ieee 802 16 wimax security
play

IEEE 802.16 WiMax Security Dr. Kitti Wongthavarawat Thai Computer - PDF document

Sep 29, 2022 •150 likes •289 views

IEEE 802.16 WiMax Security Dr. Kitti Wongthavarawat Thai Computer Emergency Response Team (ThaiCERT) National Electronics and Computer Technology Center Thailand Presented at 17 th Annual FIRST Conference, Singapore July 1, 2005 Agenda

  1. IEEE 802.16 WiMax Security Dr. Kitti Wongthavarawat Thai Computer Emergency Response Team (ThaiCERT) National Electronics and Computer Technology Center Thailand Presented at 17 th Annual FIRST Conference, Singapore July 1, 2005 Agenda � Introduction to IEEE 802.16 WiMax � IEEE 802.16 Security Architecture based on IEEE 802.16-2004 Standard � IEEE 802.16 Security Process and Analysis � Authentication � Date Key Exchange � Data Privacy � Conclusions 1

  2. IEEE 802.16 WiMAX � Wireless Metropolitan Area Network (WMAN) Standard, Broadband Wireless Access (BWA) � Last mile connectivity � Range up to 50 km. � Provide high speed connectivity that supports data, voice and video � Fast deployment, cost saving IEEE 802.16 Applications Point-to-point “Fixed BWA” backhaul (IEEE 802.16-2004) Internet Residential Base Point-to-multipoint Station last mile Base Station Mobile User “Mobile BWA” (IEEE 802.16e) Industrial SOHO, Enterprise 2

  3. IEEE 802.16-2004 Air Interface SS BS MAC PHY 10-66 GHz Below 11 GHz � WirelessMAN-SC � WirelessMAN-SCa � WirelessMAN-OFDM � WirelessMAN-OFDMA � WirelessHUMAN IEEE 802.16-2004 Air Interface SS BS MAC PHY � Contentionless MAC protocol � Multiple access controlled by BS � Connection oriented � Security sublayer 3

  4. IEEE 802.16 Security Architecture BS SS MAC MAC Management plane Data plane Data plane Management plane CIDs CIDs CIDs CIDs PHY PHY Management connection Transport connection IEEE 802.16 Security Architecture BS SS MAC MAC Management plane Data plane Data plane Management plane Data Data Privacy Privacy CIDs CIDs CIDs CIDs PHY PHY Encryption (some) Header Encrypted payload 4

  5. IEEE 802.16 Security Architecture BS SS MAC MAC Management plane Data plane Data plane Management plane Key Key Authen. Authen. Management Management Data Data Privacy Privacy SAID SAID SAID SAID CIDs CIDs CIDs CIDs PHY PHY “Security Association (SA)” IEEE 802.16 Security Association MAC � Security Association (SA) Data plane Management plane � Cryptographic suite (i.e., encryption algorithm) Key Authen. Management � Security Info (i.e., key, IV) Data � Identified by SAID Privacy SAID SAID CIDs CIDs PHY 5

  6. IEEE 802.16 Security Process MAC Authentication 1 Data plane Management plane Data Key Exchange 2 Key Authen. 3 Management Data 1 2 Data Privacy 3 Privacy SAID SAID CIDs CIDs PHY IEEE 802.16 Authentication � SS authentication using X.509 certificate � No BS authentication � Negotiate security capabilities between BS and SS � Establish security association (SAID) � Authentication Key (AK) exchange � AK serves as authorization token � AK is encrypted using public key cryptography � Authentication is done when both SS and BS possess AK 6

  7. IEEE 802.16 Authentication BS SS Authorization Request [ SS Certificate, Security Capabilities, SAID ] Verify SS Certificate AK (128 bits) Generation Authorization Reply [ AK (encrypted with RSA-1024 SS’s public key), Key lifetime, Selected Security Suite, AK sequence number ] AK (128bits) AK (128bits) Key lifetime = 1 day to 70 days IEEE 802.16 Authentication Analysis � No mutual authentication – MAC Rogue BS Data Management plane plane � Man-in-the-middle attack Key Authen. Management � Limited authentication Data method – SS certification Privacy � New authentication method SAID SAID requires adding new type of CIDs CIDs authentication message PHY 7

