
Air-Interface Application Layer Security (A2LS). Wireless secure communications group, Whippany.


1 Air-Interface Application Layer Security (A2LS). Wireless secure communications group, Whippany

2 EVDO Security layer moving to BTS
- The MAC layer in the forward link does channel-sensitive scheduling
  - The turn-around time between the DRC report by the mobile and scheduling by the network is 3 to 4 slots; a lower turn-around time gives higher capacity, which forces the MAC layer to be implemented at the BTS
- Rev 0 was designed for best-effort data (tolerates delay)
  - Layers above the MAC can be implemented at the RNC
- Rev A is designed for best-effort and delay-sensitive services (VoIP/IP video/PTT)
  - Granular MAC layer formats introduced: single-user multiple packets and multi-user packets
  - The size of the MAC payload is decided by scheduling
  - Preformatted application layer packets cannot be used, i.e., RLP/SLP is implemented in the BTS for efficient packing
  - Consequently, the security layer is implemented at the BTS

3 Issues to evaluate
- Encryption at the BTS exposes traffic/signaling between the anchor point and the serving network element
  - Forces sharing of keys with many base stations (simultaneously, due to soft handoff)
- In the reverse link, every network element that decodes the packet will also have to decrypt
  - Decryption cannot be left to the anchor point if reverse link security is also performed at the base station
- Inefficiencies due to explicit cryptosync and message authentication
  - The current standard adds 16 bits per MAC packet for cryptographic synchronization
  - Message authentication is performed on MAC packets (as opposed to higher layer packets), leading to high overhead; with multi-user and multi-stream MAC in Rev A and beyond, the overhead is even more pronounced
- The current Security Layer cannot distinguish streams
  - No distinction between signaling and traffic, and no distinction within traffic streams

4 Bit Budget for VoIP (Air interface)
- Full-rate EVRC frame: 176 bits (byte boundaries)
- RTP+UDP+IP replaced by a ROHC header
  - ROHC adds 8 bits (type 0 packet), 16 bits (type 1 packet), 24 bits (type 0 packet with UDP CRC) or 32 bits (type 1 packet with UDP CRC), where type 1 = first packet after "silence"
- RLP overhead plus Stream header plus MAC header = 18 bits
- Total MAC layer packet can be up to 226 bits long
- Physical layer packet: 256 bits (includes 30 CRC + tail bits), so 226 bits of MAC packet is exactly what fits
- If encrypted at the Security Layer (current standard), an extra 16 bits of crypto-sync must be added
  - The PHY layer is then forced to use the next larger size (512-bit) packet, which may lead to a drop in capacity

5 VoIP with ROHC and Air Interface Encryption
Header stack for one voice frame (bits), as drawn on the slide:
  EVRC <=176 | PAD | RTP 96 | UDP 64 | IP 160 (padded to a multiple of 32)     up to 516 bits
  EVRC <=176 | ROHC <=32                                                        up to 208 bits
  EVRC <=176 | ROHC <=32 | RLP+STR 14+2=16                                      up to 224 bits
  EVRC <=176 | ROHC <=32 | RLP+STR 16 | SEC 16                                  up to 240 bits
  EVRC <=176 | ROHC <=32 | RLP+STR 16 | SEC 16 | MAC 2 | CRC+Tail 30            up to 272 bits
RLP header (14 bits, VoIP): LinkFlowID 5, Route 1, First 1, Last 1, SEQ 6.
SEC 16 = extra bits needed for encryption (explicit cryptosync).
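The bit budget on slides 4 and 5 as a small calculator, added here as an example and not part of the deck. The bit counts are the slides' own; the ladder of PHY packet sizes the scheduler can choose from is my assumption (the deck only names the 256- and 512-bit sizes), and the function and constant names are mine.

```python
# Added example (not from the A2LS deck): EVDO VoIP air-interface bit budget.
# Bit counts follow slides 4 and 5; PHY_PACKET_SIZES is an assumption.

EVRC_FULL_RATE_BITS = 176        # full-rate EVRC frame, byte aligned (22 bytes)
RLP_HEADER_BITS = 14             # LinkFlowID 5 + Route 1 + First 1 + Last 1 + SEQ 6 (slide 5)
STREAM_HEADER_BITS = 2
MAC_HEADER_BITS = 2
PHY_CRC_TAIL_BITS = 30           # CRC + tail bits inside the PHY packet
EXPLICIT_CRYPTOSYNC_BITS = 16    # added per MAC packet by the current security layer
PHY_PACKET_SIZES = (256, 512, 1024, 2048)   # assumption: sizes the scheduler may pick

ROHC_HEADER_BITS = {
    "type0": 8,
    "type1": 16,                 # type 1 = first packet after a silence period
    "type0+udpcrc": 24,
    "type1+udpcrc": 32,
}


def mac_packet_bits(rohc="type1+udpcrc", explicit_cryptosync=False,
                    voice_bits=EVRC_FULL_RATE_BITS):
    """Size of the MAC-layer packet carrying one voice frame."""
    bits = (voice_bits + ROHC_HEADER_BITS[rohc] + RLP_HEADER_BITS
            + STREAM_HEADER_BITS + MAC_HEADER_BITS)
    if explicit_cryptosync:
        bits += EXPLICIT_CRYPTOSYNC_BITS
    return bits


def phy_packet_bits(mac_bits):
    """Smallest PHY packet that holds the MAC packet plus CRC and tail bits."""
    for size in PHY_PACKET_SIZES:
        if mac_bits + PHY_CRC_TAIL_BITS <= size:
            return size
    raise ValueError("MAC packet larger than any PHY packet size")


def cryptosync_penalty(rohc):
    """Extra PHY bits per voice frame caused by the explicit 16-bit cryptosync."""
    plain = phy_packet_bits(mac_packet_bits(rohc))
    synced = phy_packet_bits(mac_packet_bits(rohc, explicit_cryptosync=True))
    return synced - plain


def budget_table():
    """One row per ROHC header type: MAC/PHY bits without and with explicit cryptosync."""
    rows = []
    for rohc in ROHC_HEADER_BITS:
        mac_plain = mac_packet_bits(rohc)
        mac_synced = mac_packet_bits(rohc, explicit_cryptosync=True)
        rows.append((rohc, mac_plain, phy_packet_bits(mac_plain),
                     mac_synced, phy_packet_bits(mac_synced)))
    return rows


if __name__ == "__main__":
    print(f"{'ROHC':14} {'MAC':>5} {'PHY':>5} {'MAC+sync':>9} {'PHY+sync':>9}")
    for rohc, m, p, ms, ps in budget_table():
        print(f"{rohc:14} {m:5} {p:5} {ms:9} {ps:9}")
```

The worst-case row (type 1 with UDP CRC) reproduces the slide: 226 MAC bits fit a 256-bit PHY packet, and the 16 cryptosync bits push it to 512. The table also shows that for the ROHC types without the UDP checksum the 16 bits still fit in 256 bits, so whether the explicit cryptosync costs a whole PHY size step depends on which ROHC packet type the flow is carrying.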

6 Air-Interface Application Layer Security (A2LS)
- The A2LS function is placed in the same layer as RLP/SLP, but performed prior to fragmentation in the transmitter and after reassembly in the receiver
  - EVDO: A2LS can be implemented at the anchor point, which addresses the disadvantages of BTS encryption
  - A2LS prevents the degradation in capacity due to security: it is synchronized with the RLP layer (between RNC and BTS), creates a cryptosync by relying on the "byte stream" numbering of RLP/SLP frames, and requires no explicit transmission of extra cryptosync bits
  - The "Air-Interface Application Layer" is the network ingress/egress point (a logical layer)
  - More flexible: selective and differentiated application of security primitives depending on the stream and the type of data

7 Logical layering and implementation
Protocol stack, bottom to top:
- Physical Layer
- EVDO MAC Layer
- EVDO Security Layer
- Connection Layer
- Session Layer
- Stream Layer
- Air-interface Application Layer (RLP, SLP): where security is introduced = A2LS
- PPP Layer (for data)
- IP Layer
- Transport Layer (UDP, TCP)
- Application Layer (HTTP, RTP, RTSP, etc.)
Network elements drawn against the stack: BTS, RNC, PDSN, Client/Server.

8 Three Concepts of A2LS
- Link Layer Assisted Encryption
- Link Layer Assisted Implicit Message Authentication (IMA)
  - A mechanism to "authenticate" packets without a MAC tag, i.e., no overhead
- Link Layer Assisted Explicit Message Authentication
- All of the above concepts use an implicit cryptosync, i.e., no overhead
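A toy model of the implicit cryptosync that slides 6 and 8 rely on, added here as an example; it is not the deck's design or any vendor's code. The cryptosync is the RLP/SLP byte-stream number of each byte, which transmitter and receiver both track anyway, so no sync bits go over the air and encryption happens on the whole packet before fragmentation. Everything beyond that sentence is my assumption: HMAC-SHA256 as a counter-mode keystream generator standing in for the real cipher, an RLP frame whose 6-bit SEQ carries the byte-stream offset mod 64 (the deck only lists the field widths), no RLP retransmission (as for delay-sensitive traffic), and all class and function names.

```python
# Added example, not from the A2LS deck: link-layer-assisted encryption with an implicit
# cryptosync taken from the RLP byte-stream numbering. Assumptions of mine, not the deck's:
# HMAC-SHA256 as a counter-mode keystream generator in place of the real cipher; a frame
# whose 6-bit SEQ carries the byte-stream offset mod 64; no RLP retransmission.
import hashlib
import hmac
import struct
from dataclasses import dataclass

SEQ_MODULUS = 64                        # 6-bit SEQ field
BLOCK = hashlib.sha256().digest_size    # 32 keystream bytes per PRF call


def keystream(key: bytes, stream_id: int, start: int, length: int) -> bytes:
    """Keystream for absolute byte positions start .. start+length-1 of one stream.
    Block k covers positions [32k, 32k+32); (stream_id, k) is the implicit cryptosync."""
    out, pos, end = bytearray(), start, start + length
    while pos < end:
        k, within = divmod(pos, BLOCK)
        block = hmac.new(key, struct.pack(">BQ", stream_id, k), hashlib.sha256).digest()
        take = min(BLOCK - within, end - pos)
        out += block[within:within + take]
        pos += take
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class RlpFrame:
    seq: int        # byte-stream offset of payload[0], mod 64
    first: bool     # first fragment of an application packet
    last: bool      # last fragment of an application packet
    payload: bytes  # ciphertext fragment; there is no cryptosync field


class SyncLost(Exception):
    """Receiver byte count no longer matches the transmitter's; a resync is needed."""


class Sender:
    def __init__(self, key: bytes, stream_id: int):
        self.key, self.stream_id, self.offset = key, stream_id, 0

    def send(self, packet: bytes, fragment_sizes):
        """Encrypt the whole packet first, then fragment it as the scheduler dictates."""
        ct = xor(packet, keystream(self.key, self.stream_id, self.offset, len(packet)))
        frames, pos, i = [], 0, 0
        while pos < len(ct):
            n = fragment_sizes[min(i, len(fragment_sizes) - 1)]  # last size repeats
            chunk = ct[pos:pos + n]
            frames.append(RlpFrame((self.offset + pos) % SEQ_MODULUS, pos == 0,
                                   pos + len(chunk) == len(ct), chunk))
            pos, i = pos + len(chunk), i + 1
        self.offset += len(ct)   # offsets are never reused under one key: no two-time pad
        return frames


class Receiver:
    def __init__(self, key: bytes, stream_id: int):
        self.key, self.stream_id, self.offset = key, stream_id, 0
        self.packet_start, self.buf = None, bytearray()

    def receive(self, frame: RlpFrame):
        """Reassemble; return the decrypted packet on the last fragment, else None."""
        if frame.seq != self.offset % SEQ_MODULUS:
            raise SyncLost(f"expected seq {self.offset % SEQ_MODULUS}, got {frame.seq}")
        if frame.first:
            self.packet_start, self.buf = self.offset, bytearray()
        elif self.packet_start is None:
            raise SyncLost("continuation fragment without a first fragment")
        self.buf += frame.payload
        self.offset += len(frame.payload)
        if not frame.last:
            return None
        ct, start = bytes(self.buf), self.packet_start
        self.packet_start = None
        return xor(ct, keystream(self.key, self.stream_id, start, len(ct)))


def demo() -> bool:
    """Three constructed 22-byte (176-bit) voice frames, fragmented differently per packet."""
    key = b"\x01" * 32                              # constructed demo key
    tx, rx = Sender(key, 1), Receiver(key, 1)
    voice = [bytes([0x40 + i]) * 22 for i in range(3)]
    received = []
    for i, pkt in enumerate(voice):
        for frame in tx.send(pkt, [22] if i != 1 else [10, 12]):
            out = rx.receive(frame)
            if out is not None:
                received.append(out)
    return received == voice


def frame_loss_is_detected() -> bool:
    """Drop the second fragment of a packet: the receiver must not carry on silently."""
    key = b"\x02" * 32                              # constructed demo key
    tx, rx = Sender(key, 7), Receiver(key, 7)
    f1 = tx.send(b"hello world", [5, 6])
    rx.receive(f1[0])                               # f1[1] is lost on the air
    try:
        rx.receive(tx.send(b"abcd", [4])[0])
    except SyncLost:
        return True
    return False
```

The frames carry only the 8 header bits of this toy RLP header plus ciphertext, which is the point of the slides: the 16-bit explicit cryptosync of the current security layer disappears because both ends already know the byte-stream position. The flip side, shown by frame_loss_is_detected, is that the cryptosync now lives in shared link-layer state: once a fragment is lost without retransmission the receiver's byte count is wrong, and it must detect that and resynchronize rather than decrypt with a stale counter.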

