1. Security and the Protocol Reference Model Enhancements in IEEE 802.22
Month Year
doc.: IEEE yy/xxxxr0
May 2008
Security and the Protocol Reference Model Enhancements in IEEE
IEEE P Wireless RANs Date:
Authors:
Notice: This document has been prepared to assist IEEE It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE
Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair
Carl R. Stevenson as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE Working Group. If you have questions, contact the IEEE Patent Committee Administrator at
Apurva N. Mody, BAE Systems
John Doe, Some Company

2. Month Year
doc.: IEEE yy/xxxxr0
May 2008
Abstract
This presentation focuses on Protocol Reference Model (PRM) and Security enhancements in
The Spectrum Manager in the current PRM (802.22_Draftv1.0) resides in the MLME. However, the MLME falls outside the scope of the standard and as a result so does the Spectrum Manager
The current draft does not specify where the Security Sublayer resides and what its functions should be. Also, no security mechanisms are provided to authenticate the sensing and geolocation information as well as the information coming from the incumbent database.
Inadequate security features may expose wireless networks to be misused by anti-social elements and terrorists, resulting in Denial of Service attacks and Information Operations.
IEEE based networks are even more susceptible since they are likely to operate in un-licensed bands with cognitive radio techniques.
Hence, in order to overcome the shortfalls mentioned above, we propose a Modification to the PRM which separates the Cognitive Plane from the Data, Control and Management planes, allowing functionality specific attributes to be defined for each plane.
The Data/ Control and Management Plane functionality remains unchanged.
The Cognitive Plane consists of the Spectrum Sensing Function, the Geolocation function and the Spectrum Manager / Spectrum Automaton.
We suggest security feature enhancements for the Cognitive Plane, as well as some additional features which are based on the new m SDD call for proposals
Apurva N. Mody, BAE Systems
John Doe, Some Company

3. The IEEE 802.16 Protocol Reference Model (PRM)
May 2008
The IEEE Protocol Reference Model (PRM)
In the IEEE PRM, the MLME falls outside the scope of the standard
Apurva N. Mody, BAE Systems

4. May 2008
Shortfalls of the Current BS/ CPE Protocol Reference Model (PRM)
In the current PRM, (802.22_Draftv1.0) Spectrum Manager resides in the MLME. However, MLME falls outside the scope of the standard and as a result so does the Spectrum Manager
Information from the SSF and Geolocation is not provided to the SM directly.
Security Sub-layer and its features are not defined
No security functionalities are specified to authenticate the sensing (DTV, TG1 beacon) and geolocation information
No security functionalities are specified to authenticate the information coming from the incumbent database.
Apurva N. Mody, BAE Systems

5. Proposed Cognitive Radio PRM for 802.22
May 2008
Proposed Cognitive Radio PRM for
Apurva N. Mody, BAE Systems

6. Features of the Proposed Cognitive Radio PRM for 802.22
May 2008
Features of the Proposed Cognitive Radio PRM for
Separates the Cognitive Plane from the Data, Control and Management planes, allowing functionality specific attributes to be defined for each plane.
The Data/ Control and Management Plane functionality remains unchanged.
The Cognitive Plane consists of the Spectrum Sensing Function, the Geolocation function and the Spectrum Manager / Spectrum Automaton.
Spectrum Manager resides in the Cognitive Plane at the same layer as the MAC in the Data/ Control Plane.
Spectrum manager interfaces directly with the Spectrum Sensing and the Geolocation functions.
Modular security features may be added to protect the data, authenticate the sensing and geo-location information, as well as authenticate the information coming from the incumbent database.
Apurva N. Mody, BAE Systems

7. May 2008
Cognitive Radio Interface Diagram with Security Sub-Layer Modularization
A cognitive communications device must include security and authentication features for the Cognitive Plane, in addition to the Data and Control / Management Planes
A Cognitive Plane consists of the Spectrum Sensing Function, the Geolocation Function and the Spectrum Manager
The proposed PRM creates Four Security Sub-layers with dedicated and modular security functionality. The detailed functionality of each of the layers needs to be defined (Security Ad-Hoc)
Apurva N. Mody, BAE Systems

8. Sensing using multiple cognitive devices and / or
May 2008
Suggested Security and Authentication Features for Spectrum Sensing – Authenticating the TV Signals
NTSC, ATSC DTV and DVB-T signals must be authenticated to avoid unwanted Denial of Service (DoS) attacks
Authentication of the NTSC, ATSC DTV and DVB-T signals may be carried out using
Multiple sources for confirmation such as sensing and the incumbent database, and / or
Sensing using multiple cognitive devices and / or
Sensing for a long continuous period of time to ensure that the signal is indeed originating from a valid source.
Apurva N. Mody, BAE Systems

9. Beacon sensing using multiple cognitive devices and / or
May 2008
Suggested Security and Authentication Features for Spectrum Sensing – Authenticating Wireless Microphones and TG1 Beacons
Signals originating Wireless Microphones and TG1 Beacons must be authenticated to avoid unwanted Denial of Service (DoS) attacks
Authentication of the SPDs such as wireless microphone signals may be carried out
At the Security Sub-layer in the Cognitive Plane using the security features embedded in the TG1 beaconing signal
Multiple sources such as beacon sensing and the incumbent database, and / or
Beacon sensing using multiple cognitive devices and / or
Control information handshake between the cognitive device and the PPD / SPD / NPD.
Apurva N. Mody, BAE Systems

