Security Flaws Authentication Key (AK) generation BS generates AK No contribution from SS SS must trust BS for the generation of AK
IEEE Security Flaws Data protection errors 56-bit DES … does not offer strong data confidentiality( Brute force attack) Uses a PREDICTABLE initialization vector (while DES- CBC requires a random IV) CBC-IV = [IV Parameter from TEK exchange]XOR [ PHY Synchronization field] Chosen Plaintext Attack to recover the original plaintext Generates each per-frame IV randomly and inserts into the payload. Though increases overhead, no other choice.
IEEE Security Flaws No Message Integrity Detection, No replay protection Active attack AES in CCM Mode 128 bit key (TEK) Message Integrity Check Replay Protection using Packet Number
Conclusion
WiMAX PKM Protocol SS BS 認證資訊 (authentication information) X.509 certificate 授權請求 (authorization request) X.509 certificate, capability, Basic CID 1. 確認 SS 身分 2. 產生 AK, 並用憑證中 的 public key 將之加密 授權答覆 (authorization reply) encrypted AK, SAIDs, SQN AK,… AK exchange 密鑰請求 (key request) SAID, HMAC-Digest,… 密鑰答覆 (key reply) encrypted TEK, CBC IV, HMAC-Digest,… 將 AK 解開 1. 利用 SHA 演算法驗證 HMAC-Digest 2. 產生 TEK 3. 由 AK 產生 KEK 用以 加密 TEK 1. 利用 SHA 驗證 HMAC-Digest 2. 由 AK 計算出 KEK 以解開 TEK 資料交換 ( 利用 TEK 加密 ) TEK exchange ( 每一個資料傳輸連 線都必須先做此動作 ) HMAC-Digest :用以驗證資料的完整性
Conclusion It need the bidirectional authorization Require more flexible authentication method EAP Authentication Improve Key derivation Include the system identity (i.e., SSID) Key freshness – include random number from both SS and BS Prefer AES to DES for data encryption
References IEEE Std standard for the local and metropolitan Area Networks,part 16 “ ZAir interface for Fixed BroadBand Wireless Access Systems, ” IEEE Press, 2001 IEEE Std (Revision of IEEE Std ) Johnson, David and Walker, Jesse of Intel (2004), “ Overview of IEEE Security ”,published by the IEEE computer society