WIMAX Security Challenges in Authentication, Authorization and Encryption.

SYED SABER HUSSAINI MSc. TELECOMMUNICATIONS, MIDDLESEX UNIVERSITY, LONDON. ID: M00378628
Abstract: WIMAX stands for worldwide interoperability for microwave access. It is a very promising 4G technology. WIMAX provide privacy and access control over the network. This article examines the security challenges that WIMAX have subject to its Authentication, Authorization and Encryption standards. Proposed recommendations are presented that should improve in WIMAX security challenges.

Fig: WIMAX PROTOCOL. The organization of this paper is it defines the problems in WIMAX authentication; authorization and encryption standards and then some recommendations are presented to improve the security in these subject.

Introduction: WIMAX is an excellent successor to WIFI as it provides more range, scalability, bit-rate, and several levels of Qos when compared to WIFI. WIMAX protocol mainly focuses on physical layer and MAC layer. From the end users point of view the main security concern are privacy and data integrity and from the service providers point the security concern is preventing unauthorized use of network services. The below diagram shows the WIMAX protocol.

PROBLEMS IN WIMAX AUTHENTICATION AND AUTHORIZATION: 1. The main purpose of authentication and authorization is to verify the correct usage of network and to prevent fraudulent such as Denial of Service attack, Man in the Middle attack, snooping etc.

2. If a lot of false request is received from subscriber station to base station then it causes denial of service attack as the base station will no longer be able to service any subscriber stations request. 3. WIMAX uses mutual authentication process to prevent from attacks such as Eavesdropping etc. but still it is possible for intruders to receive and modify the authentication message and there will be no guarantee that it has not been changed. 4. WIMAX uses 4-bit key sequence to differentiate between successive Authorization Keys and also uses 2bit key for Traffic Encryption Keys and due to the size of the keys it is possible for the attacker to hack the keying material. 5. It is possible for the attacker to make the genuine subscriber station to enter his network and get the permission to enter the genuine Base station. 6. There are two types of certificates issued by mutual authentication, one for subscriber station and other for manufacturer of WIMAX, but there is no provision for Base station certificate. 7. Now the WIMAX uses Advance Encryption Standard, which gives strong security for data confidentiality but still there is no encryption for Frames and this allows the attacker to collect the information about the subscriber in the area.

WIMAX AUTHENTICATION AUTHORIZATION:

and

Authentication means getting the genuine prove from the device or the end-user to join the wireless network. Authorization means determining whether the authenticated device or end-user is permitted to join the network or not. WIMAX provide flexible means of authentication both for network and end users. The authentication framework in WIMAX is based on the Internet Engineering Task Force (IETF) EAP, which supports a variety of credentials, such as username/password, digital certificates, and smart cards. EAP is used for authentication process, which is basically a request-response protocol based on four main messages EAP-request, EAPresponse, EAP-success, EAP-failure. WIMAX uses EAP-PKM and EAP-TLS methods for authentication and authorization. PKM has two versions: PKMV1: PKM version 1 authentication relies on the use of RSA asymmetric encryption, via RSA private/public key pairs, and International Telecommunication Union and PKMV2: PKMv2 provides mutual authentication between an SS/MA and a BS in either of two modes of operation. In the first mode, mutual authentication is provided by PKMv2. Fig 1 shows the enhanced security features that PKMV2 supports when compared to PKMV1.

NOTATION TEK GTEK KEK GKEK AK PAK PMK

PKMV1

PKMV2

MAK MGTEK MTK H/CMAC_KEY_U H/CMAC_KEY_D

Fig 1: Comparison between PKMV1 and PKMV2. The latest one with enhances security is PKMV2, it supports two authentication protocols: RSA and EAP. RSA is mandatory in all devices. RSA authentication method is based on X.509 certificates, which determines the identity of base station by subscriber station. Authorization via PKM-RSA: Fig2 shows the authorization process between the subscriber station and base station via PKM-RSA authentication. In the process below first Subscriber Station initiate the authentication process by sending Authentication information to Base station which contains X.509 certificate of Subscriber Station. After sending the authentication information message to the base station, the subscriber station sends the authentication request message to the base station which is used to get the Authorization key so that the subscriber station is authorized to participate in. Fig 2: Authorization Authentication. via PKM-RSA

After receiving the authentication request from the subscriber station, base station will validate the subscriber stations identity, determines the encryption algorithm and protocol and activates the Authorization key (AK) for subscriber station, encrypts it with subscriber stations public key and send it to the subscriber station in Authentication reply message. Authorization key is the share key for Base station and subscriber station. Base station also sends Traffic Encryption Key for each SAID for additional security, also it sends Authentication key lifetime, AKs sequence number which is used to differentiate between successive generations of AKs, in the Authentication reply message. After verifying Subscriber station, base station sends the Key reply message with KEK,

which is derived from AK and is used to encrypt TEK during TEK exchange. Lastly the subscriber station tries to verify base station and if the base station is verified then it gets the TEK by decryption of KEK with AK. Once the TEK is active, all the traffic is encrypted using symmetric key algorithms.

subscriber station and activates the AK. Hence the Authentication is completed.