  8. IEEE 802.16 Authentication Analysis Solution MAC Data Management plane � EAP-based Authentication plane Key Authen. Authen. � Authentication methods (i.e., Management Method EAP-TLS, EAP-TTLS, PEAP, EAP Data EAP-SIM) Privacy � Extend the authentication to SAID SAID AAA Server CIDs CIDs � Proposed in draft IEEE PHY 802.16e IEEE 802.16 Security Process MAC Authentication 1 Data plane Management plane Data Key Exchange 2 Key Authen. 3 Management Data 1 2 Data Privacy 3 Privacy SAID SAID CIDs CIDs PHY 8

  9. IEEE 802.16 Data Key Exchange � Data encryption requires data key called Transport Encryption key (TEK). � Use AK from authentication process to derive key encryption key (KEK) and Message Authentication key (HMAC key) � TEK is generated by BS randomly IEEE 802.16 Data Key Exchange � TEK is encrypted with � 3DES (use 112 bits KEK) � RSA (use SS’s public key) � AES (use 128 bits KEK) � Key Exchange message is authenticated by HMAC-SHA1 – (provides Message Integrity and AK confirmation ) 9

  10. IEEE 802.16 Data Key Exchange BS SS KEK = Truncate( SHA(AK|53 64 ), 128) AK (128bits) AK (128bits) HMAC-up = SHA((AK|5C 64 ) HMAC-down = SHA((AK|3A 64 ) KEK (128bits) KEK (128bits) HMAC-Key (160bits) HMAC-Key (160bits) TEK Key Request [ AK Sequence Number, SAID, HMAC-SHA1 ] TEK (128bits) Generation TEK Key Reply [ AK Sequence Number, SAID, Encrypted TEK, TEK key lifetime, IV, HMAC-SHA1 ] TEK (128bits) TEK (128bits) Key lifetime = 30 mins to 7 days IEEE 802.16 Security Process MAC Authentication 1 Data plane Management plane Data Key Exchange 2 Key Authen. 3 Management Data 1 2 Data Privacy 3 Privacy SAID SAID CIDs CIDs PHY 10

  11. IEEE 802.16 Data Privacy � DES in CBC mode � 56 bit DES key (TEK) � CBC-IV = [IV Parameter from TEK exchange] XOR [ PHY Synchronization field] CBC-IV Plain block 1 Plain block 2 Plain block 3 + + + DES-CBC DES-CBC DES-CBC (56 bit key) (56 bit key) (56 bit key) Cipher block 1 Cipher block 2 Cipher block 3 IEEE 802.16 Data Privacy Analysis � 56 bit key is not secure based on today’s computer – Bruce force attack � CBC-IV is predictable � CBC-IV = [IV Parameter from TEK exchange] XOR [ PHY Synchronization field] � Chosen Plaintext Attack to recover the original plaintext � No Message Integrity Detection, No replay protection � Active attack 11

  12. IEEE 802.16 Data Privacy � AES in CCM Mode � 128 bit key (TEK) � Message Integrity Check � Replay Protection using Packet Number IEEE 802.16 Security Architecture BS SS MAC MAC Management plane Data plane Data plane Management plane Key Key Authen. Authen. Management Management Data Data Privacy Privacy CIDs CIDs CIDs CIDs PHY PHY 12

  13. Conclusions � Require mutual authentication � Require more flexible authentication method � EAP Authentication � Improve Key derivation � Include the system identity (i.e., SSID) � Key freshness – include random number from both SS and BS � Prefer AES to DES for data encryption 13

Recommend

IEEE 802.16/WiMAX IEEE 802.16/WiMAX Broadband Wireless Access Broadband Wireless Access Mitsuo

IEEE 802.16/WiMAX IEEE 802.16/WiMAX Broadband Wireless Access Broadband Wireless Access Mitsuo

