
Guide to Security for WiMAX Technologies (draft)

This document was OCR-scanned; the content may be inaccurate.
This document has been checked for duplicates.


DOCUMENT INFORMATION

Basic information

Title: Guide to Security for WiMAX Technologies (draft)
School: Sample University
Major: Wireless Communication and Network Security
Category: Teaching methodology documents
Year of publication: 2024
City: Hanoi
Format:
Pages: 44
Size: 1.52 MB


Contents


Page 1

NIST Special Publication 800-127

National Institute of Standards and Technology
U.S. Department of Commerce

Guide to Securing WiMAX Wireless Communications

Recommendations of the National Institute of Standards and Technology

Karen Scarfone
Cyrus Tibbs
Matthew Sexton

Page 2

NIST Special Publication 800-127
Guide to Securing WiMAX Wireless Communications
Recommendations of the National Institute of Standards and Technology
Karen Scarfone, Cyrus Tibbs, Matthew Sexton

September 2010

Page 3

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

National Institute of Standards and Technology Special Publication 800-127
Natl. Inst. Stand. Technol. Spec. Publ. 800-127, 44 pages (September 2010)

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

Page 4

Acknowledgments

The authors, Karen Scarfone of the National Institute of Standards and Technology (NIST) and Cyrus Tibbs and Matthew Sexton of Booz Allen Hamilton, wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content, particularly Lily Chen and Tim Grance of NIST and Bernard Eydt, Ross Schwa, and John Padgett of Booz Allen Hamilton. The authors would also like to thank the WiMAX Forum for its contributions to this publication.

Trademark Information

WiMAX, WiMAX Forum, WiMAX Certified, and WiMAX Forum Certified are trademarks or registered trademarks of the WiMAX Forum. All other names are trademarks or registered trademarks of their respective owners.

Page 5

Table of Contents

2 Overview of WiMAX Technology
3 WiMAX Security Features
3.2.1 IEEE 802.16-2004 Authentication and Authorization
3.2.2 IEEE 802.16-2009 and WiMAX Forum Network Architecture Release 1.5 ... 25
3.3 Encryption Key Establishment
3.4 Data Confidentiality
3.5 IEEE 802.16j-2009 Multi-Hop Relay Security Architecture
4 Vulnerabilities, Threats, and Countermeasures for WiMAX Systems
Appendix B — Acronyms and Abbreviations

Page 6

List of Figures

List of Tables

Table 2-1. Additional IEEE 802.16 Standards and Amendments ... 27
Table 4-1. Vulnerabilities, Threats, and Countermeasures Summary ... 49

Page 7

Executive Summary

WiMAX technology is a wireless metropolitan area network (WMAN) communications technology that is largely based on the wireless interface defined in the IEEE 802.16 standard. The industry trade association, the WiMAX Forum, coined the WiMAX trademark and defines the precise content and scope of WiMAX technology through technical specifications that it creates and publishes. The original purpose of IEEE 802.16 technology was to provide last-mile broadband wireless access as an alternative to cable, digital subscriber line (DSL), or T1 service. Developments in the IEEE 802.16 standard shifted the technology's focus toward a more cellular-like, mobile architecture to serve a broader market. Today, WiMAX technology continues to adapt to market demands and provide enhanced usability. This document discusses WiMAX wireless communication topologies, components, certifications, security features, and related security concerns.

The IEEE amendment that enables mobile WiMAX operations is IEEE 802.16e-2005. Prior to its release, deployment of WiMAX networks was limited to fixed operations by the IEEE 802.16-2004 standard. Although IEEE 802.16e-2005 provides significant security enhancements to its predecessor by incorporating more robust mutual authentication mechanisms as well as support for the Advanced Encryption Standard (AES), the IEEE 802.16-2004 and 802.16e-2005 standards are not backward compatible with each other. IEEE 802.16e-2005 product certification did not start until 2008, and IEEE 802.16-2004 products are still used in many information technology (IT) environments. The most recently ratified standard is IEEE 802.16-2009, which consolidates IEEE 802.16-2004, IEEE 802.16e-2005, and other IEEE 802.16 amendments from 2004 through 2008. IEEE also released IEEE 802.16j-2009 to specify multi-hop relay networking. This publication discusses IEEE 802.16-2004, IEEE 802.16e-2005, IEEE 802.16-2009, and IEEE 802.16j-2009.

WiMAX wireless interface threats focus on compromising the radio links between WiMAX nodes. These radio links support both line-of-sight (LOS) and non-line-of-sight (NLOS) signal propagation. Links from LOS WiMAX systems are generally harder to attack than those from NLOS systems because an adversary would have to physically locate equipment between the transmitting nodes to compromise the confidentiality or integrity of the wireless link. WiMAX NLOS systems provide wireless coverage over large geographic regions, which expands the potential staging areas for both clients and adversaries. Like other networking technologies, all WiMAX systems must address threats arising from denial of service attacks, eavesdropping, man-in-the-middle attacks, message modification, and resource misappropriation.


Page 8

Organizations should assess WiMAX technical countermeasures before implementing a vendor's WiMAX technology.

As of this writing, few WiMAX products employ Federal Information Processing Standard (FIPS) validated cryptographic modules. Consequently, vendors often integrate their WiMAX products with other security solutions that meet FIPS requirements. WiMAX interoperability certifications do not extend to these add-on approaches, which means there may be no assurance that the vendor's offering will function as intended. Given the diversity in potential approaches and the risk that integration issues could affect the security of the system, organizations should work closely with WiMAX vendors to gain a better understanding of potential system configuration constraints. Organizations should independently evaluate the need for compensating controls to address technical security functionality that the WiMAX product may not address.

[…] authentication for WiMAX supporting Extensible Authentication Protocol (EAP) methods for mutual authentication, as recommended in NIST SP 800-120, Recommendation for EAP Methods Used in Wireless Network Access Authentication. EAP methods that support mutual device authentication typically also support integrated user authentication using passwords, smart cards, biometrics, or some combination of these mechanisms. WiMAX solutions that cannot meet these criteria should employ different means of authentication at a higher layer (e.g., encryption overlay or virtual private network [VPN]). Specifically, native IEEE 802.16-2004 authentication does not support mutual device authentication and thus should be avoided.

Organizations using WiMAX networks should implement FIPS-validated encryption algorithms employing FIPS-validated cryptographic modules to protect data communications.

WiMAX communications consist of management and data messages. Management messages are used to govern communications parameters necessary to maintain wireless links, and data messages carry the data to be transmitted over wireless links. Encryption is not applied to management messages, to increase the efficiency of network operations, while data messages are encrypted natively in accordance with the IEEE standards. IEEE 802.16e-2005 and IEEE 802.16-2009 support the Advanced Encryption Standard (AES) (as documented in FIPS Publication 197), whereas IEEE 802.16-2004 supports Data Encryption Standard in Cipher Block Chaining mode (DES-CBC). DES-CBC has several well-documented weaknesses, making it a vulnerable encryption algorithm that should not be used to protect data messages. Federal agency communications that require protection through encryption must use products with cryptographic functionality that is validated under the NIST Cryptographic Module Validation Program (CMVP), meeting requirements per FIPS PUB 140. For WiMAX solutions that do not support FIPS-validated algorithms employing FIPS-validated cryptographic modules, organizations needing to protect the confidentiality of their WiMAX communications should deploy overlay encryption solutions, such as a FIPS-validated virtual private network solution.

Page 9

1.1 Authority

The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.

NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets; but such standards and guidelines do not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), "Securing Agency Information Systems," as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.

This guideline has been prepared for use by Federal agencies. It may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright, although attribution is desired.

Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority, nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other Federal official.

1.2 Purpose and Scope

The purpose of this document is to provide information to organizations regarding the security capabilities of wireless communications using WiMAX networks and to provide recommendations on using these capabilities. WiMAX technology is a wireless metropolitan area network (WMAN) technology based upon the IEEE 802.16 standard. It is used for a variety of purposes, including, but not limited to, fixed last-mile broadband access, long-range wireless backhaul, and access layer technology for mobile wireless subscribers operating on telecommunications networks.

The scope of this document is limited to the security of the WiMAX air interface and user subscriber devices, to include: security services for device and user authentication; data confidentiality; data integrity; and replay protection. This document does not address WiMAX network system specifications, which address core network infrastructure and are primarily employed by commercial network operators. This publication, while containing requirements specific to Federal agencies, serves to provide security guidance to organizations considering the implementation of WiMAX systems.

1.3 Audience

This document discusses WiMAX technologies and security capabilities in technical detail. It assumes that the readers have at least some operating system, wireless networking, and security knowledge. Because of the constantly changing nature of the wireless security industry and the threats and vulnerabilities of the technologies, readers are strongly encouraged to take advantage of other resources, including those listed in this document, for more current and detailed information.

Page 10

The following list highlights people with differing roles and responsibilities that might use this document:

■ Government managers (e.g., chief information officers and senior managers) who oversee the use and security of WiMAX technologies within their organizations
■ Systems engineers and architects who design and implement WiMAX technologies
■ Auditors, security consultants, and others who perform security assessments of wireless environments
■ Researchers and analysts who want to understand the underlying wireless technologies.

1.4 Document Structure

The remainder of this document is composed of the following sections and appendices:

■ Section 2 reviews the technology components comprising the various WiMAX operating environments, the evolution of the IEEE 802.16 standard, and the WiMAX Forum product certifications.
■ Section 3 provides an overview of the security mechanisms included in the IEEE 802.16-2004, 802.16e-2005, 802.16-2009, and 802.16j-2009 specifications and highlights their limitations.
■ Section 4 examines common vulnerabilities and threats involving WiMAX technologies and makes recommendations for countermeasures to improve security.
■ Appendix A provides a glossary of key terms used in this document.
■ Appendix B consists of a list of acronyms and abbreviations used in this document.
■ Appendix C provides a list of references for this document.

Page 11

2 Overview of WiMAX Technology

A wireless metropolitan area network (WMAN) is a form of wireless networking that has an intended coverage area (a range) of approximately the size of a city. A WMAN is typically owned by a single entity such as an Internet service provider, government entity, or large corporation. Access to a WMAN is usually restricted to authorized users and subscriber devices.

The most widely deployed form of WMAN technology is WiMAX technology, which is based in large part on the IEEE 802.16 standard. The industry trade association, the WiMAX Forum, coined the WiMAX trademark and defines the precise content and scope of WiMAX technology through technical specifications that it creates and publishes. Early iterations of WiMAX technology (based on IEEE 802.16-2004 and earlier) were designed to provide fixed last-mile broadband wireless access. The IEEE 802.16e-2005 amendment added support for enhanced user mobility. The latest standard, IEEE 802.16-2009, consolidates IEEE 802.16-2004 and IEEE 802.16e-2005 in addition to IEEE 802.16 amendments approved between 2004 and 2008. IEEE also released IEEE 802.16j-2009 to specify multi-hop relay networking. This section explains the fundamental concepts of WiMAX technology, including its topologies, and discusses the evolution of the IEEE 802.16 standard.

2.1 Fundamental WiMAX Concepts

WiMAX networks have five fundamental architectural components:

■ Base Station (BS). The BS is the node that logically connects wireless subscriber devices to operator networks. The BS maintains communications with subscriber devices and governs access to the operator networks. A BS consists of the infrastructure elements necessary to enable wireless communications, i.e., antennas, transceivers, and other electromagnetic wave transmitting equipment. BSs are typically fixed nodes, but they may also be used as part of mobile solutions; for example, a BS may be affixed to a vehicle to provide communications for nearby WiMAX devices. A BS also serves as a Master Relay-Base Station in the multi-hop relay topology (described in Section 2.2).
■ Subscriber Station (SS). The SS is a stationary WiMAX-capable radio system that communicates with a base station, though it may also connect to a relay station in multi-hop relay network operations (described in Section 2.2).
■ Mobile Station (MS). An MS is an SS that is intended to be used while in motion at up to vehicular speeds. Compared with fixed (stationary) SSs, MSs typically are battery operated and therefore employ enhanced power management. Example MSs include WiMAX radios embedded in laptops and mobile phones. This document uses the term SS/MS to refer to the class of both MSs and stationary SSs.
■ Relay Station (RS). RSs are SSs configured to forward traffic to other RSs or SSs in a multi-hop Security Zone (which is discussed in Section 3.5). The RS may be in a fixed location (e.g., attached to a building) or mobile (e.g., placed in an automobile). The air interface between an RS and an SS is identical to the air interface between a BS and an SS.
■ Operator Network. The operator network encompasses infrastructure network functions that provide radio access and IP connectivity services to WiMAX subscribers. These functions are defined in WiMAX Forum technical specifications as the access service network (radio access) and the

Page 12

connectivity service network (IP connectivity). WiMAX devices communicate using two wireless message types: management messages and data messages. Data messages transport data across the WiMAX network. Management messages are used to maintain communications between an SS/MS and a BS, e.g., establishing communication parameters, exchanging security settings, and performing system registration events (initial network entry, handoffs, etc.).

IEEE 802.16 defines frequency bands for operations based on signal propagation type. In one type, it employs a radio frequency (RF) beam to propagate signals between nodes. Propagation over this beam is highly sensitive to RF obstacles, so an unobstructed view between nodes is needed. This type of signal propagation, called line-of-sight (LOS), is limited to fixed operations and uses the 10 to 66 gigahertz (GHz) frequency range. The other type of signal propagation, called non-line-of-sight (NLOS), employs advanced RF modulation techniques to compensate for RF signal changes caused by obstacles that would prevent LOS communications. NLOS can be used for both fixed WiMAX operations (below 11 GHz) and mobile operations (below 6 GHz). NLOS signal propagation is more commonly employed than LOS because of obstacles that interfere with LOS communications and because of the regulations for frequency licensing and antenna deployment in many environments that hinder the feasibility of using LOS.

2.2 Operating Topologies

There are four primary topologies for IEEE 802.16 networks: point-to-point, point-to-multipoint, multi-hop relay, and mobile. Each of these topologies is briefly described below.

2.2.1 Point-to-Point (P2P)

A point-to-point (P2P) topology consists of a dedicated long-range, high-capacity wireless link between two sites. Typically the main or central site hosts the BS, and the remote site hosts the SS, as seen in Figure 2-1. The BS controls the communications and security parameters for establishing the link with the SS. The P2P topology is used for high-bandwidth wireless backhaul services at a maximum operating range of approximately 48 kilometers (km) (30 miles) using LOS signal propagation, and eight km (five miles) using NLOS.

Page 13

A point-to-multipoint (PMP) topology is composed of a central BS supporting multiple SSs, providing network access from one location to many. It is commonly used for last-mile broadband access, private enterprise connectivity to remote offices, and long-range wireless backhaul services for multiple sites. PMP networks can operate using LOS or NLOS signal propagation. Each PMP BS has a maximum operating range of 8 km (5 miles), but it is typically less than this due to cell configuration and the urban density of the target coverage area. Figure 2-2 illustrates the PMP topology.

Page 14

[…] using LOS propagation as well. The maximum operating range for each node in a multi-hop relay topology is approximately 8 km (5 miles), but the actual operating range is typically less depending on environmental conditions (e.g., building obstructions) and antenna configuration.

Page 15

Figure 2-3. Multi-Hop Topology

2.2.4 Mobile

A mobile topology is similar to a cellular network because multiple BSs collaborate to provide seamless communications over a distributed network to both SSs and MSs. This topology combines the coverage area of each member BS and includes measures to facilitate handoff of MSs between BS coverage areas, as seen by the car MS in Figure 2-4. It uses advanced RF signaling technology to support the increased RF complexity required for mobile operations. Each BS coverage area is approximately 8 km (5 miles). Mobile WiMAX systems operate using NLOS signal propagation on frequencies below 6 GHz.


Page 16

2.3 Evolution of the IEEE 802.16 Standard

In 1999, the 802.16 Working Group on Broadband Wireless Access Standards was established to develop standards and recommended practices to support the development and deployment of broadband WMANs. The following summarizes the standards and amendments that the working group has produced.

When the IEEE 802.16-2001 standard, which targeted last-mile broadband wireless access, was first under development in 2001, the WiMAX Forum formed to promote the compatibility and interoperability of IEEE 802.16 technologies. In December 2001, the IEEE 802.16-2001 standard was approved to operate in the 10-66 GHz frequency range and provided LOS-based P2P and PMP communications at maximum data rates of approximately 70 megabits per second (Mbps). Implementation of the IEEE 802.16-2001 standard was limited because of its LOS requirement and lack of available spectrum.

Because of the shortcomings of IEEE 802.16-2001, an amendment, IEEE 802.16a, was released during 2003. This amendment improved interoperability, quality of service (QoS), and data performance. It also provided the ability to propagate signals from one active device to another and to have NLOS communication. An IEEE 802.16 amendment was also under development to improve interoperability, but it was later transitioned from a single amendment to a revision project that aggregated IEEE 802.16-2001 and its amendments under a single standard, IEEE 802.16-2004. Versions of IEEE 802.16 prior to IEEE 802.16-2004 are no longer supported by vendors and are not discussed further in this publication.

[…] modulation techniques to accommodate LOS and NLOS communications requirements. Additionally, IEEE 802.16-2004 can operate in P2P and PMP topologies.

The IEEE 802.16e-2005 amendment to the IEEE 802.16-2004 standard provides enhancements to fixed wireless operations and enables a cellular-like architecture. Specifically, IEEE 802.16e-2005 provides mobility support for SSs and implements enhanced signaling techniques that enable new service offerings such as Voice over Internet Protocol (VoIP), presence, and multimedia broadcast. These enhancements to the previous standard's QoS make it resilient against communications latency and jitter. Additionally, IEEE 802.16e-2005 limits the frequency range to 6 GHz or below for mobile operations. IEEE 802.16e-2005 also introduces new security measures that are described in detail in Section 3.

Providing support in IEEE 802.16e-2005 for mobile devices necessitated a significant departure from the process IEEE 802.16-2004 BSs use to manage SSs. IEEE 802.16e-2005 introduces dynamic roaming and other new methods to manage the communication handoffs between SSs and BSs, switching an SS transmission from one BS coverage area into a new BS coverage area as the mobile SS moves. The communications architecture is also modified to enable better power management and efficient modes of operation to address the power constraints of MSs.

In May 2009, IEEE consolidated 802.16-2004, 802.16e-2005, 802.16f-2005, and 802.16g-2007 into the latest IEEE 802.16-2009 standard. IEEE 802.16-2009 technically made the consolidated standards and amendments obsolete; however, as of this writing, many production WiMAX networks are still based on IEEE 802.16-2004 or IEEE 802.16e-2005. In June 2009, IEEE released the IEEE 802.16j-2009 amendment specifying multi-hop relay. This amendment provides a more developed and thorough


Page 17

security and communications architecture for multi-hop networking than was previously defined in IEEE 802.16-2004 for the mesh networking option.

In addition to the standards and amendments already discussed, Table 2-1 lists other relevant standards and amendments to the IEEE 802.16 family of standards.

Table 2-1. Additional IEEE 802.16 Standards and Amendments

[…] promoting the certification of products based on the IEEE 802.16 standard. The WiMAX Forum operates the WiMAX Forum Certification Program using accredited testing laboratories and designated certification bodies to ensure WiMAX products are compatible, interoperable, and conform to industry standards, to ensure the interoperability of different vendor products. This results in greater competition in the marketplace, greater flexibility in deployment, larger target markets, and lower production costs.

The WiMAX Forum warns that "vendors claiming their equipment is 'WiMAX-like', 'WiMAX-compliant', and others are not WiMAX Forum Certified, which means that their equipment may not be interoperable with other vendors' equipment."


Page 18

3 WiMAX Security Features

This section discusses the security mechanisms included in IEEE 802.16-2004, IEEE 802.16e-2005, IEEE 802.16-2009, and IEEE 802.16j-2009, illustrates their functions, and provides a foundation for the security recommendations in Section 4. The IEEE 802.16 standards specify two basic security services: authentication and confidentiality. Authentication involves the process of verifying the identity claimed by a WiMAX device. Confidentiality is limited to protecting the contents of WiMAX data messages so that only authorized devices can view them. IEEE 802.16e-2005 and IEEE 802.16-2009 share the same authentication and confidentiality mechanisms; they both support user authentication and device authentication.

The IEEE 802.16 standards do not address other security services such as availability and confidentiality protection for wireless management messages; if such services are required, they must be provided through additional means. Also, while IEEE 802.16 security protects communications over the WMAN link between an SS/MS and a BS, it does not protect communications on the wired operator network behind the BS. End-to-end (i.e., device-to-device) security is not possible without applying additional security controls not specified by the IEEE standards.

WiMAX systems provide secure communications by performing three steps: authentication, key establishment, and data encryption. Figure 3-1 is a high-level overview of the security framework. The authentication procedure provides common keying material for the SS/MS and the BS and facilitates the secure exchange of data encryption keys that ensure the confidentiality of WiMAX data communications.

The remainder of this section explains the basics of the WiMAX security framework, authentication, key establishment, and data encryption.

Page 19

[…] encryption SA, whereas a multicast service would have a unique group SA.

Authorization SAs facilitate authentication and key establishment to configure data and group SAs. Authorization SAs contain the following attributes:

■ X.509 certificates. X.509 digital certificates allow WiMAX communication components to validate one another. The manufacturer's certificate is used for informational purposes, and the BS and SS/MS certificates contain the respective devices' public keys. The certificates are signed by the device manufacturer or a third-party certification authority.
■ Authorization key (AK). AKs are exchanged between the BS and SS/MS to authenticate one another prior to the traffic encryption key (TEK) exchange. The authorization key includes an identifier and


Page 20

■ Key encryption key (KEK). Derived from the AK, the KEK is used to encrypt TEKs during the TEK exchange, as discussed in Section 3.3.
■ Message authentication keys. Derived from the AK, the message authentication keys validate the authenticity of key distribution messages during key establishment. These keys are also used to sign management messages to validate message authenticity.
■ Authorized data SA list. Provided to the SS/MS by the BS, the authorized data SA list indicates which data encryption SAs the SS/MS is authorized to access.

Data SAs establish the parameters used to protect unicast data messages between BSs and SSs/MSs. Data SAs cannot be applied to management messages, which are never encrypted. A data SA contains the following security attributes:

■ SA identifier (SAID). This unique 16-bit value identifies the SA to distinguish it from other SAs.
■ Encryption cipher to be employed. The connection will use this encryption cipher definition to provide wireless link confidentiality.
■ Traffic encryption key (TEK). TEKs are randomly generated by the BS and are used to encrypt WiMAX data messages. Two TEKs are issued to prevent communications disruption during TEK rekeying: the first TEK is used for active communications, while the second TEK remains dormant.
■ Data encryption SA type indicator. This indicator identifies the type of data SA. There are three types:
  – Primary SA. This SA is established as a unique connection for each SS/MS upon initialization with the BS. There is only one primary SA per SS/MS.
  – Static SA. This SA secures the data messages and is generated for each service defined by the BS.
  – Dynamic SA. This SA is created and eliminated in response to the initiation and termination of specific service flows.

Group SAs contain the keying material used to secure multicast traffic. Group SAs are inherently less secure than data SAs because identical keying material is shared among all members of a BS's group. Group SAs contain the following attributes:

■ Group traffic encryption key (GTEK). This key is randomly generated by the BS and used to encrypt multicast traffic between a BS and SSs/MSs.
■ Group key encryption key (GKEK). This key is also randomly generated by the BS and used to encrypt the GTEK sent in multicast messages between a BS and SSs/MSs.

3.2 Authentication and Authorization

Networking technologies traditionally refer to authorization as the process that determines the level of access a node receives after the subject is identified and authenticated. The IEEE 802.16 standard generally refers to authorization as the process of authenticating WiMAX nodes and granting them access to the network. This slight distinction made by IEEE 802.16 is that authorization processes implicitly include authentication. The Privacy Key Management (PKM) protocol is the set of rules responsible for

Page 21

authentication and authorization to facilitate secure key distribution in WiMAX. PKM uses authorization

SAs to authenticate system entities so that data and group encryption SAs can be established. PKM's authentication enforcement function provides the SS/MS and BS with identical AKs; each AK is then used to derive the message authentication keys and KEK that facilitate the secure exchange of the TEKs. IEEE 802.16-2004 derives the AK using PKM version 1 (PKMv1), whereas IEEE 802.16e-2005 and IEEE 802.16-2009 derive the AK using PKMv2. This section reviews the procedures used in both PKMv1 and PKMv2.

3.2.1 IEEE 802.16-2004 Authentication and Authorization

In PKMv1 [IEEE04], the BS authenticates the identity of the SS, providing one-way authentication. Figure 3-2 illustrates the challenge-response verification scheme used in PKMv1-based authentication. The authorization process is initiated when the SS sends an authorization information message to the BS. This message contains the X.509 certificate of the SS manufacturer and is used by the BS for informational purposes. Immediately following the authorization information message, the SS sends an authorization request to the BS, which contains the following information:

■ The SS's unique X.509 certificate, which includes its RSA public key
■ A description of the SS's supported cryptographic algorithms
■ The primary SAID

Next, the BS validates the SS's X.509 certificate, communicates the supported cryptographic algorithms and protocols, and activates an AK for the SS. Then the BS sends the SS an authorization reply message containing the following information:

■ The activated AK, encrypted with the SS's public key
■ The AK sequence number, used to differentiate between successive generations of AKs
■ The AK lifetime
■ A list of SAIDs that the SS is authorized to access and their associated properties

The AK is periodically reauthorized based on its lifetime. The reauthorization process is identical to the initial authorization process with the exception that the authorization information message is not sent. Reauthorization does not cause a service interruption because two AKs with overlapping lifetimes are supported simultaneously.
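The two mechanisms described above and in Section 3.1, overlapping key lifetimes (two AKs, and likewise two TEKs, held at once) and key-distribution messages validated with an AK-derived message authentication key, modelled in an added Python example that is not code from SP 800-127 or from any WiMAX implementation. HMAC-SHA256 stands in for the IEEE 802.16 derivation and digest functions; `KeyRing`, `sign_key_message`, `verify_key_message`, the labels and all timing values are constructed assumptions.

```python
# Added illustration, not code from SP 800-127 or from any WiMAX product:
# a simplified model of two key generations with overlapping lifetimes and
# of key-distribution messages validated with an AK-derived key.
# Assumptions: HMAC-SHA256 stands in for the IEEE 802.16 key derivation and
# message digest; key sizes, labels and timing values are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    seq: int          # sequence number distinguishing successive generations
    start: float      # activation time in seconds (constructed clock)
    lifetime: float   # validity period in seconds
    material: bytes

    def valid_at(self, t: float) -> bool:
        return self.start <= t < self.start + self.lifetime


class KeyRing:
    """At most two generations of one key held at the same time, the way the
    BS and SS/MS hold two AKs (or two TEKs) so that rollover never leaves a
    moment with no usable key."""

    def __init__(self) -> None:
        self.keys = []

    def install(self, key: Key) -> None:
        self.keys = [k for k in self.keys if k.seq != key.seq] + [key]
        self.keys = self.keys[-2:]            # keep only the two newest

    def active_at(self, t: float):
        live = [k for k in self.keys if k.valid_at(t)]
        return max(live, key=lambda k: k.seq) if live else None

    def by_seq(self, seq: int):
        return next((k for k in self.keys if k.seq == seq), None)


def derive(ak: bytes, label: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256(AK, label). Models deriving the KEK and the
    message authentication key from the AK."""
    return hmac.new(ak, label, hashlib.sha256).digest()


def sign_key_message(ak: bytes, ak_seq: int, payload: bytes) -> bytes:
    """BS side: key-distribution message = AK sequence number || payload ||
    HMAC under the message authentication key derived from that AK."""
    body = ak_seq.to_bytes(2, "big") + payload
    mac_key = derive(ak, b"message-auth")
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def verify_key_message(ring: KeyRing, msg: bytes, t: float):
    """SS/MS side: find the AK generation the message names, require that it
    is still within its lifetime, then check the digest in constant time.
    Returns the payload, or None when the message must be rejected."""
    if len(msg) < 2 + 32:
        return None
    body, digest = msg[:-32], msg[-32:]
    ak = ring.by_seq(int.from_bytes(body[:2], "big"))
    if ak is None or not ak.valid_at(t):
        return None
    mac_key = derive(ak.material, b"message-auth")
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, digest):
        return None
    return body[2:]


def simulate_ak_rollover(lifetime: float, reauth_period: float, horizon: float):
    """Reauthorize every reauth_period seconds, each AK valid for lifetime
    seconds. Returns the whole seconds at which no valid AK was held: empty
    when lifetimes overlap, non-empty when reauthorization comes too late."""
    ring, gaps, seq, next_reauth = KeyRing(), [], 0, 0.0
    t = 0.0
    while t < horizon:
        if t >= next_reauth:                  # BS activates the next AK generation
            ring.install(Key(seq, t, lifetime, os.urandom(20)))
            seq += 1
            next_reauth += reauth_period
        if ring.active_at(t) is None:
            gaps.append(t)
        t += 1.0
    return gaps


if __name__ == "__main__":
    print("overlapping lifetimes, gaps:", simulate_ak_rollover(10.0, 8.0, 40.0))
    print("late reauthorization, gaps:", simulate_ak_rollover(10.0, 12.0, 40.0))
```

The second simulation shows the failure mode the overlap is meant to prevent: when the new AK arrives after the old one expires, the SS/MS is left without a valid key for the gap and any key-distribution message naming the expired generation is rejected.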


Page 22

IEEE 802.16-2009 includes security features of the 802.16e-2005 amendment, which was adopted after the publication of 802.16-2004. The WiMAX Forum Network Architecture Release 1.5 further extends the security framework. In particular, the Base Specification delineates the required Extensible Authentication Protocol (EAP) methods that a certified device must support, and describes the use of Remote Authentication Dial-In User Service (RADIUS) (and its Diameter successor) for authentication, authorization, and accounting (AAA). The addition of EAP and RADIUS/Diameter support enables WiMAX networks to be tied to a wide range of robust enterprise security architectures, and also makes the design and implementation of WiMAX networks more complex than has been the case with IEEE 802.16-2004.

The WiMAX Forum Network Architecture Release 1.5 states requirements for device and user authentication. For mutual device authentication based on X.509 certificates, an SS/MS must support EAP-transport layer security (EAP-TLS). For user authentication, the SS/MS must support either EAP-authentication and key agreement (EAP-AKA) or EAP-tunneled TLS (EAP-TTLS), preferably both. EAP-AKA is an authentication method used in Universal Mobile Telecommunications System (UMTS) and CDMA2000 networks. It is based on symmetric key encryption that typically runs in a subscriber identity module (SIM) or similar smart card. EAP-TTLS authenticates the network to the user with an X.509 certificate and authenticates the user to the network with another "tunneled" EAP method. The


Posted: 23/03/2014, 22:20