Authorization via PKM-EAP: Fig 3 shows the Authorization via PKMEAP Authentication between Subscriber station and Base station. After Subscriber station is authorized via PKM-RSA to Base station, now EAP authorization process. First the Subscriber station sends the EAPREQUEST to the Base station. This message can either be an identity message or just a start of EAP. This message is encapsulated in MAC. After receiving the EAP-REQUEST, Base station will forward it to the local EAP and sends back the EAPRESPONSE message. After one or more EAP-REQUEST/RESPONSE, it is determined whether or not the authentication is successful. If it is successful then Base station transmits EAP-SUCCESS message to the Subscriber station. Base station sends the EAP-ESTABLISH-KEY-REQUEST to the Subscriber station including a 32-bit nonce, upon receiving this message Subscriber station generates its own nonce and derives Transient Key (TK), Key Confirmation Key (KEK) and authorization key (AK). Then the subscriber station sends the EAP-ESTABLISH-KEY-REPLY message to Base station, upon receiving this base station computes TK, AEK, AK. Then finally Base station sends the EAPESTABLISH-KEY-CONFIRM message to

Fig 3: Authorization Authentication.

via

PKM-EAP

SECURITY IN ICATION:

WIMAX

AUTHENT-

1. Mutual authentication in PKMV2 can be used to avoid Man-in-themiddle attack. 2. Each service has different SAID. 3. The limited lifetime of AK prevents the data to be hacked as it always refreshes. 4. X.509 certificate issued to every Subscriber station is unique and hence cannot be easily track. 5. From the base station and subscriber station a random value can be added to the authorization SA.

WIMAX ENCRYPTION STANDARDS: Once authentication is complete, the BS and SS/MS share an activated AK. PKM then uses the 160-bit AK to derive the 128bit KEK and the 160-bit message authentication keys, which are used to facilitate a secure exchange of TEKs. Most of the WIMAX uses Advance Encryption Standard (AES) and Triple Data Encryption Standard (3DES), RSA encryption etc.

message into sequence of fixed-size blocks. In this mode first the arbitrary blocks are encrypted and then the plaintext. It uses the same decryption method as it uses for encryption method. PROPOSED SOLUTIONS FOR THE ABOVE MENTIONED PROBLEMS IN WIMAX: 1. As the solution to denial of service attack, a timestamp is added to the authentication message of the original protocol. 2. Adding a timestamp also solves the mutual authentication issue. 3. Till now there is no solution for the key issue, but few more bits can be added to the keys to assure more security, but this will increase complexity. 4. To get the genuinity of the Base station, PKMV2-RSA is used. REFERRENCES: http://www.tutorialspoint.com/wimax/
wimax_network_model.htm

TRIPLE DATA STANDARD (3DES):

ENCRYPTION

DES was developed in 1977. DES is a cipher block which uses 65-bit cipher block and uses 56-bit keys. Now 3DES has emerged which is more secure than DES as it encrypts the data three times more when compared to DES. 3DES uses different keys for the passes. After the authentication process between Subscriber station and Base station DES encryption takes place.

ADVANCE ENCRYPTION STANDARD (AES): AES has four modes: AES with CBC, AES with CTR, AES with CCM (CTR with CBC) and AES with EAP (this is only for the encryption of traffic keys). AES-CCM mode is considered to be more secure than DES and 3DES; however it is more complex than DES and 3DES. It has an encryption key length of 128 bits. In AES-CTR mode before encryption takes place we need to change the arbitrary length

http://www.javvin.com/protocolWiMA X.html http://freewimaxinfo.com/aes-inwimax.html

http://www.mycrypto.net/encryption/c rypto_algorithms.html Guide to Securing WIMAX Wireless Communications Recommendations of the National Institute of Standards and

Technology. Karen Scarfone , Cyrus Tibbs , Matthew Sexton. NIST Special Publication 800-127 IEEE A Simple Encryption Scheme Based on WIMAX, LUO Cuilan Department of Electronics Jiangxi University of Finance And Economics, Nanchang, CHINA IEEE Authentication Authorization and Accounting (AAA) Schemes in WIMAX Sasan Adibi, Bin Lin, Pin-Han Ho, G.B. Agnew, Shervin Erfani University of Waterloo, Broadband Communication Research Centre (BBCR) 200 University West Ave, Waterloo, Ontario Canada, N2L 3G1. Improving Security in the IEEE 802.16 Standards Joseph Chee Ming Teo Institute for Infocomm Research, 1 Fusionopolis Way, Singapore 138632. WIMAX Subscriber and Mobile Station Authentication Challenges, Stuart Jacobs, Boston University. IEEE Security Concerns in WiMAX Syed Shabih Hasan, Mohammed Abdul Qadeer, Department of Computer Engineering, Zakir Hussain College of Engineering & Technology, Aligarh Muslim University, Aligarh - 202002, INDIA.