I nternational Telecom m unication Union ITU-T IEEE 802.16/WiMAX IEEE 802.16/WiMAX Broadband Wireless Access Broadband Wireless Access Mitsuo Nohara KDDI Corp., IEEE802.16 Relay TG Chair I TU-T W orkshop NGN and its Transport Netw

388 views • 15 slides
Behind Mobile WiMAX Chenxi Zhu, Ph.D. Fujitsu Labs of America College Park, MD Email:

Behind Mobile WiMAX Chenxi Zhu, Ph.D. Fujitsu Labs of America College Park, MD Email:

Behind Mobile WiMAX Chenxi Zhu, Ph.D. Fujitsu Labs of America College Park, MD Email: czhu@ieee.org What is mobile WiMAX? Mobile broadband wireless access Defined by IEEE and WiMAX Forum. IEEE 802.16e_2005: wireless MAN-OFDMA

480 views • 26 slides
WiMAX and AD HOC COMMUNICATION NETWORK ECE3103-ADVANCED COMMUNICATION NETWORKS Friday, 17 March

WiMAX and AD HOC COMMUNICATION NETWORK ECE3103-ADVANCED COMMUNICATION NETWORKS Friday, 17 March

PBL-02- BASIC CONCEPTS WiMAX and AD HOC COMMUNICATION NETWORK ECE3103-ADVANCED COMMUNICATION NETWORKS Friday, 17 March 2017 1. WiMAX is short for W orldwide I nteroperability for M icrowave A ccess. 2. WiMAX is a metropolitan wireless

784 views • 34 slides
The Perspective of a Service Provider Jorge Rodrigues WiMAX Program Manager Network Evolution

The Perspective of a Service Provider Jorge Rodrigues WiMAX Program Manager Network Evolution

WiMAX Evaluation: The Perspective of a Service Provider Jorge Rodrigues WiMAX Program Manager Network Evolution Strategy Department PT Comunicaes Workshop on Mobile WiMAX - Towards Ubiquitous Internet ISCTE, LISBON 27th September 2007

224 views • 19 slides
WiMAX Hacking 2010 Pierce, Goldy, and aSmig feat. sanitybit DEFCON 18 Updated slides, code, and

WiMAX Hacking 2010 Pierce, Goldy, and aSmig feat. sanitybit DEFCON 18 Updated slides, code, and

WiMAX Hacking 2010 Pierce, Goldy, and aSmig feat. sanitybit DEFCON 18 Updated slides, code, and discussion at https://groups.google.com/group/wimax-hacking The Technology WiMAX: a broadband wireless Internet technology 802.16, similar

983 views • 34 slides
Duo-Binary Circular Turbo Decoder Based on Border Metric Encoding for WiMAX for WiMAX Ji-Hoon

Duo-Binary Circular Turbo Decoder Based on Border Metric Encoding for WiMAX for WiMAX Ji-Hoon

Duo-Binary Circular Turbo Decoder Based on Border Metric Encoding for WiMAX for WiMAX Ji-Hoon Kim and In-Cheol Park Division of Electrical Engineering Division of Electrical Engineering KAIST Introduction to Turbo Codes Introduction to Turbo

280 views • 13 slides
Overview of IEEE 802.16 Security David Johnston & Jesse Walker Presented By: Anil Bazaz

Overview of IEEE 802.16 Security David Johnston & Jesse Walker Presented By: Anil Bazaz

Overview of IEEE 802.16 Security David Johnston & Jesse Walker Presented By: Anil Bazaz CS6204, Spring 2005 Intro to IEEE 802.16 Standard for Wireless Metropolitan Area Networks (WMANs) Flavors: IEEE 802.16-2001, 802.16a, 802.16c,

844 views • 14 slides
Cooperative Multicast Scheduling with Random Network Coding in WiMAX Jin Jin, Baochun Li,

Cooperative Multicast Scheduling with Random Network Coding in WiMAX Jin Jin, Baochun Li,

Cooperative Multicast Scheduling with Random Network Coding in WiMAX Jin Jin, Baochun Li, Department of Electrical Computer Engineering University of Toronto WiMAX MBS IWQoS 2009: Cooperative Multicast Scheduling with Random Network Coding in

