1
Overview of IEEE 802.16 Security
Advisor: Dr. Kai-Wei Ke
Speaker: Yen-Jen Chen
Date: 03/26/2007
2
Outline
● Introduction to IEEE 802.16
● IEEE 802.16 Security Architecture
● IEEE 802.16 Security Issues
● IEEE 802.16 Security Flaws
● Conclusion
● References
3
Introduction to IEEE 802.16
4
IEEE 802.16 WiMAX
● For the wide area (ranging up to 50 km)
● Last-mile connectivity
● Provides higher-speed connectivity for data, voice and video (32-134 Mbps)
● Low cost
5
IEEE 802.16 WiMAX
8
Comparing Technologies
● Bandwidth
  - 802.11 WiFi: 11-54 Mbps shared
  - 802.16 WiMAX: share up to 70 Mbps
  - 802.20 Mobile-Fi: up to 1.5 Mbps each
  - UMTS 3G: 384 Kbps - 2 Mbps
● Range
  - 802.11 WiFi: 100 meters (LOS), 30 meters (NLOS)
  - 802.16 WiMAX: 30-50 km (LOS), 2-5 km ('07) (NLOS)
  - 802.20 Mobile-Fi: 3-8 km
  - UMTS 3G: coverage is overlaid on wireless infrastructure
● Mobility
  - 802.11 WiFi: Portable
  - 802.16 WiMAX: Fixed (Mobile - 16e)
  - 802.20 Mobile-Fi: Full mobility
● Frequency/Spectrum
  - 802.11 WiFi: 2.4 GHz for 802.11b/g, 5.2 GHz for 802.11a
  - 802.16 WiMAX: 2-11 GHz for 802.16a, 11-60 GHz for 802.16
  - 802.20 Mobile-Fi: <3.5 GHz
  - UMTS 3G: existing wireless spectrum
● Standardization
  - 802.11 WiFi: 802.11a, b and g standardized
  - 802.16 WiMAX: 802.16, 802.16a and 802.16 REVd standardized, other under development
  - 802.20 Mobile-Fi: 802.20 in development
  - UMTS 3G: part of GSM standard
● Backers
  - 802.11 WiFi: industry-wide
  - 802.16 WiMAX: Intel, Fujitsu, Alcatel, Siemens, BT, AT&T, Qwest, McCaw
  - 802.20 Mobile-Fi: Cisco, Motorola, Qualcomm and Flarion
  - UMTS 3G: GSM wireless industry
9
IEEE 802.16 Security Architecture
10
802.16 MAC Protocol Stack
11
MAC CS Sub-layer
● CS Layer:
  - Receives data from higher layers
  - Classifies the packet
  - Forwards frames to CPS layer
12
MAC CPS Sub-layer
● Performs typical MAC functions such as addressing
  - Each SS assigned 48-bit MAC address
  - Connection Identifiers used as primary address after initialization
● MAC policy determined by direction of transmission
  - Uplink is DAMA-TDM
  - Downlink is TDM
● Data encapsulated in a common format facilitating interoperability
  - Fragment or pack frames as needed
  - Changes transparent to receiver
13
MAC Privacy Sub-layer
● Provides secure communication
  - Data encrypted with cipher block chaining mode of DES
● Prevents theft of service
  - SSs authenticated by BS using key management protocol
14
IEEE 802.16 Security Architecture
15
IEEE 802.16 Security Issues
16
WMAN Threat Model
● PHY threats
  - Water torture attack, jamming
  - No protection under 802.16
● MAC threats
  - Typical threats of any wireless network
  - Sniffing, masquerading, content modification, rogue base stations, DoS attacks, etc.
17
IEEE 802.16 Security Model
● DOCSIS (Data Over Cable Service Interface Specifications)
  - Assumption: all equipment is controlled by the service provider.
  - Flaw: may not be suitable for a wireless environment.
● Connection oriented (e.g. basic CID, SAID)
● Connection
  - Management connection
  - Transport connection
  - Identified by connection ID (CID)
● Security Association (SA)
  - Cryptographic suite (i.e. encryption algorithm)
  - Security info (i.e. key, IV)
  - Identified by SAID
18
Security Association
● Data SA
  - 16-bit SA identifier
  - Cipher to protect data: DES-CBC
  - 2 TEKs
  - TEK key identifier (2-bit)
  - TEK lifetime
  - 64-bit IV
● Authorization SA
  - X.509 certificate of the SS
  - 160-bit authorization key (AK)
  - 4-bit AK identification tag
  - Lifetime of AK
  - KEK for distribution of TEK = Truncate-128(SHA1((AK | 0^44) xor 53^64))
  - Downlink HMAC key = SHA1((AK | 0^44) xor 3A^64)
  - Uplink HMAC key = SHA1((AK | 0^44) xor 5C^64)
  - A list of authorized data SAs
19
X.509 certificate
20
Security Association
● BS uses the X.509 certificate from the SS to authenticate it.
● No BS authentication
● Negotiate security capabilities between BS and SS
● Authentication Key (AK) exchange
  - AK serves as authorization token
  - AK is encrypted using public key cryptography
  - Authentication is done when both SS and BS possess AK
21
IEEE 802.16 Security Process
22
Authentication
● SS → BS: Cert(Manufacturer(SS))
● SS → BS: Cert(SS) | Capabilities | SAID
● BS → SS: RSA-Encrypt(PubKey(SS), AK) | Lifetime | SeqNo | SAIDList
● Key lifetime: 1 to 70 days, usually 7 days
23
Authorization state machine flow diagram
24
Authorization FSM state transition matrix
25
Data Key Exchange
● Data encryption requires a data key called the Transport Encryption Key (TEK).
● TEK is generated randomly by the BS.
● TEK is encrypted with:
  - Triple-DES (uses 128-bit KEK)
  - RSA (uses SS's public key)
  - AES (uses 128-bit KEK)
● Key Exchange message is authenticated by HMAC-SHA1 (provides message integrity and AK confirmation)
26
Key Derivation
● KEK = Truncate-128(SHA1((AK | 0^44) xor 53^64))
● Downlink HMAC key = SHA1((AK | 0^44) xor 3A^64)
● Uplink HMAC key = SHA1((AK | 0^44) xor 5C^64)
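
Added example (not part of the original slides): the three derivations above and the HMAC-SHA1 check on a Key Request, reading the pad terms as 44 zero bytes appended to the 20-byte AK and a single byte value (0x53, 0x3A or 0x5C) repeated 64 times. The function names, the sample AK and the message body are constructed for illustration; the body is not the standard's TLV encoding.

```python
import hashlib
import hmac

AK_LEN = 20  # 160-bit authorization key, as stated on the Security Association slide

def pad_xor(ak: bytes, pad_byte: int) -> bytes:
    """(AK | 0^44) xor pad^64: zero-extend AK to 64 bytes, XOR each byte with pad_byte."""
    if len(ak) != AK_LEN:
        raise ValueError("AK must be 20 bytes")
    return bytes(b ^ pad_byte for b in ak + bytes(44))

def derive_keys(ak: bytes) -> dict:
    """Derive the three keys that SS and BS each compute locally from the shared AK."""
    return {
        "kek": hashlib.sha1(pad_xor(ak, 0x53)).digest()[:16],   # Truncate-128
        "hmac_down": hashlib.sha1(pad_xor(ak, 0x3A)).digest(),  # BS -> SS messages
        "hmac_up": hashlib.sha1(pad_xor(ak, 0x5C)).digest(),    # SS -> BS messages
    }

def key_request_digest(ak: bytes, body: bytes) -> bytes:
    """HMAC-SHA1 digest the SS attaches to a Key Request (uplink direction)."""
    return hmac.new(derive_keys(ak)["hmac_up"], body, hashlib.sha1).digest()

def bs_accepts_key_request(bs_ak: bytes, body: bytes, digest: bytes) -> bool:
    """BS recomputes the digest with its own copy of the AK; a match confirms
    message integrity and that the sender holds the same AK."""
    return hmac.compare_digest(key_request_digest(bs_ak, body), digest)

# Constructed sample values: not a real AK and not the standard's message format.
SAMPLE_AK = bytes(range(20))
SAMPLE_BODY = b"KEY-REQUEST|AK-seq=1|SAID=0x0001"

if __name__ == "__main__":
    for name, value in derive_keys(SAMPLE_AK).items():
        print(f"{name:9s} {len(value) * 8:3d} bits  {value.hex()}")
    digest = key_request_digest(SAMPLE_AK, SAMPLE_BODY)
    changed = SAMPLE_BODY.replace(b"0001", b"0002")
    print("genuine request:", bs_accepts_key_request(SAMPLE_AK, SAMPLE_BODY, digest))
    print("modified SAID  :", bs_accepts_key_request(SAMPLE_AK, changed, digest))
    print("different AK   :", bs_accepts_key_request(bytes(20), SAMPLE_BODY, digest))
```

Every input to the derivation is the AK alone, so all three keys stay fixed for the AK's whole lifetime and carry no contribution from the SS.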
27
Data Key Exchange
28
Data Encryption
29
● Encrypts only data messages, not management messages
● DES in CBC mode
● 56-bit DES key (TEK)
● No message integrity detection
● No replay protection
30
Data Encryption
31
IEEE 802.16 Security Flaws
32
Lack of Explicit Definitions
● Authorization SA not explicitly defined
  - SA instances not distinguished: open to replay attacks
  - Solution: need to add nonces from BS and SS to the authorization SA
● Data SA treats the 2-bit key identifier as a circular buffer
  - Attacker can interject reused TEKs
  - SAID: 2 bits → at least 12 bits (AK lasts 70 days while TEK lasts for 30 minutes)
  - TEKs need expiration due to DES-CBC mode
  - Determine the period: 802.16 can safely produce 2^32 64-bit blocks only.
33
IEEE 802.16 Security Flaws
● Lack of mutual authentication
  - Authentication is one way
  - BS authenticates SS
  - No way for SS to authenticate BS
  - Rogue BS possible because all information is public
  - Possible enhancement: BS certificate
● Limited authentication method: SS certification
34
IEEE 802.16 Security Flaws
● Authentication Key (AK) generation
  - BS generates AK
  - No contribution from SS
  - SS must trust BS for the generation of AK
35
IEEE 802.16 Security Flaws
● Data protection errors
  - 56-bit DES … does not offer strong data confidentiality (brute force attack)
  - Uses a PREDICTABLE initialization vector (while DES-CBC requires a random IV)
  - CBC-IV = [IV parameter from TEK exchange] XOR [PHY synchronization field]
  - Chosen plaintext attack to recover the original plaintext
  - Solution: generate each per-frame IV randomly and insert it into the payload. This increases overhead, but there is no other choice.
36
IEEE 802.16 Security Flaws
● No message integrity detection, no replay protection
  - Active attack
● AES in CCM mode
  - 128-bit key (TEK)
  - Message integrity check
  - Replay protection using packet number
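
Added example (not part of the original slides): receiver-side logic for the two properties this slide says the DES-CBC data path lacks. The slide's remedy is AES-CCM; because the Python standard library has no AES, a truncated HMAC-SHA1 tag stands in for the CCM integrity check and the payload is left unencrypted. The frame layout (4-byte packet number, payload, 8-byte tag) and all names are assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8  # assumed tag size for this sketch

def protect(key: bytes, pn: int, payload: bytes) -> bytes:
    """Sender side: frame = PN (4 bytes, big-endian) | payload | tag over PN and payload."""
    header = struct.pack(">I", pn)
    tag = hmac.new(key, header + payload, hashlib.sha1).digest()[:TAG_LEN]
    return header + payload + tag

class Receiver:
    """Accepts a frame only if its tag verifies and its PN is strictly newer."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_pn = 0  # highest PN accepted so far; senders start at 1

    def accept(self, frame: bytes):
        if len(frame) < 4 + TAG_LEN:
            return None
        header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha1).digest()[:TAG_LEN]
        # Integrity first: an unauthenticated PN must never move the replay state.
        if not hmac.compare_digest(tag, expected):
            return None
        (pn,) = struct.unpack(">I", header)
        if pn <= self.last_pn:  # replayed or stale frame
            return None
        self.last_pn = pn
        return payload

def demo() -> list:
    key = bytes(range(16))  # constructed 128-bit key, standing in for a TEK
    rx = Receiver(key)
    f1, f2 = protect(key, 1, b"frame one"), protect(key, 2, b"frame two")
    forged = struct.pack(">I", 900) + f2[4:]           # PN rewritten, tag unchanged
    flipped = f2[:5] + bytes([f2[5] ^ 0x01]) + f2[6:]  # one payload bit changed
    return [rx.accept(f1), rx.accept(f1), rx.accept(forged),
            rx.accept(flipped), rx.accept(f2), rx.accept(f1)]

if __name__ == "__main__":
    print(demo())
```

The genuine second frame is still accepted after the two modified copies are dropped, because the replay counter advances only once a tag has verified.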
37
Conclusion
38
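WiMAX PKM Protocol (message flow between SS and BS)
AK exchange
● SS → BS: Authentication information: X.509 certificate
● SS → BS: Authorization request: X.509 certificate, capability, Basic CID
● BS: 1. Verify the identity of the SS. 2. Generate the AK and encrypt it with the public key from the certificate.
● BS → SS: Authorization reply: encrypted AK, SAIDs, SQN AK, …
● SS: Decrypt the AK.
TEK exchange (must be carried out first for every data transport connection)
● SS → BS: Key request: SAID, HMAC-Digest, …
● BS: 1. Verify the HMAC-Digest using the SHA algorithm. 2. Generate the TEK. 3. Derive the KEK from the AK and use it to encrypt the TEK.
● BS → SS: Key reply: encrypted TEK, CBC IV, HMAC-Digest, …
● SS: 1. Verify the HMAC-Digest using SHA. 2. Compute the KEK from the AK to decrypt the TEK.
● Data exchange (encrypted with the TEK)
HMAC-Digest: used to verify the integrity of the data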
39
Conclusion
● Bidirectional authorization is needed
● A more flexible authentication method is required
  - EAP authentication
● Improve key derivation
  - Include the system identity (i.e., SSID)
  - Key freshness: include random numbers from both SS and BS
● Prefer AES to DES for data encryption
40
References
● IEEE Std 802.16-2001, Standard for Local and Metropolitan Area Networks, Part 16: "Air Interface for Fixed Broadband Wireless Access Systems," IEEE Press, 2001
● IEEE Std 802.16-2004 (Revision of IEEE Std 802.16-2001)
● Johnston, David and Walker, Jesse of Intel (2004), "Overview of IEEE 802.16 Security," published by the IEEE Computer Society
● http://www.seas.gwu.edu/~cheng/388/LecNotes2006/