Mobile WiMAX Security

Transcription

1 WHITE PAPER WHITE PAPER Makes Mobile WiMAX Simple

2 Mobile WiMAX Security Glossary 3 Abstract 5 Introduction to Security in Wireless Networks 6 Data Link Layer Security 8 Authentication 8 Security Association 9 Authorization 10 Traffic Encryption 10 Summary 11 Network Aspects of Security 12 Mobile WiMAX Network Architecture 13 Network Reference Model 13 ASN Profile C and Security 15 ASN and CSN Interaction for Security 16 Connectivity Service Network (CSN) 18 Summary 19 2

3 Glossary AAA AES AK AKA Authentication, Authorization and Accounting Advanced Encryption Standard Authorization Key Authentication and Key Agreement ASN ASN BS CHAP CSN EAP EAP-AKA EAP-PSK EAP-SIM EAP-TLS EAP-TTLS EMSK IP IPsec KEK Key MAC MIP MS MSK Access Service Network GW ASN gateway Base Station Challenge Handshake Authentication Protocol Connectivity Service Network Extensible Authentication Protocol EAP-Authentication and Key Agreement EAP PreShared Key EAP-Subscriber Identity Module EAP-Transport Layer Security EAP-Tunnelled Transport Layer Security Enhanced Master Session Key Internet Protocol IP security Encryption Key Media Access Control Mobile IP Mobile Station Master Session Key 3

4 NAP NAS NSP PAP Network Access Provider Network Access Server Network Service Provider Password Authentication Protocol PEAP PK PKI PKM PMK PPP RADIUS RSA SA SIM TEK TLS Protected EAP Public Key Public Key Infrastructure Private Key Management Pairwise Master Key Point-to-Point Protocol Remote Authentication Dial In User Service Rivest-Shamir-Adleman Security Associations Subscriber Identity Module Traffic Encryption Key Transport Layer Security TTLS Tunnelled TLS USIM Universal SIM X.509 ITU-T standard for PKI digital certificates 4

5 Abstract Security is an important topic in telecommunications. It is even more important when wireless systems are used because it is generally perceived that wireless systems easier to attack than wireline systems. For a ground-breaking broadband wireless standard such as WiMAX, addressing the security concerns head-on and specifying credible solutions has been an important objective. Lessons learnt from weaknesses in Wi-Fi security have been incorporated into the IEEE standard. In this white paper we start by introducing the requirements and general principles of security in wireless networks. We then present the data link security sublayer functions as defined by the IEEE e-2005 standard for the WiMAX air interface. Finally, the Network Aspects of Security (page 12) and Mobile WiMAX Network Architecture (page 13) sections deal with the network aspects of security in accordance with the WiMAX Forum Network Reference Model (NRM). 5

6 Introduction to Security in Wireless Networks Security is an important concern for the network operator and the network user. The network operator wants to know that the users and the devices connected to their network are who they say they are (to prevent malicious attacks, user spoofing), that they are accessing services that they are authorised to access and that the network users pay for the services they have used. The network users want to ensure that their privacy is protected, that the integrity of the data they send and receive is not compromised, that they can access the services they have subscribed to and that they are not over charged for those services. In fact, the expectations of the network operator and the network user are not contradictory but complimentary. Any well designed network needs to deliver these perfectly reasonable expectations which can only be achieved by the equipment vendors, system integrators and network operators working together and making the right design choices. In table 1 below, we have summarised these security expectations Stakeholder Security Concern Comment Network User Network Operator Privacy Data integrity Access to services Correct accounting User authentication Device authentication Authorization Access control Protect from eavesdropping Protect user data from being tampered in transit User has the correct credentials Accuracy and efficiency of accounting Is the user who he says he is? Is the device the correct device? Is the user authorized to receive a particular service? Only authorized users have access to services Table 1 Security Expectations 6