856 views • 53 slides
WINLAB Rutgers, The State University of New Jersey www.winlab.rutgers.edu Mete Rodoper, MSc

WINLAB Rutgers, The State University of New Jersey www.winlab.rutgers.edu Mete Rodoper, MSc

An Identity- -Based Based An Identity Cryptography (IBC) Scheme Cryptography (IBC) Scheme for WiMAX Security for WiMAX Security WINLAB Rutgers, The State University of New Jersey www.winlab.rutgers.edu Mete Rodoper, MSc Under supervision

331 views • 15 slides
A Study of A Study of WiMax QoS Mechanisms WiMax QoS Mechanisms Masood KHOSROSHAHY

A Study of A Study of WiMax QoS Mechanisms WiMax QoS Mechanisms Masood KHOSROSHAHY

A Study of A Study of WiMax QoS Mechanisms WiMax QoS Mechanisms Masood KHOSROSHAHY Vivien NGUYEN Masood KHOSROSHAHY Vivien NGUYEN RMOB Project RMOB Project April 2006 April 2006 Project supervisor: Project

741 views • 40 slides
Cellular Networks and WiMAX CS 687 University of Kentucky Fall 2015 Acknowledgment: These

Cellular Networks and WiMAX CS 687 University of Kentucky Fall 2015 Acknowledgment: These

Cellular Networks and WiMAX CS 687 University of Kentucky Fall 2015 Acknowledgment: These slides have used resources (presentations, documents, pictures) available on the web. Special thanks are given to Dr. Liang Cheng and Dr. Shalinee Kishore

503 views • 27 slides
Deciphering a Commercial WiMAX Deployment using COTS Equipments Kok-Kiong Yap SING Group

Deciphering a Commercial WiMAX Deployment using COTS Equipments Kok-Kiong Yap SING Group

Deciphering a Commercial WiMAX Deployment using COTS Equipments Kok-Kiong Yap SING Group Meeting : August 10, 2010 Wireless Networks Today Mobile network High latency (100 - 200 ms) Low bandwidth Good coverage WLAN/WiFi

677 views • 21 slides
1 IEEE 802.15.4 PHY IEEE 802.15.4 PHY Features Receiver Energy Detection

1 IEEE 802.15.4 PHY IEEE 802.15.4 PHY Features Receiver Energy Detection

Structure of Presentation Introduction 8 0 2.15.4 and Zigbee IEEE 812.15.4 WPAN IEEE 802.15.4 PHY IEEE 802.15.4 MAC Zigbee Routing Layer Kevin Klues Department of Computer Science and Engineering 2 Introduction Zigbee and

863 views • 6 slides
Services in 4G WiMAX Networks Amitabha Ghosh IBM India Research Laboratory Department of

Services in 4G WiMAX Networks Amitabha Ghosh IBM India Research Laboratory Department of

IBM Research QoE Characterization for Video-On-Demand Services in 4G WiMAX Networks Amitabha Ghosh IBM India Research Laboratory Department of Electrical Engineering University of Southern California, Los Angeles http://anrg.usc.edu/~amitabhg

538 views • 20 slides
Outline 31st IEEE Symposium on Security & Privacy Introduction TaintScope: A

Outline 31st IEEE Symposium on Security & Privacy Introduction TaintScope: A

Outline 31st IEEE Symposium on Security & Privacy Introduction TaintScope: A Checksum-Aware Background Directed Fuzzing Tool for Automatic Motivation Software Vulnerability Detection TaintScope Intuition Tielei Wang 1 ,

427 views • 5 slides
Verena: End-to-End Integrity Protection for Web Applications IEEE Security & Privacy 2016

Verena: End-to-End Integrity Protection for Web Applications IEEE Security & Privacy 2016

Verena: End-to-End Integrity Protection for Web Applications IEEE Security & Privacy 2016 Nikos Karapanos, Alexandros Filios, Raluca Ada Popa, Srdjan Capkun Information Integrity is Critical for Decision Making EKG, EKG, heart rate,

