Improving MBMS Security in 3G Wenyuan Xu Rutgers University
2 Outline Motivation The security problem The existing MBMS scheme Our improved scheme Experimental results
3 Motivation The coming future: group-oriented applications on wireless networks Network basis: multicast 3G: Multimedia Broadcast/Multicast Service (MBMS) Security problem: control access to multicast data 3G Networks MB-SC MB-SC: Broadcast Multicast - Service Center
4 3G Networks MB-SC Session Key Security Goal – Access Control MB-SC: Broadcast Multicast - Service Center
5 Security Goal – Access Control 3G Networks MBSC 3G Networks MB-SC Session Key
6 Dilemmas in 3G Networks Underlying Scenario: –Mobile Equipment (ME) Powerful Not a secure device to store session key An attacker who is a subscribed user can distribute the decryption keys to others. –User Services Identity Module (USIM): SIM card Not powerful enough to decrypt bulk data Secure device to store session key
7 Dilemmas in 3G Networks Attacks: –An adversarial subscriber find out the Session Key (SK) and send it out to non-paying users. In summary: –The need to store decryption keys in insecure memory makes it impossible to design a scheme where non- subscribed users CANNOT access the data What can we do?
8 What can we do? Dissuade Dissuade our potential market from using illegitimate methods to access the multicast content What is the potential market? –Users that desire cheap access to multicast services while being mobile. Attacks we should not be concerned about: –Attacks that are expensive to mount (per-user basis) –Attacks that assume the user is not mobile.
9 What can we do? (cont.) Assumption –It is not easy for an adversarial subscriber to send out the Session key (SK). Thus, we assume there is a underlying cost associated with sharing the Session Key. –There is a Registration Key established once the user subscribes to the service. Strategy for protecting Keys –Make the Session Key change so frequently that the cost of attacking is more expensive than the cost of subscribing to the service. –This strategy is used in Qualcomm ’ s S proposal to 3GPP. Requirement –The overhead of changing the SK should be modest.
10 3G Core Network MB-SC Radio Access Network Qualcomm’s Key Hierarchy BAK (Broadcast access key) SK (Session key) f Random number RK (Registration key)
11 Qualcomm’s SK Distribution Scheme BM-SC send out the encrypted multicast data together with SK_RAND, BAK_ID, BAK_EXP –CipherText = E SK (content) 3G Core Network MB-SC Radio Access Network CipherText || SK_RAND || BAK_ID || BAK_EXP
12 SK Distribution (Cont.) Once ME finds that a new SK is used: –ME asks USIM to calculate the new SK If USIM has BAK corresponding to BAK_ID –USIM: SK = f (SK_RAND, BAK) –USIM sends the new SK to ME 3G Core Network MB-SC Radio Access Network CipherText || SK_RAND || BAK_ID || BAK_EXP
13 Qualcomm’s BAK Distribution Scheme Each USIM sends out a BAK request to MB-SC from the ME 3G Core Network MB-SC Radio Access Network BAK request || USIM_ID
14 BAK Distribution (Cont.) 3G Core Network MB-SC Session Key Radio Access Network Once the request passes the legality check, BM-SC: –Generates temporary key: TK = f (TK_RAND, RK) –Sends: E TK (BAK) || TK_RAND
15 Drawbacks Bandwidth: network resources will be wasted on sending out SK_RAND. SK_RAND has to be appended to each package. For higher level of security, SK_RAND has to be large. BAK update problem: at the moment that a new BAK is used, every USIM will send out a BAK request to BMSC BAK implosion problem High peak bandwidth
16 Improvements: One Way Function Using one way function to generate SKs within USIM –SK 0 = SK_SEED –SK 1 = f (SK 0,BAK) – … –SK i+1 = f (SK i, BAK) 3G Core Network MB-SC Radio Access Network CipherText || SK_RAND || BAK_ID || BAK_EXP
17 Improvements: BAK Distribution At the moment that a new BAK is used, every USIM will request BAK from BAK distributor almost at the same time BAK distributor pushes the new BAK to USIM instead of pulling by USIM
18 Improvements: Key Tree Using additional set of keys (Key Encryption Keys KEK) to achieve key hierarchy Join: Use old shared key (SEK) to encrypt and distribute new session key Leave: Use lower level old key (KEK) to encrypt the higher level key, and only change the keys known by the leaving user
19 Simulation Setup NS-2 Simulation Topology –Use two nodes to represent the Network since we are primarily concerned with capturing the bottleneck effect in the Network. B1N1N2 U1 U2 Ui Wired link Queue length (l) Service rate (u) Link 1Link2 Bottleneck bandwidth Loss rate Delay Users’ inter arrival time Duration time Network
20 Simulation Setup (cont.) Movie session –Multicast traffic: statistical data from Star Wars IV –Group member join/leave behavior: Inter-arrival times and session durations are modeled as exponential distributions Inter-arrival time consists of two phases: –Beginning of movie (first 150 seconds): Users arrive more frequently –Remainder of movie: Users arrive less frequently Session durations: –Mean duration = 46min
21 Simulation Results: Bandwidth Used for Group Size 760 Qualcomm’s scheme Our improved scheme Bandwidth (kb/s)
22 Simulation Results: Peak bandwidth vs. Group size......
23 Conclusions: An improved security framework was presented that involves: –The use of chained one-way functions for generating SKs –The BM-SC pushing new BAKs to the users based on a key- tree These improvements: –Reduce amount of bandwidth needed for updating keys –Avoid potential BAK implosion problems associated with rekeying 3G multicasts –Scales well as group size increases The proposed mechanisms can be mapped to other network scenarios.
24 Future work: We plan to formulate the relationship between the group join/leave behavior and the amount of communication overhead associated with rekeying? Our simulations only captured the bottleneck effect in 3G Core Networks –We plan to study different multicast strategies at the Radio Access Network and how key management affects RAN network performance.
25 Questions?
Thank you!