7 Security is handled at multiple layers of the network, each layer handling a complimentary aspect of security. Security functions can be mapped to different layers of the OSI 7-layer model as shown in Figure 1 below. 7 Application Layer Digital signatures, certificates, endto-end security 4 Transport Layer Transport layer security (TLS) 3 Network Layer IPsec, AAA infrastructure, RADIUS 2 Data Link Layer AES, PKI, X Physical Layer WiMAX PHY Figure 1 Security functions at various network layers The security sublayer specified by the IEEE e-2005 only deals with the Data Link Layer security. Link Layer authentication and authorization ensures that the network is only accessed by permitted users. Link Layer encryption ensures privacy and protects traffic data from eavesdropping by unauthorised third parties. Network Layer security measures protect the network from malicious attacks achieved through the use of firewalls and AAA servers. RADIUS is the most widely used protocol for AAA interactions. Mobile WiMAX network architecture addresses the use of these techniques by providing an AAA based secure roaming model. The Transport and Application layers provide additional security measures as deemed appropriate by the network operator, application service providers (ASPs) or the end users themselves. The security measures employed at the higher layers are outside the scope of this white paper. 7

8 Data Link Layer Security Authentication The Data Link Layer security functions encompass the essential functions of authentication, authorization and encryption which take place between the end user station [note that we will talk about mobile station (MS) but the same principles also apply to subscriber stations (SS)] and the base station (BS) over the IEEE e air interface. Please note that in this section, for simplicity, we will attribute various security functions to the BS. In reality all these functions may not reside in the BS and may be performed in conjunction with other nodes in the network as will be explained in detail in the Mobile WiMAX Network Architecture section on page 13. We will now consider how these functions are performed. Authentication comes in two forms: unilateral authentication where the BS authenticates the MS and mutual authentication where the BS authenticates the MS and the MS authenticates the BS Every WiMAX implementation must have unilateral authentication. Experience has shown that mutual authentication is also extremely useful to have. Authentication is achieved using a public key interchange protocol which ensures not only authentication but also the establishment of encryption keys. In public key interchange schemes each participant must have a private key and a public key. The Public key is known widely whereas the private key is kept secret. WiMAX e-2005 standard defines a Privacy Key Management (PKM) protocol which allows for three types of authentication: a RSA based authentication - X.509 digital certificates together with RSA encryption b EAP based authentication (optional) c RSA based authentication followed by EAP authentication PKM authentication protocol establishes a shared secret key called Authorization Key (AK) between the MS and the BS. Once a shared AK is established between the BS and the MS, Key Encryption Key (KEK) is derived from it. KEK is then used to encrypt subsequent PKM exchanges of Traffic Encryption Key (TEK). 8

9 In the RSA based authentication, a BS authenticates the MS by virtue of its unique X.509 digital certificate which has been issued by the MS manufacturer. The X.509 certificate contains the MS s Public Key (PK) and its MAC address. When requesting an AK, the MS sends its digital certificate to the BS which validates the certificate and then uses the verified PK to encrypt an AK which is then sent back to the MS. All MSs that use RSA authentication have factory installed private/public key pairs (or an algorithm to generate the keys dynamically) together with factory installed X.509 certificates. In the case of EAP based authentication the MS is authenticated either through a unique operator issued credential, such as a SIM or though an X.509 certificate as described above. The choice of authentication method depends on the operator s choice of type of EAP as follows: EAP-AKA (Authentication and Key Agreement) for SIM based authentication, EAP-TLS for X.509 based authentication EAP-TTLS for MS-CHAPv2 (Microsoft-Challenge Handshake Authentication Protocol) The BS associates the MS s authenticated identity to a paying subscriber and hence to the services the subscriber is authorized to access. Thus, through the exchange of AK, the BS determines the authenticated identity of the MS and the services it is authorized to access. Security Association A Security Association (SA) is defined as the set of security information shared between a BS and one or more of the MSs connected to that BS in order to support secure communications across the WiMAX access network. Three types of SA have been defined, primary, static and dynamic. Each MS establishes a primary SA during the MS initialization phase. Static SAs are provided within the BS. Dynamic SAs are created and destroyed in real time in response to the creation and termination of service flows. Each MS can have several service flows on the go and can therefore have several dynamic SAs. The BS makes sure that the assigned SAs are compatible with the service types the MS is authorised to access. 9

10 Authorization Following authentication, MS requests authorization from the BS. This is a request for an AK as well as for an SA identity (SAID). The Authorization Request includes MS s X.509 certificate, encryption algorithms and cryptographic ID. In response, the BS carries out the necessary validation (by interacting with an AAA server in the network) and sends back an Authorization reply which contains the AK encrypted with the MS s public key, a lifetime key and an SAID. These processes are further discussed in the Mobile WiMAX Network Architecture section on page 13. After the initial authorization, the AAA via the BS periodically reauthorizes the MS. Traffic Encryption As we have seen above, the authentication and authorization process results in the assignment of and Authorization Key, which is 160 bits long. The Key Encryption Key is derived directly from the AK and is 128 bits long. The KEK is not used for encrypting traffic data; for this we require the Traffic Encryption Key which is generated as a random number in the BS using the TEK encryption algorithm where KEK is used as the encryption key. TEK is then used for encrypting the data traffic. 10