534 views • 15 slides
Automated Target Testing with TTCN-3: Experiences from WiMAX Call Processing Features By

Automated Target Testing with TTCN-3: Experiences from WiMAX Call Processing Features By

Automated Target Testing with TTCN-3: Experiences from WiMAX Call Processing Features By Bhaskar Rao G Srinath Y Sridhar Y Jitesh M Motorola India Pvt Ltd, Hyderabad bhaskarraog@motorola.com 23 November 2009 T3UC-2009 1 Agenda

623 views • 20 slides
Secure Design: A Better Bug Repellent Christoph Kern, IEEE SecDev '17 Security Defects

Secure Design: A Better Bug Repellent Christoph Kern, IEEE SecDev '17 Security Defects

Secure Design: A Better Bug Repellent Christoph Kern, IEEE SecDev '17 Security Defects Implementation Bugs Shallow & Localized Patchable Straightforward & Testable Image credit: Vaniato/Shutterstock.com Design Flaws Deep &

414 views • 28 slides
Mobile WiMax: Description and Deployment Dr. Zulfiquar Sayeed Alcatel Lucent Bell Labs

Mobile WiMax: Description and Deployment Dr. Zulfiquar Sayeed Alcatel Lucent Bell Labs

Mobile WiMax: Description and Deployment Dr. Zulfiquar Sayeed Alcatel Lucent Bell Labs zsayeed@alcatel-lucent.com 732-949-3055 Outline The big picture 802.16 Specifications family OFDM and OFDMA fundamentals Profiles System

265 views • 22 slides
4. Web Security - Measuring and Analyzing Search Engine Poisoning of Linguistic Collisions,

4. Web Security - Measuring and Analyzing Search Engine Poisoning of Linguistic Collisions,

All papers can be found by Google Scholar. For those papers accepted by S&P 2019, you can download them from this website: https://www.ieee- security.org/TC/SP2019/program-papers.html The below papers are published in the top security

290 views • 5 slides
Marco Ghiglieri Web 2.0 Security & Privacy 2014 Workshop In conjunction with the IEEE

Marco Ghiglieri Web 2.0 Security & Privacy 2014 Workshop In conjunction with the IEEE

I Know What You Watched Last Sunday A New Survey of Privacy in HbbTV May 18, 2014 Marco Ghiglieri Web 2.0 Security & Privacy 2014 Workshop In conjunction with the IEEE Symposium on Security and Privacy May 18, 2014 | I Know What You

287 views • 26 slides
Caradoc: a Pragmatic Approach to PDF Parsing and Validation IEEE Security & Privacy LangSec

Caradoc: a Pragmatic Approach to PDF Parsing and Validation IEEE Security & Privacy LangSec

Caradoc: a Pragmatic Approach to PDF Parsing and Validation IEEE Security & Privacy LangSec Workshop 2016 Guillaume Endignoux Olivier Levillain Jean-Yves Migeon cole Polytechnique, France EPFL, Switzerland ANSSI, France Thursday 26 th

842 views • 35 slides
Heap Models For Exploit Systems IEEE Security and Privacy LangSec Workshop 2015 Julien Vanegue

Heap Models For Exploit Systems IEEE Security and Privacy LangSec Workshop 2015 Julien Vanegue

Heap Models For Exploit Systems IEEE Security and Privacy LangSec Workshop 2015 Julien Vanegue Bloomberg L.P. New York, USA. May 24, 2015 Big picture : The Automated Exploitation Grand Challenge A Security Exploit is a program taking

451 views • 23 slides
IEEE OU Analytics Training Presentation 2017 IEEE OU Analytics Welcome to the new IEEE OU

IEEE OU Analytics Training Presentation 2017 IEEE OU Analytics Welcome to the new IEEE OU

IEEE OU Analytics Training Presentation 2017 IEEE OU Analytics Welcome to the new IEEE OU Analytics This training guide will assist you in becoming familiar with the new tool being transitioned for both IEEE Volunteers and Staff through

1.57k views • 43 slides

More recommend