Security in Wireless Metropolitan Area Networks (802.16)

Broadband Wireless Access MANs link commercial and residential buildings to the Internet through a high-speed connection. Typically, an Internet service provider (ISP) supplies the MAN. The links can be dedicated high-speed lines, such as T1 (1.54 Mbps), T3 (45 Mbps), OC3 (155 Mbps), OC12 (622 Mbps), and beyond, or they can be a broadband link, i.e., a link (wire) that carries more than one channel at once, such as cable modem or a digital subscriber line (DSL). Dedicated lines provide more reliable connections and higher speeds but generally are very expensive. 10/27/2019

Cable modem and DSL, two popular, inexpensive options for Internet service for residential users and smaller businesses, currently provide around 3 Mbps (i.e., twice T1 speed) at a fraction of the cost of a dedicated line. However, a third option has become available recently and is growing in popularity: broadband wireless access (BWA).

IEEE 802.16. In late January 2003, the IEEE approved IEEE 802.16 as a standard. The first certified products are planned to be available by the end of 2004 [wimax]. 802.16 is the Working Group on broadband wireless access standards for MANs [IEEE 802.16]. The goal of the group is to provide fixed BWA to large areas. They are, in essence, competing with DSLs and cable modems.

802.16 provides fixed wireless connectivity; i.e., the source and destination do not move, typically using line-of-sight antennas. 802.16 supports communication in the 2- to 66-GHz range, in both licensed and unlicensed bands. 802.16 is the only 802 protocol that supports transmission on licensed bands. Task Group A covers the 2- to 11-GHz bands, and Task Group C covers the 10- to 66-GHz bands. Task Group 2a covers the coexistence of 802.16 and 802.11 protocols on the same unlicensed frequencies.

802.16 supports three types of transmission methods at the physical layer: single-carrier modulation (SC), orthogonal frequency division multiplex (OFDM), and orthogonal frequency division multiple access (OFDMA). The unlicensed bands use OFDM, which 802.11a uses as well. Security for 802.16 is provided by a privacy sublayer.

802.16 Security. The privacy sublayer protects the transmitted data by providing security mechanisms for authentication and data encryption. Since MANs provide Internet connectivity service from a provider to a paying subscriber, the provider must verify the identity of the subscriber. A key management protocol, Privacy Key Management (PKM), allows the BS to control access to the network and the SS and BS to exchange keys. The encapsulation protocol encrypts the packet data that are transmitted. Only the packet data (the MAC PDU payload) is encrypted; the header information is not. MAC management messages also are not encrypted [IEEE 802.16].

The privacy sublayer is based on the Baseline Privacy Interface Plus (BPI+) specification for Data Over Cable System Interface Specification (DOCSIS). Each customer transceiver, the SS, has its own digital certificate, which it uses for authentication and key exchange.

Key management. The PKM protocol uses X.509 digital certificates, the RSA public key encryption algorithm, and strong symmetric encryption for key exchange between the BS and the SS. As in many other systems, it uses a hybrid approach of public and symmetric encryption.

In the initial authorization exchange, the BS (server) authenticates the SS (client) through use of the X.509 certificate. Each SS is issued a certificate by the manufacturer, which contains the SS's public key and MAC address. When the BS receives a certificate from an SS, it verifies the certificate and then uses the SS's public key to encrypt the authorization key. By using the certificate for authentication, the BS prevents an attacker from using a cloned SS to masquerade as a legitimate subscriber and steal service from the BS. An attacker that does not hold the private key corresponding to the SS's certificate could not decrypt the authorization key sent by the BS and therefore could not steal service from the BS.


Security associations. A security association (SA) is the set of security information shared by the BS and one or more SSs to support secure communications. 802.16 defines three types of SAs:
- Primary: a primary security association is established during the initialization process of the SS.
- Static: static SAs are provisioned within the BS.
- Dynamic: dynamic SAs are created and destroyed as specific service flows are created and destroyed.

The SA's shared information may include the cryptographic suite employed, as well as the traffic encryption key (TEK) and initialization vectors (IVs). An SAID identifies each SA. A cryptographic suite is the SA's set of methods for data encryption, data authentication, and TEK exchange. Currently, 802.16 supports the following two cryptographic suites:
- No encryption, no authentication, and 3-DES with a 128-bit key
- CBC mode, 56-bit DES, no authentication, and 3-DES with a 128-bit key

Keying material lifetime. The SA's keying material includes the data encryption standard (DES) key and the CBC IV and has a limited lifetime. The BS informs the SS of the remaining lifetime of the keying material when it is delivered to the SS. The SS must request new keying material from the BS before the current one expires. If the current one does expire before a new one is received, the SS must perform a network entry (i.e., reinitialize and start over).

The AK lifetime is 7 days, and the grace time timer is 1 hour. The grace time specifies the time before the AK expires at which reauthorization is scheduled to begin. It provides the SS with enough time to reauthorize, allowing for delays, before the current authorization key expires.

Subscriber station (SS) authorization. The SS first sends an authentication information message to the BS containing the manufacturer's X.509 certificate. The SS then sends an authorization request to the BS containing:
- The SS's X.509 certificate issued by the manufacturer
- A description of supported cryptographic algorithms
- A connection identifier (CID)

After the BS has validated the request, it creates an authorization key and encrypts it with the SS's public key. The reply includes:
- The encrypted AK
- A 4-bit sequence number to distinguish different AKs
- The key's lifetime
- The identifier for the SA (SAID)

After initial authorization, an SS reauthorizes itself periodically with the BS. Successive generations of AKs have overlapping lifetimes to avoid service interruptions, so the SS and BS can have two simultaneously active AKs. Once the BS has an AK, it can obtain a TEK.

Encryption. For each SA, the SS requests a key from the BS. The SS sends a key request message, and the BS sends a key reply containing the keying material. The TEK in the message is triple-DES encrypted using a two-key triple-DES key encryption key (KEK) derived from the AK. The reply also contains the CBC IV and the lifetime of the key. As with the authorization key, the SS maintains two overlapping keys. The second key becomes active halfway through the life of the first key, and the first expires halfway through the life of the second, causing the SS to send a new key request to the BS. Each successive key maintains this half-step synchronization.
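The overlapping key lifetimes described in the keying-material, authorization and encryption slides above, as an added worked model (this is illustrative code written for this page, not code from the slides or from the 802.16 standard). It uses the 7-day AK lifetime, 1-hour grace time and 4-bit AK sequence number stated on the slides; the 12-hour TEK lifetime is an assumption, since the slides give no value, and the names Key, KeyRing, simulate_ak, simulate_tek and active_at are this example's own. Key bytes are random placeholders standing in for real keying material.

```python
# Added example: a toy scheduler for the overlapping AK and TEK lifetimes
# described on the slides. Times are integer seconds from network entry.
import os
from dataclasses import dataclass, field

AK_LIFETIME = 7 * 24 * 3600   # 7 days, as stated on the slides
AK_GRACE = 3600               # 1-hour grace time, as stated on the slides
TEK_LIFETIME = 12 * 3600      # assumed; the slides give no TEK lifetime


@dataclass
class Key:
    seq: int            # sequence number (4-bit for AKs per the slides)
    start: int          # activation time
    lifetime: int       # seconds until expiry
    material: bytes = field(default_factory=lambda: os.urandom(16))  # placeholder

    @property
    def expiry(self) -> int:
        return self.start + self.lifetime


class KeyRing:
    """Holds at most two simultaneously active keys of one kind, as on the slides."""

    def __init__(self, lifetime: int, seq_bits: int = 4):
        self.lifetime = lifetime
        self.seq_mask = (1 << seq_bits) - 1
        self.next_seq = 0
        self.keys: list[Key] = []

    def issue(self, now: int) -> Key:
        """Activate a new key now, drop expired keys, keep only the two newest."""
        key = Key(self.next_seq, now, self.lifetime)
        self.next_seq = (self.next_seq + 1) & self.seq_mask  # 4-bit wrap: 15 -> 0
        self.keys = [k for k in self.keys if k.expiry > now] + [key]
        self.keys = self.keys[-2:]
        return key


def simulate_ak(horizon: int) -> list:
    """AK schedule: reauthorization starts 'grace' seconds before the newest AK
    expires, so successive AKs overlap by the grace time. Returns (seq, start)."""
    ring = KeyRing(AK_LIFETIME)
    key = ring.issue(0)
    history = [(key.seq, key.start)]
    now = key.expiry - AK_GRACE            # next scheduled reauthorization
    while now < horizon:
        key = ring.issue(now)
        history.append((key.seq, key.start))
        now = key.expiry - AK_GRACE
    return history


def simulate_tek(horizon: int) -> list:
    """TEK half-step schedule: the second key activates halfway through the
    first; whenever the older active key expires, the next one is requested."""
    ring = KeyRing(TEK_LIFETIME)
    key = ring.issue(0)
    history = [(key.seq, key.start)]
    now = TEK_LIFETIME // 2                # second key starts at the half-way point
    while now < horizon:
        key = ring.issue(now)
        history.append((key.seq, key.start))
        now = ring.keys[0].expiry          # oldest key expires -> new key request
    return history


def active_at(history: list, lifetime: int, now: int) -> list:
    """Sequence numbers of the keys from a schedule that are active at 'now'."""
    return [seq for seq, start in history if start <= now < start + lifetime]


if __name__ == "__main__":
    for seq, start in simulate_ak(30 * 24 * 3600):
        print(f"AK seq={seq:2d} active from day {start / 86400:.2f}")
    for seq, start in simulate_tek(2 * TEK_LIFETIME):
        print(f"TEK seq={seq:2d} active from hour {start / 3600:.1f}")
```

Running the schedule for 30 days shows each new AK activating one hour before its predecessor expires, so the two-key overlap is exactly the grace time; the TEK schedule produces a new key every half lifetime with two keys active at all times after the first half-period. The 4-bit sequence number wraps after 16 keys, which is why the slides describe it only as distinguishing the two currently active AKs rather than identifying a key for all time.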

Problems and Limitations. Authentication occurs only in one direction; specifically, the base station authenticates the subscriber station, but not vice versa. Authentication is based on X.509 certificates, which are difficult to administer. The RSA algorithm is used for key establishment, which may be too compute-intensive and slow for some devices or may require more expensive hardware.

DES is used for one of the encryption suites, which is not regarded as secure. There is no data authentication, which is regarded as mandatory in the wireless environment. In addition, there is no data replay protection.
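The two missing properties named on this slide, data authentication and replay protection, as an added receiver-side example (illustrative code written for this page, not part of the slides or of any 802.16 implementation). The frame layout (32-bit sequence number, payload, truncated HMAC-SHA256 tag), the per-SA key and the names protect and Receiver are constructed for this example; the page's DES-CBC suite provides neither check, so a modified or re-sent payload would be accepted as-is there.

```python
# Added example: the integrity and anti-replay checks that the slides note
# are absent from the 802.16 suites, written as a minimal receiver.
import hashlib
import hmac
import struct

TAG_LEN = 8          # truncated HMAC-SHA256 tag appended to each frame
SEQ_LEN = 4          # 32-bit big-endian sequence number prefix


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = seq || payload || HMAC(key, seq || payload)[:TAG_LEN]."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Accepts a frame only if its tag verifies and its sequence number is
    strictly newer than every sequence number accepted so far."""

    def __init__(self, key: bytes):
        self.key = key        # per-SA authentication key (constructed)
        self.highest = -1     # highest sequence number accepted so far

    def accept(self, frame: bytes):
        """Return (payload, 'ok') or (None, reason) for a rejected frame."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None, "truncated"
        header = frame[:SEQ_LEN]
        payload = frame[SEQ_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; a modified payload or forged frame fails here.
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"
        seq = struct.unpack(">I", header)[0]
        # Data replay protection: a re-sent or out-of-date frame is dropped.
        if seq <= self.highest:
            return None, "replay"
        self.highest = seq
        return payload, "ok"


if __name__ == "__main__":
    key = b"constructed-per-SA-key"        # placeholder, not real keying material
    rx = Receiver(key)
    frame = protect(key, 1, b"meter reading 42")
    print(rx.accept(frame))                # accepted
    print(rx.accept(frame))                # same frame again -> replay
    damaged = bytearray(frame)
    damaged[SEQ_LEN] ^= 0x01               # flip one payload bit
    print(rx.accept(bytes(damaged)))       # bad tag
```

The sequence number is covered by the tag, so it cannot be edited to slip an old frame past the replay check, and the check itself is what turns the counter into replay protection; with a 32-bit counter the key must be replaced before the counter wraps, which is the same kind of lifetime constraint the slides describe for the TEK.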