10. WRAN discovery must be authenticated using
May 2008
Suggested Security and Authentication Features for Spectrum Sensing – Authenticating WRAN Discovery
WRAN discovery must be authenticated using
Capture of a valid Superframe Control Header (SCH)
Three-way confirmation handshake with the WRAN that is currently occupying the current channel
Periodic updates and refresh to ensure continued usage
Local (country dependent) database
Apurva N. Mody, BAE Systems

11. The geolocation information must be authenticated for its validity.
May 2008
Suggested Security and Authentication Features for Geolocation – Authenticating Geolocation Info.
The geolocation information must be authenticated for its validity.
The geolocation authentication may be device and / or algorithm dependent
The underlying signals used as a reference for geolocation must be authenticated.
Authentication features for both the Global Positioning System (GPS) based geolocation as well as other soft algorithms should be clearly defined in the standard.
Apurva N. Mody, BAE Systems

12. May 2008
Suggested Security and Authentication Features between the Spectrum Manager – MAC Common Part Sublayer Interface
The interface diagram shows a modular format with the data / control plane and the cognitive plane.
The information provided to the SM from the incumbent database must be authenticated
The information provided by the spectrum manager to the MAC Common Part Sublayer must be authenticated and protected through various security and privacy features.
The sensing and geolocation information transmitted to various other devices in the network must be encrypted.
Apurva N. Mody, BAE Systems

13. Management message protection (encryption and integrity protection)
May 2008
Other Security, Authentication and Privacy Features Recommended for
Management message protection (encryption and integrity protection)
MAC header protection (encryption and integrity protection)
Key management enhancement with secure and efficient key establishments and distribution
Certificate revocation enhancement
Mitigations of network attacks including authentication attacks (BS and SS impersonations and passive eaves dropping attack), replay attacks (key reuse attack), denial of service (packet forgery), weak key attack, and man-in-the-middle-attack
Apurva N. Mody, BAE Systems

14. Security at Various Stages of the Network Entry in 802.22
May 2008
Security at Various Stages of the Network Entry in
Authentication, security association, enabling the MAC management message transmission, and establishment of traffic encryption keys (PKM-REQ/PKM-RSP)
The SS searches the preamble; once found, it decodes the Frame Control Header (FCH)
Once the DL is synchronized, the SS decodes MAP/DCD and MAP/UCD to learn the timing of the UL initial ranging (contention) slot and the DL/UL transmission parameters. DL/UL-MAP goes in every frame to inform and schedule SSs.
(REG-REQ/REG-RSP)
The SS acquires an IP address. The establishment of IP connectivity shall be performed on the SS's Secondary Management Connection (SMC).
Ranging (RNG-REQ/RNG-RSP) is to obtain correct frequency offset, timing and power adjustments
The SS negotiates the following capabilities (SBC-REQ/SBC-RSP) with the BS: Max. transmit power, modulation/coding schemes, H-ARQ using management connections.
Set up transport connections that will carry e.g. IP traffic (DSA-REQ/DSA-RSP/DSA-RVD)
MAP contains allocation for both initial ranging and periodic ranging.
SBC: SS Basic Capability
DCD: DL channel descriptor
UCD: UL channel descriptor
Apurva N. Mody, BAE Systems

15. Security at Various Stages of the Network Entry in 802.22
May 2008
Security at Various Stages of the Network Entry in
MAP and FCH can be protected
This is optional
Use the pre-shared key (via vendor or user certificate)
Once the pre-shared key is installed, the user is able to scan the DL
If you do not do this step initially, follow default.
No need to protect RNG-REQ - Signatures may be used to protect malicious flooding attack
Need to protect RNG-RSP since the basic CID and primary management uniquely identify the station
No need to protect SBC-REQ - Signatures may be used to protect malicious flooding attack
Need to protect SBC-RSP since it carries basic CID
No change for authentication since the contents of PKM are protected
No change for registration since the contents of REG are protected
DSA messages are required for path set up and admission control
DSA messages can be protected
The MAC header has only CRC – MAC headers need to be protected
Periodic ranging needs to be protected in the same manner as the initial ranging
Apurva N. Mody, BAE Systems

16. May 2008
Conclusions
This presentation focused on Protocol Reference Model (PRM) and Security enhancements in
The Spectrum Manager in the current PRM (802.22_Draftv1.0) resides in the MLME. However, the MLME falls outside the scope of the standard and as a result so does the Spectrum Manager
The current draft does not specify where the Security Sublayer resides and what its functions should be. Also, no security mechanisms are provided to authenticate the sensing and geolocation information as well as the information coming from the incumbent database.
Inadequate security features may expose wireless networks to be misused by anti-social elements and terrorists, resulting in Denial of Service attacks and Information Operations.
IEEE based networks are even more susceptible since they are likely to operate in un-licensed bands with cognitive radio techniques.
Hence, in order to overcome the shortfalls mentioned above, we proposed a Modification to the PRM which separated the Cognitive Plane from the Data, Control and Management planes, allowing functionality specific attributes to be defined for each of the planes.
The Data/ Control and Management Plane functionality remained unchanged.
The Cognitive Plane consisted of the Spectrum Sensing Function, the Geolocation function and the Spectrum Manager / Spectrum Automaton.
We suggested security feature enhancements for the Cognitive Plane, as well as some additional features which are based on the new m SDD call for proposals
Apurva N. Mody, BAE Systems

17. May 2008
References
WRAN Protocol Reference Model – Contribution _WRAN_PRM.ppt
Security Enhancement for e - A SDD Proposal for m
Apurva N. Mody, BAE Systems