11 Summary Table 2 below summarises how the mobile WiMAX standard addresses the security requirements summarised in Table 1 on page 6 above. Stakeholder Security Concern Comment How does WiMAX address it? Privacy Protect from RSA encryption, eavesdropping EAP-TLS, PKM protocol Network User Data integrity Protect user data from RSA encryption, being tampered in EAP-TLS, PKM protocol transit Access to services User has the correct X.509, EAP credentials Correct accounting Accuracy and efficiency AAA architecture of accounting User authentication Is the user who he says X.509, EAP-TTLS he is? Network Operator Device authentication Is the device the X.509, EAP-TTLS correct device? Authorization Is the user authorized RSA, EAP, PKMv2 to receive a particular protocol service? Access control Only authorized users RSA, EAP, PKMv2 have access to services protocol Table 2 How WiMAX standard addresses security expectations 11

12 Network Aspects of Security Up until now we have considered the security related interactions and protocols between the SS and the BS. Now let s consider what happens at the network level and where the intelligence may reside. Figure 2 below shows a typical access control architecture. EAP EAP WiMAX Link Layer AAA - RADIUS Mobile Station (MS) Authenticator IP Cloud Authentication Server Figure 2 Typical access control architecture Extensible Authentication Protocol (EAP) defined by IETF (RFC 3748) is a flexible framework which allows complex authentication protocols to be exchanged between the end user and the authenticator. In WiMAX, between the MS and the BS EAP runs over the WiMAX PHY and MAC utilising the PKMv2 protocol as defined in e If the authenticator function is not in the BS, the BS relays the authentication protocol to the authenticator (in the Access Services Network). From the authenticator to the authentication server (typically in the Home Connectivity Service Network) EAP is carried over RADIUS. RADIUS is a widely used standard. It has a client/server architecture and utilises UDP messages. The authentication server is also the RADIUS server, whereas the authenticator acts as a RADIUS client. In addition to authentication, RADIUS also supports authorization and accounting functions. 12

13 Mobile WiMAX Network Architecture We will now consider this Mobile WiMAX network architecture as defined by the IEEE e-2005 standard from a security point of view and map the concepts from earlier sections onto this network architecture. Network Reference Model Mobile WiMAX end-to-end network architecture model follows the Network Reference Model (NRM), the first release of which is shown below. The NRM was developed by WiMAX Forum s Network Working Group (NWG). R2 NAP Network Access Provider HOME NSP Network Service Provider Internet BS AAA HA Mobile Station (MS) R1 R8 R6 IP Cloud ASN GW (FA) R6 BS ASN Access Service Network R4 R3 IP Cloud CRM IMS Billing CSN Connectivity Service Network R5 ASPs Legacy Core Networks 2G/3G Mobile Networks Another ASN Other Operator s CSN Figure 3 Mobile WiMAX Network Reference Model 13

14 Network Reference Model reference points are summarised in the table below: R1 R2 R3 R4 R5 R6 R8 Interface between the MS and the ASN Functionality: air interface Interface between the MS and the CSN Functionality: AAA, IP host configuration, mobility management Interface between the ASN and CSN Functionality: AAA, policy enforcement, mobility management Interface between ASNs Functionality: mobility management Interface between CSNs Functionality: internetworking, roaming Interface between BTS and ASN gateway Functionality: IP tunnel management to establish and release MS connection Interface between Base stations Functionality: handoffs Table 3 NRM Reference Point Summary The IEEE e-2005 standard calls for the ability to manage subscriber mobility at a number of layers as well as to authenticate, account and apply policy on a per subscriber basis. This is achieved by dividing the WiMAX network into two main parts: Access Service Network (ASN) and Connectivity Service Network (CSN). The ASN consists of the WiMAX base stations and the ASN Gateway, whereas, the CSN is at the core of the network providing control and management functions such as AAA, DHCP, FTP and IMS. A key element of the ASN is the ASN Gateway, which controls and aggregates the traffic from one or more WiMAX base stations, and managing handover between them, which includes maintaining authentication, service flows and key distribution between base stations. 14

15 ASN Profile C and Security The NWG has defined three ASN profiles, referred as profile A, B and C from which vendors and service providers can select their preferred solution. Profile A and C both use centralized ASN Gateways, however, in Profile C the base stations are responsible for implementing the Radio Resource Management (RRM) and Handover management functions. Profile B embeds the key ASN functionality inside the base station, which removes the need for a centralised ASN gateway. Recently Profile A has been withdrawn leaving just Profiles B and C. Airspan currently offers profile C compliant solutions in collaboration with the specialist ASN Gateway vendor Starent. Airspan s ASN Gateway portfolio is called ControlMAX. Table 4 below maps the functionality split (including the security functionality) of ASN between the BS and the ASN Gateway for an ASN profile C implementation. Category Function ASN Profile C BS ASN GW Security Authenticator Handoff Management Radio Resource Management (RRM) Authentication relay Key distributor Key receiver Data path function Handover control Context server and client MIP foreign agent Radio resource controller Radio resource agent Paging Paging controller Paging agent Quality of service SF authorisation SF manager Table 4 ASN Profile C functionality split for 15

16 For an ASN Profile C implementation, the interactions between the BS and ASN Gateway over R6 for discharging the security functions are shown in Figure 5 below. Base Station ASN (Profile C) ASN Gateway Authentication Relay Authentication relay protocol Authenticator AAA Server Key receiver Authentication key transfer protocol Key distributor R6 Figure 5 ASN Profile C security architecture ASN and CSN Interaction for Security Connectivity Service Network (CSN) is the core of the network. It controls and manages the ASNs and the subscribers with a variety of services such as AAA, Home Agent functions, DHCP server, etc. CSN is also responsible for connecting to other operator s networks and enables inter-operator and inter-technology roaming. Figure 6 below shows the protocol stack for AAA in mobile WiMAX network implementation. It is worth noting that EAP layer operates over the R1/R3/R5 reference points and the EAP methods (AKA, TSL/TTLS) operate over R2. 16

17 MS BS ASN GW AAA Proxy AAA Server ASN Visited CSN Home CSN EAP-TLS, EAP-TTLS, PEAP EAP PKM v2 EAP AAA Protocol Authentication relay encapsulation protocol UDP/IP Figure 6 Protocols for Mobile WiMAX AAA When authentications of both the end user and the device need to be performed and these authentications terminate in different AAA servers, the favoured approach in PKMv2 is to use EAP-TTLS instead of double authentication. In double authentication, first device authentication then user EAP authentication takes place before the MS is allowed access to IP services. In EAP-TTLS authentication however, double authentication is dispensed with and by virtue of tunnelling to the appropriate AAA server, the same AAA server is used for both, thus shortening the authentication process. 17

18 Service Flow Management and Authorization Service Flow Management (SFM) and Service Flow Authorization (SFA) are the logical functional entities, closely associated with QoS, located in the ASN that act as policy enforcement and policy decision points. For ASN Profile C, the SFM function is located in the BS and the SFA function is located at the ASN GW. The Service Flow Manager (SFM) located in the BS is responsible for the creation, admission, activation, modification, and deletion of IEEE e-2005 service flows. It consists of an Admission Control (AC) function, data path function and the associated local resource information. AC decides whether a new service flow can be admitted to the system. Service Flow Authorization (SFA) is located at the ASN GW and is responsible for evaluating any service request against the subscriber's QoS profile. If the SFA already has the user QoS profile then it evaluates the incoming service requests against the user s profile. If the SFA does not have the user profile then it sends the service request to the Policy Function (PF) for decision making. The Policy Functions (PFs) and its associated database reside in the CSN of both the home and the visited network. 18

19 Summary In this white paper we set out to de-mystify the whole topic of wireless security and to put it into some kind context that makes it easier to understand the key concepts. Security is of crucial importance in deploying a successful mobile WiMAX network. It is an important issue both for the end users and the network operators and must be addressed and resolved from Day 1. In the past there have been well publicised security loopholes in security implementations. IEEE e-2005 standard has embraced the lessons learnt and has specified a comprehensive set of solutions. It is up to the equipment vendors, systems integrators and network operators to work together to implement a network-wide security policy appropriate for the network. 19