Enhancing Security Using the Discarded Security Information in Mobile WiMAX Networks

Youngwook Kim and Saewoong Bahk
School of Electrical Engineering and Computer Science, INMC
Seoul National University, Shillim-dong, Kwanak-gu, Seoul, Korea
{kiyewo,

Abstract

In Mobile WiMAX (M-WiMAX), some bits of the Cipher-based Message Authentication Code (CMAC) are truncated when it is generated for security, and some part of the keying material is discarded when the key hierarchy is derived. In this paper, we exploit this discarded information to enhance security in M-WiMAX, and consider two cases of discarded information. First, we propose to use the truncated upper 64 bits of the CMAC, which we name Shared Authentication Information (SAI), to compensate for the weakness in the signalling protocol that leaves M-WiMAX vulnerable to DDoS attacks. Second, we use the truncated 192 bits of the Master Session Key (MSK), which we name the Shared Authentication Key (SAK), as a temporary authentication root key for inter-domain or inter-authenticator handover. The purpose of using the SAK is to reduce the authentication latency during handover. As this paper opens the possibility of using such discarded security information to enhance security, the approach may be applied to other security systems in a similar way.

This work was supported by the IT R&D program of MKE/IITA [2007-F , Fundamental Technologies for the Future Internet]. This research is supported by Foundation of ubiquitous computing and networking (UCN) Project, the Ministry of Knowledge Economy (MKE) 21st Century Frontier R&D Program in Korea and a result of subproject UCN 08B3-B3-10M.

I. INTRODUCTION

Security in wireless communication is becoming more important in ubiquitous environments because of the heavy dependency on networking. A shared secret is commonly used to provide authentication. Interestingly, most shared secrets are not used completely: the secret is truncated to a proper size for use, and the remaining part, which could otherwise have been used, is discarded. This enables us to use the discarded security information to enhance the security of the M-WiMAX network.

Attempts to protect mobile wireless networks from DDoS attacks have been made recently. P. C. Lee, et al. identified a signalling DoS attack and suggested a solution based on the statistical cumulative sum (CUSUM) method [1]. In [2], Zhang and Fang suggested the possibility of a redirection attack through a false Base Station (BS) in a 3G network and modified the 3GPP Authentication and Key Agreement (3GPP-AKA) algorithm to defend the network against it. In [3], Liang and Wang analyzed the effect of authentication on QoS by applying queuing theory. They mainly focused on the aspects of authentication cost and delay.

Decreasing the authentication delay during handover is another important issue in the wireless security area, in order to support fast handover. H. Wang, et al. proposed a ticket-based scheme for mobility support in [5]. In [4], a cryptographic credential is used. The IETF Handover Keying Working Group (HOKEY WG) is also working on this issue [6] [9]. It suggests EAP re-authentication extensions (ERX), which specify a new key hierarchy and re-authentication procedures based on the Extensible Authentication Protocol (EAP).

This work makes two contributions. First, we authenticate the user in idle mode by checking the possession of some discarded security information, so as to preserve network availability against a possible DDoS attack. Second, we propose a temporary authentication scheme, which uses temporary keys derived from discarded bits of security information, to overcome the long latency problem during handover.

The rest of the paper is organized as follows. Section 2 describes the vulnerability in the signalling protocol that leads to a DDoS attack in M-WiMAX and proposes a defense mechanism. Section 3 considers a temporary authentication scheme and discusses its security. Section 4 concludes the paper.

II. COMPLEMENTING SECURITY VULNERABILITY IN SIGNALLING PROTOCOL

In this section, we consider a possible DDoS attack exploiting the vulnerability in the signalling protocol of M-WiMAX and propose a simple solution.

A. M-WiMAX & Shared Authentication Information

1) M-WiMAX Network Reference Model: The M-WiMAX network has been proposed to support broadband wireless services by implementing the IEEE e standard. It provides wireless last mile access for fixed, pedestrian, or mobile users in a metropolitan area and replaces wired last mile access such as xDSL, ISDN, CATV, etc. The M-WiMAX network reference model consists of the Access Service Network (ASN) and the Connectivity Service Network (CSN), as shown in Fig. 1. The ASN, formed by the Base Station (BS) and the ASN Gateway (ASN GW), offers radio access to each Mobile Subscriber (MS), and the CSN provides IP connectivity service to MSs. The ASN GW is placed at the boundary of the ASN and connects BSs to the CSN [10].

Fig. 1. Mobile WiMAX Network Reference Model.

2) CMAC and Shared Authentication Information: M-WiMAX adopts CMAC to protect the integrity of management messages. Either the MS or the BS calculates the CMAC for each management message and appends it to the management message. The receiving party verifies the CMAC by recalculating it. In IEEE e, the least significant 64 bits of the 128-bit CMAC are used as the CMAC and the most significant 64 bits are discarded. This means that both parties know all 128 bits of the CMAC but only half of them are transmitted over the air. We name the unused 64 bits Shared Authentication Information (SAI) and use it as a proof that an MS aware of the SAI is properly registered. The advantages of using SAI are as follows.

1) No additional processing and message exchanges are required to obtain and share the SAI, because the SAI is obtained along with the CMAC calculation for any selected management message.
2) The SAI is a shared secret between the MS and the BS, so no other entity in the network can know about it before submission.
3) The security assurance of the SAI is guaranteed as much as that of the CMAC because their lengths and algorithms are the same.
4) When the SAI is submitted, it can be inserted as a TLV (Type, Length, Value), requiring no modification to the standard.

B. DDoS and MS Authentication

1) Signalling Protocol Vulnerability: An MS estimates its channel quality through ranging in M-WiMAX. The BS allocates the ranging interval, and the MS chooses an appropriate ranging code and transmits it during the interval to obtain the bandwidth for ranging. On successful reception, the BS allocates appropriate bandwidth to the MS. As no authentication or authorization is required in this procedure, any MS can request the bandwidth for ranging. This opens the possibility of a DDoS attack on the BS and the ASN GW.

2) DDoS attack and Authentication of an MS in idle mode: When an MS in idle mode updates its location or re-enters the network, the BS can assure the integrity of the Ranging Request message (RNG-REQ) by CMAC. Since the BS doesn't track location changes of an MS in idle mode, it requests information on the MS from the ASN GW. The ASN GW generates and sends a new AK context to the BS. Then the BS verifies the CMAC by using the AK context. If the CMAC is invalid, the RNG-REQ is ignored. In this process, it is reasonable for the network not to execute AK context generation and CMAC verification if the MS is not registered, because an unregistered MS cannot generate the correct CMAC. Otherwise malicious MSs can send numerous RNG-REQs exploiting the signalling protocol vulnerability, which becomes a DDoS attack on the BS and the ASN GW. Therefore we propose a simple defense mechanism that authenticates an MS using the SAI and runs before CMAC verification for the RNG-REQ.

3) MS Authentication using SAI: Fig. 2 shows the procedures that use the SAI for Location Update (LU) authentication of an MS in idle mode. At the beginning, the MS sends a Deregistration Request message (DREG-REQ) to the BS. The MS calculates the CMAC for the DREG-REQ, truncates the most significant 64 bits of the CMAC as the SAI, and sends the DREG-REQ to the BS. The DREG-REQ message contains only the least significant 64 bits of the CMAC. The BS receiving the DREG-REQ verifies the CMAC and obtains the SAI by recalculating the whole CMAC for the received DREG-REQ. It then sends the MS's identifier and the SAI to the PC with an MS-info Request message. The PC stores the SAI and replies with the result in an MS-info Response message. The SAI sharing in Fig. 2 depicts this procedure. When the MS updates its location, it sends an RNG-REQ containing the SAI to the BS. This BS may not be the same BS where the MS entered idle mode. The BS passes the SAI with the LU REQ to the PC, which has the SAI. The PC then verifies the SAI.
If correct, it gets the AK context from the Authenticator and returns a Ranging Response message (RNG-RSP) to the BS. Otherwise it aborts these procedures.

The SAI update should be performed for the next LU when MS authentication is successful, since the SAI is submitted to the PC as a part of a management message, which is transmitted without encryption. The remaining CMAC of the RNG-RSP is used as the new SAI, and the BS informs the PC of it by using the LU Confirm message. Fig. 2 shows the procedures for SAI sharing, verification, and update.

Fig. 2. Procedures for applying SAI.

In the next subsection, we evaluate the burden of AK context generation and CMAC verification as well as MS authentication, and compare these in terms of processing overhead and delay to confirm the effectiveness of using the SAI.

C. Simulation & analysis

1) Simulation Results: We modified the standard C implementation of the AES128-CMAC algorithm and the dot16kdf function to apply the SAI [12] [14]. We measure the CPU cycles required for CMAC value calculation, AK context generation, and SAI verification using the rdtsc instruction. The number of CPU cycles is averaged over 1000 simulations. The simulation runs on 2.4 GHz Pentium 4 computers running Windows XP. We assume the lengths of the LU REQ, LU RSP, LU REQ + SAI, and LU RSP + SAI messages to be 44 bytes, 232 bytes, 56 bytes, 52 bytes, respectively. For delay analysis, we measure queueing delay by using the rdtsc instruction and calculate transmission delay over the 100 Mbps backhaul link. Table I shows the simulation results. While CMAC calculation and AK context generation require and cycles, respectively, SAI verification requires only 8 cycles to compare the stored and submitted SAIs.

TABLE I. SIMULATION RESULTS (CYCLES)
Rows: CMAC calc; AK context gen; SAI verification (8); Transmission (100 Mbps) of LU REQ, LU RSP, LU REQ+SAI, LU RSP+SAI; Queueing.

2) Analysis of Processing Overhead and Delay: We calculate the total processing overhead with and without the SAI. Without the SAI, the overhead consists of CMAC calc., LU REQ/RSP trans., AK context gen., and queueing, resulting in a total of cycles regardless of whether the network is being attacked or not. With the SAI, CMAC calc. and AK context gen. are not executed under DDoS attack, resulting in a total of cycles, but SAI verification is needed under normal operation, which results in a total of cycles. The results reveal that the total overhead increases by 1 % under normal operation and decreases by 59 % under DDoS attack.

We also calculated the CPU cycles required for each operation to observe the delay reduction when using the SAI. With a larger distance between the BS and the ASN GW, the portion of reducible delay (AK context gen. + CMAC calc.) decreases since the propagation delay is dominant. For 12 km of backhaul link, which has a propagation delay of 40 µs, we can reduce the response delay by 23 %, and for 30 km by 15 %. This means that using the SAI contributes greatly to reducing the processing overhead but not the communication delay, which mainly depends on the distance between the BS and the ASN GW.

III. REDUCING HANDOVER LATENCY USING TEMPORARY AUTHENTICATION

Inter-domain or inter-authenticator handover involves a long delay for authentication of the visiting user, because the AAA server of the visited domain has to communicate with that of the home domain. Here we refer to a domain as a key management domain, which is defined in [6]. One large ISP domain may have several key management domains to expedite key management. Therefore it is important to reduce this authentication delay, especially for supporting delay-sensitive services.

A possible approach is to apply the ERP of the HOKEY WG in the IETF [6]. When an MS moves to a new authenticator or a new key management domain, it bootstraps the ERP for the EAP server at the new location to have rrk or DSRK. The key hierarchy and bootstrapping procedures are shown in Fig. 3 and Fig. 4 respectively. Once the bootstrapping is completed, the MS can re-authenticate itself with its local (i.e., visitor) authenticator. Thus the re-authentication delay can be reduced. But the ERP bootstrapping requires communication with an EAP server in the home domain, which causes some delay when the home domain is distant. So even if the ERP is used for re-authentication, we still need a fast and temporary authentication method that works until the bootstrapping is completed for the inter-key-management-domain handover. To this end, we exploit unused shared security information. As our approach is designed for general purpose, it can be applied even when the ERP is not deployed.

Fig. 3. Proposed and ERX Key Hierarchies. (a) ERP key hierarchy: EMSK (Extended MSK, Home EAP Server), DSRK (Domain Specific Root Key, Foreign EAP Server), DS-rRK (DS re-authentication Root Key, Foreign EAP Server), DS-rMSK (DS re-authentication MSK). (b) Proposed key hierarchy: MSK (512-bit Master Session Key), SAK (192-bit Shared Authentication Key, Home Authenticator), trk (192-bit temporary Root Key), tpmk (160-bit temporary PMK).

A. Shared Authentication Key

M-WiMAX uses EAP to authenticate an MS, and the MS (EAP peer) shares an MSK with the ASN GW (Authenticator) as a result [10]. The MSK is truncated to generate the 160-bit Pairwise Master Key (PMK) and the 160-bit EAP Integrity Key (EIK).

Fig. 4. EAP Re-authentication Procedure (ERP).

Since the MSK is 512 bits, 192 bits of the MSK are discarded. We name the discarded 192 bits the Shared Authentication Key (SAK) and use it as a root key for the proposed temporary authentication. We design a new key hierarchy and transport procedures for these keying materials toward the target authenticator to support delay-sensitive traffic during the inter-key-management-domain handover. Because our temporary authentication method doesn't require any communication with an EAP server in the home domain, it reduces the authentication delay significantly. The MS and the authenticator use the temporary authentication until the ERP bootstrapping is completed or, if ERP is not applied, until the EAP re-authentication is completed.

The SAK is located at the top of the proposed key hierarchy, and the current serving authenticator derives the temporary Root Key (trk) from the SAK. The trk is then transported to the target authenticator and used to generate the temporary PMK (tpmk). The current authenticator doesn't let the SAK leave it. It generates the trk from the SAK and transports it to the target authenticator. This prevents the domino effect, which is discussed in the next subsection. Fig. 3 and 5 show the key hierarchy and the keying material transport procedures.

Our temporary authentication starts at the beginning of handover. If the M-WiMAX MAC works at the EAP lower layer, it sends a MOB MSHO-REQ message to the authenticator in the current domain to start handover. The authenticator then derives a trk from the SAK and sends it to the target authenticator. The trk is used to derive the tpmk, which is subsequently used for deriving the child keys. After this, a MOB HO-RSP message, which indicates readiness for handover, is sent along with the target authenticator ID and the EAP session ID. Then the MS derives the trk and its child keys, and uses them for communication with the target authenticator after handover. Since the required keys are quickly obtained from the temporary authentication, the MS can start communication with the target authenticator without delay.

Fig. 5. Temporary Authentication Procedures. (Steps shown: SAK -> trk; EAP lower layer (HO RSP, Auth_ID, EAP_session_ID); AAA (trk transport); AAA (confirm); trk -> tpmk; tpmk -> child keys; followed by ERP bootstrapping and ERP re-auth.)

While the proposed authentication requires 1 round-trip to the nearby authenticator, which is much closer than the EAP server in the home domain, ERP bootstrapping requires several round-trips to the EAP server in the home domain, e.g., EAP-AKA, 2 round-trips (see Fig. 5 and 4). Therefore even if we assume that the one-way delay to the nearby authenticator is almost the same as the one to the local EAP server, the expected delay reduction is four times the one-way delay between the local and the home EAP server.

B. Security Considerations

There is a concern that sharing keying materials between authenticators can be insecure, because the compromise of an authenticator can reveal keying materials of other authenticators. In our proposal, since the SAK stays only with the current authenticator, it is secure, and only the trk can be revealed when the target authenticator is compromised. This removes the possibility of the domino effect. Even if the attacker is able to obtain the SAK from the trk in some way, the impact is limited because the SAK uses the discarded part of the MSK. To show this, we first explain the key generation procedures.
1) Procedure for MSK generation in EAP-AKA [17]: The Master Key (MK) is derived using SHA1 with CK, IK, and the identity as input parameters. The MK is then fed into a Pseudo-Random number Function (PRF), which generates the authentication key, K_aut, and the encryption key, K_encr, to protect EAP-AKA packets, as well as an MSK for link layer security and an EMSK for other purposes. The PRF is specified below in Algorithm 1 [16] [17]. The function G in line 8 is constructed via the Secure Hash Standard following Appendix 3.3 in [16]. It is almost the same as SHA-1 except for the message padding. In this algorithm, both the XKEY and XVAL values are 160 bits. The MK from each full authentication is used as the initial secret seed-key XKEY. The XSEED_j in line 5 is set to zero. As a result, the algorithm generates the 320-bit random numbers x_0, x_1, ..., x_{m-1}. They are then concatenated, partitioned into suitable-sized chunks, and used as the keys in the following order: K_encr (128 bits), K_aut (128 bits), MSK (512 bits), and EMSK (512 bits).

Algorithm 1 Pseudo-Random Number Generator
 1: procedure PRNG(MK)                       // MK as input to PRNG
 2:   XKEY <- MK                             // in EAP-AKA
 3:   t <- EFCDAB89 98BADCFE C3D2E1F0        // assigned init val in [15]
 4:   for j = 0 to m - 1 do
 5:     XSEED_j <- 0                         // no optional user input
 6:     for i = 0 to 1 do
 7:       XVAL <- (XKEY + XSEED_j) mod 2^b
 8:       w_i <- G(t, XVAL)
 9:       XKEY <- (1 + XKEY + w_i) mod 2^b
10:     end for
11:     x_j <- w_0 || w_1
12:   end for
13: end procedure

Fig. 6. EAP-AKA keys. (x_0 to x_3 partitioned into K_encr (128 bits), K_aut (128 bits), MSK (512 bits; PMK, EIK, SAK) and EMSK (512 bits).)

2) Security Proof of SAK: As there is a possibility of obtaining the PMK from the SAK, we discuss the security proof of the SAK. We generate and concatenate 4 chunks of x_j, i.e., x_0, x_1, x_2, and x_3, to get the MSK. Then we partition the concatenated chunks into suitable-sized pieces as shown in Fig. 6. The MSK contains 64 bits of x_0, 320 bits of x_1, and 128 bits of x_2. Each x_j in turn consists of 2 w_i's, and each w_i is generated from a different XKEY and XVAL (see lines 7 and 9). For each w_i generation, XKEY and XVAL are updated.

Suppose an attacker knows the SAK by chance. That is, the attacker knows a part of w_1 of x_1 and a part of w_0 of x_2. Then the question arises: is the attacker able to guess the PMK correctly? Or is the attacker able to guess the part of w_1 of x_0 and the part of w_0 of x_1 which form the PMK? To make this problem simple and more attacker-friendly, assume that the attacker knows the whole of w_1 of x_1 and w_0 of x_2, which is more powerful than knowing the whole SAK. Then, is he able to guess w_0 of x_1, which is easier than guessing the whole PMK? For this guess to be valid, the function G should be reversible, i.e., the preimage of G should be obtainable from the result of G.
But G is based on SHA1, which is a one-way hash function. A one-way hash function has the preimage-resistance property: for a given h, it should be hard to find any m such that h = hash(m). Therefore, it is computationally infeasible for the attacker to guess the PMK even if he has full knowledge of the SAK. We conclude that the use of the discarded bits of the MSK for the SAK is computationally secure.

Another merit of our approach is that temporary authentication is valid only for a limited time, i.e., until the ERP bootstrapping is completed. This hinders attackers from obtaining information about keying materials.

To implement temporary authentication across ISP domains, a domain operator should allow the authenticator at the domain boundary to be partly controlled by neighbor domain operators. This is something that most operators hesitate to agree upon. This condition can be relaxed by locating the proxy-authenticator at the boundary.

IV. CONCLUSION

In this paper, we proposed a security enhancing scheme which exploits discarded security information in M-WiMAX.

REFERENCES

[1] P. C. Lee, T. Bu, and T. Woo, "On the Detection of Signalling DoS Attacks on 3G Wireless Networks," in Proc. INFOCOM 2007, Anchorage, Alaska, May
[2] M. Zhang and Y. Fang, "Security Analysis and Enhancements of 3GPP Authentication and Key Agreement Protocol," IEEE Trans. on Wireless Communications, vol. 4, no. 2, pp , Mar
[3] W. Liang and W. Wang, "Quantitative Study of Authentication and QoS in wireless IP networks," in Proc. INFOCOM 2005, Miami, USA, Mar
[4] T. Aura and M. Roe, "Reducing Reauthentication Delay in Wireless Networks," in Proc. SECURECOMM 2005, Athens, Greece, Sep
[5] H. Wang, Y. Zhang, J. Cao, and Y. Kambayashi, "A Global Ticket-Based Access Scheme for Mobile Users," ACM Information Systems Frontiers, vol 6, issue 1, Mar,
[6] V. Narayanan and L. Dondeti, "EAP Extensions for EAP Reauthentication Protocol (ERP)," draft-ietf-hokey-erx (work in progress), Nov
[7] J. Salowey, L. Dondeti, V. Narayanan, and M. Nakhjiri, "Specification for the Derivation of Root Keys from an Extended Master Session Key (EMSK)," draft-ietf-hokey-emsk-hierarchy (work in progress), Nov
[8] M. Nakhjiri and Y. Ohba, "Derivation, delivery and management of EAP based keys for handover and re-authentication," draft-ietf-hokey-key-mgm (work in progress), Nov
[9] T. Clancy, M. Nakhjiri, V. Narayanan, and L. Dondeti, "Handover Key Management and Re-authentication Problem Statement," draft-ietf-hokey-reauth-ps (work in progress), Nov
[10] WiMAX Forum, "WiMAX End-to-End Network Systems Architecture - Stage 3: Detailed Protocols and Procedures," Aug
[11] IEEE Std e-2005, "Standard for Local and Metropolitan area networks - Part 16: Air Interface for Fixed and Mobile Broadband Wireless Access Systems," Feb
[12] supplicant/
[13] J. H. Song, R. Poovendran, J. Lee, and T. Iwata, "The AES-CMAC Algorithm," IETF RFC 4493, Jun
[14]
[15] National Institute of Standards and Technology, U.S. Department of Commerce, Federal Information Processing Standard (FIPS) Publication 180-1, "Secure Hash Standard," April
[16] National Institute of Standards and Technology, Federal Information Processing Standard (FIPS) Publication (with change notice); "Digital Signature Standard (DSS)," January 2000, fips/fips186-2/fips186-2-change1.pdf.
[17] J. Arkko and H. Haverinen, "Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)," IETF RFC 4187, Jan
[18] Telecommunications Technology Association (TTA), "Mutual Authentication Mechanism for WiBro Service," TTAS.KO /R1, Annex A, Jun
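
Added example (not the authors' code) for the key derivation of Section III-B: Algorithm 1 with b = 160 and XSEED_j = 0, the partition of its output into K_encr, K_aut, MSK and EMSK, the PMK | EIK | SAK split of the MSK from Fig. 6, and the w_i words each key is cut from. Assumptions: the HMAC-SHA-256 step from SAK to trk and tpmk, its labels and the authenticator IDs are hypothetical, since the paper does not specify that derivation; the MK is a constructed value.

```python
import hashlib
import hmac
import struct

SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)  # SHA-1 initial hash value
LAYOUT = [("K_encr", 128), ("K_aut", 128), ("PMK", 160), ("EIK", 160), ("SAK", 192), ("EMSK", 512)]

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def g(t, c):
    """G(t, c) of FIPS 186-2: SHA-1 compression of c zero-padded to 512 bits, chaining value t."""
    w = list(struct.unpack(">16I", c.ljust(64, b"\x00")))
    for i in range(16, 80):
        w.append(rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c2, d, e = t
    for i in range(80):
        if i < 20:
            f, k = (b & c2) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c2 ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c2) | (b & d) | (c2 & d), 0x8F1BBCDC
        else:
            f, k = b ^ c2 ^ d, 0xCA62C1D6
        a, b, c2, d, e = (rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, rotl(b, 30), c2, d
    return struct.pack(">5I", *((x + y) & 0xFFFFFFFF for x, y in zip(t, (a, b, c2, d, e))))

def fips186_prf(mk, m=4):
    """Algorithm 1 with b = 160 and XSEED_j = 0. Returns (x_0 | ... | x_{m-1}, list of w words)."""
    xkey, words = int.from_bytes(mk, "big") % (1 << 160), []
    for _j in range(m):
        for _i in range(2):
            xval = xkey                          # (XKEY + XSEED_j) mod 2^b with XSEED_j = 0
            w = g(SHA1_IV, xval.to_bytes(20, "big"))
            xkey = (1 + xkey + int.from_bytes(w, "big")) % (1 << 160)
            words.append(w)
    return b"".join(words), words

def partition(stream):
    """Cut the PRF output in the order K_encr, K_aut, MSK (= PMK | EIK | SAK), EMSK."""
    keys, spans, pos = {}, {}, 0
    for name, bits in LAYOUT:
        keys[name], spans[name] = stream[pos // 8:(pos + bits) // 8], (pos, pos + bits)
        pos += bits
    keys["MSK"] = keys["PMK"] + keys["EIK"] + keys["SAK"]
    spans["MSK"] = (spans["PMK"][0], spans["SAK"][1])
    return keys, spans

def source_words(span):
    """PRF outputs a key is cut from, as (j, i) pairs meaning w_i of x_j."""
    return [(k // 2, k % 2) for k in range(span[0] // 160, (span[1] - 1) // 160 + 1)]

def derive_temp_keys(sak, target_auth_id):
    """Assumed KDF (the paper gives none): SAK -> 192-bit trk -> 160-bit tpmk."""
    trk = hmac.new(sak, b"trk|" + target_auth_id, hashlib.sha256).digest()[:24]
    tpmk = hmac.new(trk, b"tpmk", hashlib.sha256).digest()[:20]
    return trk, tpmk

def demo():
    mk = hashlib.sha1(b"constructed CK|IK|identity").digest()     # constructed MK
    keys, spans = partition(fips186_prf(mk)[0])
    trk_a, _ = derive_temp_keys(keys["SAK"], b"authenticator-A")  # hypothetical IDs
    trk_b, _ = derive_temp_keys(keys["SAK"], b"authenticator-B")
    shared = set(source_words(spans["PMK"])) & set(source_words(spans["SAK"]))
    sources = {name: source_words(spans[name]) for name in ("PMK", "EIK", "SAK")}
    return sources, shared, trk_a != trk_b

if __name__ == "__main__":
    print(demo())
```

The PMK and the SAK are cut from disjoint w_i words, which is the case the argument in Section III-B addresses; the EIK takes its bits from w_0 and w_1 of x_1, so it shares a word with each of them.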


INTERNATIONAL JOURNAL OF BASIC AND APPLIED SCIENCE. Analyzing Issues in Mobile Wimax Handover Using Qualnet Simulator Insan Akademika Publications INTERNATIONAL JOURNAL OF BASIC AND APPLIED SCIENCE www.insikapub.com P-ISSN: 2301-4458 E-ISSN: 2301-8038 Vol. 01, No. 02 Oct 2012 Analyzing Issues in Mobile Wimax Handover

More information

Performance of Soft Handover FBSS Compared to Hard Handover in case of High Speed in IEEE e for Multimedia Traffic

Performance of Soft Handover FBSS Compared to Hard Handover in case of High Speed in IEEE e for Multimedia Traffic SETIT 2009 5 th International Conference: Sciences of Electronic, Technologies of Information and Telecommunications March 22-26, 2009 TUNISIA Performance of Soft Handover FBSS Compared to Hard Handover

More information

Recognizing Handover Situation for Vertical Handovers using Mobile IPv6 Signaling

Recognizing Handover Situation for Vertical Handovers using Mobile IPv6 Signaling IJCSNS International Journal of Computer Science and Network Security, VOL.7 No.4, April 2007 173 Recognizing Handover Situation for Vertical Handovers using Mobile IPv6 Signaling Pyung-Soo Kim 1 and Yong-Jin

More information

IEEE WiMax Security

IEEE WiMax Security IEEE 80.6 WiMax Security Dr. Kitti Wongthavarawat Thai Computer Emergency Response Team (ThaiCERT) National Electronics and Computer Technology Center Thailand Presented at 7 th Annual FIRST Conference,

More information

Network Working Group Request for Comments: Nokia Siemens Networks February 2009

Network Working Group Request for Comments: Nokia Siemens Networks February 2009 Network Working Group Request for Comments: 5433 Category: Standards Track T. Clancy LTS H. Tschofenig Nokia Siemens Networks February 2009 Status of This Memo Extensible Authentication Protocol - Generalized

More information

NS-AKA: An Improved and Efficient AKA Protocol for 3G (UMTS) Networks

NS-AKA: An Improved and Efficient AKA Protocol for 3G (UMTS) Networks NS-AKA: An Improved and Efficient AKA Protocol for 3G (UMTS) Networks Neetesh Saxena, Narendra S. Chaudhari Abstract- In this paper, we propose an improved and efficient AKA protocol named NS-AKA to prevent

More information

Optimized Paging Cache Mappings for efficient location management Hyun Jun Lee, Myoung Chul Jung, and Jai Yong Lee

Optimized Paging Cache Mappings for efficient location management Hyun Jun Lee, Myoung Chul Jung, and Jai Yong Lee Optimized Paging Cache Mappings for efficient location management Hyun Jun Lee, Myoung Chul Jung, and Jai Yong Lee Abstract Cellular IP maintains distributed cache for location management and routing purposes.

More information

SMPTE Standards Transition Issues for NIST/FIPS Requirements

SMPTE Standards Transition Issues for NIST/FIPS Requirements SMPTE Standards Transition Issues for NIST/FIPS Requirements Contents 2010.5.20 DRM inside Taehyun Kim 1 Introduction NIST (National Institute of Standards and Technology) published a draft special document

More information

IEEE C802.16e-04/67r1. IEEE Broadband Wireless Access Working Group <

IEEE C802.16e-04/67r1. IEEE Broadband Wireless Access Working Group < 2004-05-172004-05-17 IEEE C802.16e-04/67r1 Project Title Date Submitted IEEE 802.16 Broadband Wireless Access Working Group Enhancement of 802.16e to Support Secure EAP PKM messages

More information

8. Network Layer Contents

8. Network Layer Contents Contents 1 / 43 * Earlier Work * IETF IP sec Working Group * IP Security Protocol * Security Associations * Authentication Header * Encapsulation Security Payload * Internet Key Management Protocol * Modular

More information

Security Enhanced IEEE 802.1x Authentication Method for WLAN Mobile Router

Security Enhanced IEEE 802.1x Authentication Method for WLAN Mobile Router Security Enhanced IEEE 802.1x Method for WLAN Mobile Router Keun Young Park*, Yong Soo Kim*, Juho Kim* * Department of Computer Science & Engineering, Sogang University, Seoul, Korea kypark@sogang.ac.kr,

More information

Improving the Data Scheduling Efficiency of the IEEE (d) Mesh Network

Improving the Data Scheduling Efficiency of the IEEE (d) Mesh Network Improving the Data Scheduling Efficiency of the IEEE 802.16(d) Mesh Network Shie-Yuan Wang Email: shieyuan@csie.nctu.edu.tw Chih-Che Lin Email: jclin@csie.nctu.edu.tw Ku-Han Fang Email: khfang@csie.nctu.edu.tw

More information

IEEE Broadband Wireless Access Working Group < Fixing mappings between primitive functions and NCMS services

IEEE Broadband Wireless Access Working Group <  Fixing mappings between primitive functions and NCMS services Project Title Date Submitted IEEE 802.16 Broadband Wireless Access Working Group Fixing mappings between primitive functions and NCMS services 2007-03-154 Source(s) Re: Ronald Mao,

More information

WiMAX and WiFi Interoperability in Next Generation Networks

WiMAX and WiFi Interoperability in Next Generation Networks WiMAX and WiFi Interoperability in Next Generation Networks Pedro Neves Crossnet Workshop Lisbon, February 19 th 2008 Portugal Telecom Inovação, S.A. Contents WiMAX & WiFi Overview Synergies Deployment

More information

Mobile WiMAX EPL 657. Panayiotis Kolios

Mobile WiMAX EPL 657. Panayiotis Kolios Mobile WiMAX EPL 657 Panayiotis Kolios 1 WiMAX Based on the 802.16 suite of protocols Air interface OFDMA defined under 802.16-2004 Mobility enhancements made under 802.16e include multi-path performance

More information

corrected PDF IEEE C802.16g-06/011r2

corrected PDF IEEE C802.16g-06/011r2 Project IEEE 802.16 Broadband Wireless Access Working Group Title Cleanup for security section Date 2006-01-1105 Submitted Sources Changhong Shan Voice: +86-21- Huawei Num 98, Long

More information

Adaptive Local Route Optimization in Hierarchical Mobile IPv6 Networks

Adaptive Local Route Optimization in Hierarchical Mobile IPv6 Networks Adaptive Local Route Optimization in Hierarchical Mobile IPv6 Networks Sangheon Pack, Taekyoung Kwon, and Yanghee Choi School of Computer Science and Engineering Seoul National University, Seoul, Korea

More information

IEEE Broadband Wireless Access Working Group < Corrections for the 3 Way SA-TEK Exchange

IEEE Broadband Wireless Access Working Group <  Corrections for the 3 Way SA-TEK Exchange Project Title Data Submitted Source(s) IEEE 802.16 Broadband Wireless Access Working Group Corrections for the 3 Way SA-TEK Exchange 2005-04-27 Seokheon Cho Sungcheol Chang Chulsik

More information

A Rouge Relay Node Attack Detection and Prevention in 4G Multihop Wireless Network using QOS-Aware Distributed Architecture

A Rouge Relay Node Attack Detection and Prevention in 4G Multihop Wireless Network using QOS-Aware Distributed Architecture A Rouge Relay Node Attack Detection and Prevention in 4G Multihop Wireless Network using QOS-Aware Distributed Architecture Miss. Shraddha V. Pawar 1, Prof. Sachin P. Patil 2 1Department of Computer Science

More information

A New Authentication Scheme of Binding Update Protocol on Handover in Mobile IPv6 Networks

A New Authentication Scheme of Binding Update Protocol on Handover in Mobile IPv6 Networks A New Authentication Scheme of Binding Update Protocol on Handover in Mobile IPv6 Networks Jung Doo Koo 1, Jungsook Koo 2, Dong Chun Lee 3 1 Dept. of Computer Science and Eng., Hanyang Univ., Korea jdkoo@cse.hanyang.ac.kr

More information

Lecture 1 Applied Cryptography (Part 1)

Lecture 1 Applied Cryptography (Part 1) Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication

More information

ID/LOC Separation Network Architecture for Mobility Support in Future Internet

ID/LOC Separation Network Architecture for Mobility Support in Future Internet ID/LOC Separation Network Architecture for Mobility Support in Future Internet Nakjung Choi, Taewan You, Jungsoo Park, Taekyoung Kwon and Yanghee Choi School of Computer Science and Engineering, Seoul

More information

Siemens Networks GmbH & Co KG January The EAP-PSK Protocol: A Pre-Shared Key Extensible Authentication Protocol (EAP) Method

Siemens Networks GmbH & Co KG January The EAP-PSK Protocol: A Pre-Shared Key Extensible Authentication Protocol (EAP) Method Network Working Group Request for Comments: 4764 Category: Experimental F. Bersani France Telecom R&D H. Tschofenig Siemens Networks GmbH & Co KG January 2007 The EAP-PSK Protocol: A Pre-Shared Key Extensible

More information

IJCSMS International Journal of Computer Science & Management Studies, Vol. 12, Issue 03, September 2012 ISSN (Online):

IJCSMS International Journal of Computer Science & Management Studies, Vol. 12, Issue 03, September 2012 ISSN (Online): Various handover processes in Wi-Max Deepak Nandal 1, Vikas Nandal 2 1 Asst Prof (CSE), PDM, Bahadurgarh dpk.nandal@yahoo.com 2 Asst. Prof (ECE) UIET, MDU, Rohtak, India nandalvikas@gmail.com Abstract

More information

How to Break EAP-MD5

How to Break EAP-MD5 How to Break EAP-MD5 Fanbao Liu and Tao Xie School of Computer, National University of Defense Technology, Changsha, 410073, Hunan, P. R. China liufanbao@gmail.com Abstract. We propose an efficient attack

More information

FSASD: A Framework for Establishing Security Associations for Sequentially Deployed WMN

FSASD: A Framework for Establishing Security Associations for Sequentially Deployed WMN FSASD: A Framework for Establishing Security Associations for Sequentially Deployed WMN André Egners, Hendrik Fabelje and Ulrike Meyer Research Group IT Security UMIC Research Center RWTH Aachen University

More information

Diminishing Signaling Traffic for Authentication in Mobile Communication System

Diminishing Signaling Traffic for Authentication in Mobile Communication System Diminishing Signaling Traffic for Authentication in Mobile Communication System Chi-Chun Lo and Kuen-Liang Sue Institute of Information Management National Chiao Tung University Hsinchu, Taiwan cclo@cc.nctu.edu.tw,

More information

FAST RE-AUTHENTICATION FOR EFFICIENT AND SEAMLESS HANDOVER IN 4G NETWORKS

FAST RE-AUTHENTICATION FOR EFFICIENT AND SEAMLESS HANDOVER IN 4G NETWORKS FAST RE-AUTHENTICATION FOR EFFICIENT AND SEAMLESS HANDOVER IN 4G NETWORKS 1 S.Arunkumar, 2 P.Rajkumar ABSTRACT -- Wireless technologies such as the Wireless Local Area Network (WLAN), the Worldwide Interoperability

More information

TDMA-Based Detection of Packet Modification Attacks in Wireless Sensor Networks 1

TDMA-Based Detection of Packet Modification Attacks in Wireless Sensor Networks 1 , pp.40-46 http://dx.doi.org/10.14257/astl.2016.142.07 TDMA-Based Detection of Packet Modification Attacks in Wireless Sensor Networks 1 Hae Young Lee and Hyung-Jong Kim Department of Information Security

More information

WiMAX End-to-End Network Systems Architecture

WiMAX End-to-End Network Systems Architecture WiMAX End-to-End Network Systems Architecture (Stage : Architecture Tenets, Reference Model and Reference Points) [GPP WiMAX Interworking] Authorized Distribution: Public Access subject to stated terms.

More information

Application of ESA in the CAVE Mode Authentication

Application of ESA in the CAVE Mode Authentication Application of ESA in the Mode Authentication Keonwoo Kim, Dowon Hong, and Kyoil Chung Abstract This paper proposes the authentication method using ESA algorithm instead of using algorithm in the CDMA

More information

ECMA-409. NFC-SEC-02: NFC-SEC Cryptography Standard using ECDH-256 and AES-GCM. 2 nd Edition / June Reference number ECMA-123:2009

ECMA-409. NFC-SEC-02: NFC-SEC Cryptography Standard using ECDH-256 and AES-GCM. 2 nd Edition / June Reference number ECMA-123:2009 ECMA-409 2 nd Edition / June 2015 NFC-SEC-02: NFC-SEC Cryptography Standard using ECDH-256 and AES-GCM Reference number ECMA-123:2009 Ecma International 2009 COPYRIGHT PROTECTED DOCUMENT Ecma International

More information

ENSC 427: Communication Networks Spring Final Project HTTP 1.1 Over WiMAX Daphne Mui

ENSC 427: Communication Networks Spring Final Project HTTP 1.1 Over WiMAX   Daphne Mui ENSC 427: Communication Networks Spring 2011 Final Project HTTP 1.1 Over WiMAX www.sfu.ca/~dlm3 Daphne Mui 301021622 dlm3@sfu.ca Team 7 Abstract WiMAX is IEEE Standard 802.16 [1]; a wireless technology

More information

Point-to-Point Extensions Working Group Internet Draft April EAP SIM Authentication (Version 1) draft-haverinen-pppext-eap-sim-01.

Point-to-Point Extensions Working Group Internet Draft April EAP SIM Authentication (Version 1) draft-haverinen-pppext-eap-sim-01. Point-to-Point Extensions Working Group Internet Draft H. Haverinen Nokia April 2001 EAP SIM Authentication (Version 1) draft-haverinen-pppext-eap-sim-01.txt Status of this Memo This document is an Internet-Draft

More information

Analyzing the performance of WiMAX zone handover in the presence of relay node Qualnet6.1

Analyzing the performance of WiMAX zone handover in the presence of relay node Qualnet6.1 IOSR Journal of Electronics and Communication Engineering (IOSR-JECE) e-issn: 2278-2834,p- ISSN: 2278-8735.Volume 9, Issue 3, Ver. IV (May - Jun. 2014), PP 49-53 Analyzing the performance of WiMAX zone

More information

A Study on Mobile Commerce AAA Mechanism for Wireless LAN *

A Study on Mobile Commerce AAA Mechanism for Wireless LAN * A Study on Mobile Commerce AAA Mechanism for Wireless LAN * Gwanyeon Kim 1, Chinu Lee 1, Sehyun Park 1 **, Ohyoung Song 1, and Byungho Jung 2 1 School of Electrical and Electronic Engineering, Chung-Ang

More information

Network Security: WLAN Mobility. Tuomas Aura CS-E4300 Network security Aalto University, Autumn 2017

Network Security: WLAN Mobility. Tuomas Aura CS-E4300 Network security Aalto University, Autumn 2017 Network Security: WLAN Mobility Tuomas Aura CS-E4300 Network security Aalto University, Autumn 2017 Outline Link-layer mobility in WLAN Password-based authentication for WLAN Eduroam case study 2 LINK-LAYER

More information

Performance Analysis of Hierarchical Mobile IPv6 in IP-based Cellular Networks

Performance Analysis of Hierarchical Mobile IPv6 in IP-based Cellular Networks Performance Analysis of Hierarchical Mobile IPv6 in IP-based Cellular Networks Sangheon Pack and Yanghee Choi School of Computer Science & Engineering Seoul National University Seoul, Korea Abstract Next-generation

More information

Radius, LDAP, Radius, Kerberos used in Authenticating Users

Radius, LDAP, Radius, Kerberos used in Authenticating Users CSCD 303 Lecture 5 Fall 2018 Radius, LDAP, Radius, Kerberos used in Authenticating Users Kerberos Authentication and Authorization Previously Said that identification, authentication and authorization

More information

CSCE 715: Network Systems Security

CSCE 715: Network Systems Security CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Next Topic in Cryptographic Tools Symmetric key encryption Asymmetric key encryption Hash functions and

More information

WiMax-based Handovers in Next Generation Networks

WiMax-based Handovers in Next Generation Networks WiMax-based Handovers in Next Generation Networks Nadine Akkari Department of Computer Science Faculty of Computing and Information Technology King Abdulaziz University, Saudi Arabia nakkari@kau.edu.sa

More information

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2010 Network Security: Broadcast and Multicast Tuomas Aura T-110.5240 Network security Aalto University, Nov-Dec 2010 Outline 1. Broadcast and multicast 2. Receiver access control (i.e. data confidentiality)

More information

Measurement and Analysis of One-Way Delays over IEEE e/WiBro Network

Measurement and Analysis of One-Way Delays over IEEE e/WiBro Network Measurement and Analysis of One-Way Delays over IEEE 82.16e/WiBro Network Dongmyoung Kim, Hua Cai, and Sunghyun Choi School of Electrical Engineering and INMC, Seoul National University, Seoul, Korea Samsung

More information

City Research Online. Permanent City Research Online URL:

City Research Online. Permanent City Research Online URL: Komninos, N. & Dimitriou, T. (2006). Adaptive authentication and key agreement mechanism for future cellular systems. Paper presented at the 15th IST Mobile & Wireless Communications Summit, 04-08 June

More information

1 FIVE STAGES OF I.

1 FIVE STAGES OF I. 1 1 FIVE STAGES OF 802.11I. Stage 1. AP and Security Capability Discovery This stage consists of messages numbered (1) to (3). The AP either periodically broadcasts its security capabilities, indicated

More information

Hughes Network Systems, LLC Hughes Crypto Kernel Firmware Version: FIPS Non-Proprietary Security Policy

Hughes Network Systems, LLC Hughes Crypto Kernel Firmware Version: FIPS Non-Proprietary Security Policy Hughes Network Systems, LLC Hughes Crypto Kernel Firmware Version: 3.1.0.4 FIPS 140-2 Non-Proprietary Security Policy FIPS Security Level: 1 Document Version: 0.5 Prepared for: Prepared by: Hughes Network

More information

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2011

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2011 Network Security: Broadcast and Multicast Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2011 Outline 1. Broadcast and multicast 2. Receiver access control (i.e. data confidentiality)

More information

Chapter 17. Wireless Network Security

Chapter 17. Wireless Network Security Chapter 17 Wireless Network Security IEEE 802.11 IEEE 802 committee for LAN standards IEEE 802.11 formed in 1990 s, to develop a protocol & transmission specifications for wireless LANs (WLANs) Demand

More information

Data Integrity. Modified by: Dr. Ramzi Saifan

Data Integrity. Modified by: Dr. Ramzi Saifan Data Integrity Modified by: Dr. Ramzi Saifan Encryption/Decryption Provides message confidentiality. Does it provide message authentication? 2 Message Authentication Bob receives a message m from Alice,

More information

Cross-Layer QoS Support in the IEEE Mesh Network

Cross-Layer QoS Support in the IEEE Mesh Network Cross-Layer QoS Support in the IEEE 802.16 Mesh Network Chun-Chuan Yang, Yi-Ting Mai and Liang-Chi Tsai Multimedia and Communications Laboratory Department of Computer Science and Information Engineering

More information

Analysis and Modeling of False Synchronizations in 3G- WLAN Integrated Networks

Analysis and Modeling of False Synchronizations in 3G- WLAN Integrated Networks Analysis and Modeling of False Synchronizations in 3G- WLAN Integrated Networks Christoforos Ntantogian 1, Christos Xenakis 1, Ioannis Stavrakakis 2 1 Department of Digital Systems, University of Piraeus,

More information

FAST INTER-AP HANDOFF USING PREDICTIVE AUTHENTICATION SCHEME IN A PUBLIC WIRELESS LAN

FAST INTER-AP HANDOFF USING PREDICTIVE AUTHENTICATION SCHEME IN A PUBLIC WIRELESS LAN FAST INTER-AP HANDOFF USING PREDICTIVE AUTHENTICATION SCHEME IN A PUBLIC WIRELESS LAN SANGHEON PACK AND YANGHEE CHOI School of Computer Science and Engineering, Seoul National University, Seoul, Korea

More information

IEEE Broadband Wireless Access Working Group < To prevent the loss of the PDUs at the serving BS during MAC hand-over.

IEEE Broadband Wireless Access Working Group <  To prevent the loss of the PDUs at the serving BS during MAC hand-over. 2004-11-04 IEEE C802.16e-04/456 Project Title IEEE 802.16 Broadband Wireless Access Working Group Seamless Mac Handover Date Submitted Source(s) Re: 2004-11-04 Min-Sung Kim, Yongjoo

More information

Pre-Authenticated Fast Handoff in a Public Wireless LAN Based on IEEE 802.1x Model 1

Pre-Authenticated Fast Handoff in a Public Wireless LAN Based on IEEE 802.1x Model 1 Pre-Authenticated Fast Handoff in a Public Wireless LAN Based on IEEE 802.1x Model 1 Sangheon Pack and Yanghee Choi School of Computer Science & Engineering, Seoul National University, Seoul, Korea Telephone:

More information

A Tightly-coupled Integration Scheme between WiBro and cdma2000 mobile networks

A Tightly-coupled Integration Scheme between WiBro and cdma2000 mobile networks A Tightly-coupled Integration Scheme between WiBro and cdma2000 mobile networks Hongsung Chang 1,YongChang 1, and Jinsung Cho 2 1 Telecommunication Network, SAMSUNG Electrnoics, Suwon 442-742, Korea {hschang7,yongchang}@samsung.com

More information

Using EAP-TLS with TLS 1.3 draft-mattsson-eap-tls IETF 101, EMU, MAR John Mattsson, MOHIT sethi

Using EAP-TLS with TLS 1.3 draft-mattsson-eap-tls IETF 101, EMU, MAR John Mattsson, MOHIT sethi Using EAP-TLS with TLS 1.3 draft-mattsson-eap-tls13-02 IETF 101, EMU, MAR 19 2018 John Mattsson, MOHIT sethi draft-mattsson-eap-tls13 EAP-TLS is widely supported for authentication in Wi-Fi. EAP-TLS is

More information

3GPP TSG SA WG3 Security SA3#33 S May 2004 Beijing, China

3GPP TSG SA WG3 Security SA3#33 S May 2004 Beijing, China 3GPP TSG SA WG3 Security SA3#33 S3-040337 10-14 May 2004 Beijing, China Source: Title: Nokia Shared key TLS usage within Ua interface Document for: Discussion and decision Agenda Item: GAA 1 Introduction

More information

Wireless Network Security Spring 2015

Wireless Network Security Spring 2015 Wireless Network Security Spring 2015 Patrick Tague Class #7 More WiFi Security 2015 Patrick Tague 1 Class #7 Continuation of WiFi security 2015 Patrick Tague 2 Device Private WiFi Networks AP Local AAA

More information

Communication and Distributed Systems Seminar on : LTE Security. By Anukriti Shrimal May 09, 2016

Communication and Distributed Systems Seminar on : LTE Security. By Anukriti Shrimal May 09, 2016 Communication and Distributed Systems Seminar on : LTE Security By Anukriti Shrimal May 09, 2016 LTE network with interfaces LTE Security 2 Contents LTE Security : Why, What, How EPS Architecture Design

More information

Comparison Studies between Pre-Shared and Public Key Exchange Mechanisms for Transport Layer Security

Comparison Studies between Pre-Shared and Public Key Exchange Mechanisms for Transport Layer Security Comparison Studies between Pre-Shared and Public Key Exchange Mechanisms for Transport Layer Security Fang-Chun Kuo, Hannes Tschofenig, Fabian Meyer and Xiaoming Fu Institute for Informatics, University

More information

TCP START-UP BEHAVIOR UNDER THE PROPORTIONAL FAIR SCHEDULING POLICY

TCP START-UP BEHAVIOR UNDER THE PROPORTIONAL FAIR SCHEDULING POLICY TCP START-UP BEHAVIOR UNDER THE PROPORTIONAL FAIR SCHEDULING POLICY J. H. CHOI,J.G.CHOI, AND C. YOO Department of Computer Science and Engineering Korea University Seoul, Korea E-mail: {jhchoi, hxy}@os.korea.ac.kr

More information

Multiple forgery attacks against Message Authentication Codes

Multiple forgery attacks against Message Authentication Codes Multiple forgery attacks against Message Authentication Codes David A. McGrew and Scott R. Fluhrer Cisco Systems, Inc. {mcgrew,sfluhrer}@cisco.com May 31, 2005 Abstract Some message authentication codes

More information

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis CS-435 spring semester 2016 Network Technology & Programming Laboratory University of Crete Computer Science Department Stefanos Papadakis & Manolis Spanakis CS-435 Lecture preview 802.11 Security IEEE

More information

Improved One-Pass IP Multimedia Subsystem Authentication for UMTS

Improved One-Pass IP Multimedia Subsystem Authentication for UMTS Improved One-Pass IP Multimedia Subsystem Authentication for UMTS Lili Gu RMIT University Melbourne, Australia l.gu@student.rmit.edu.au Abstract As defined in the 3GPP specifications, a UMTS user device

More information

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo Vendor: HP Exam Code: HP2-Z32 Exam Name: Implementing HP MSM Wireless Networks Version: Demo QUESTION 1 A network administrator deploys several HP MSM APs and an HP MSM Controller. The APs discover the

More information

Fast Re-authentication for Handovers in Wireless Communication Networks

Fast Re-authentication for Handovers in Wireless Communication Networks Fast Re-authentication for Handovers in Wireless Communication Networks Ralf Wienzek and Rajendra Persaud Chair of Informatik 4, RWTH Aachen University, Aachen, Germany {wienzek, persaud}@i4.informatik.rwth-aachen.de

More information

A Centralized Approaches for Location Management in Personal Communication Services Networks

A Centralized Approaches for Location Management in Personal Communication Services Networks A Centralized Approaches for Location Management in Personal Communication Services Networks Fahamida Firoze M. Tech. (CSE) Scholar, Deptt. Of CSE, Al Falah School of Engineering & Technology, Dhauj, Faridabad,

More information

show crypto group summary, page 1 show crypto ikev2-ikesa security-associations summary spi, page 2

show crypto group summary, page 1 show crypto ikev2-ikesa security-associations summary spi, page 2 This chapter includes the command output tables. group summary, page 1 ikev2-ikesa security-associations summary, page 2 ikev2-ikesa security-associations summary spi, page 2 ipsec security-associations,

More information

Security Setup CHAPTER

Security Setup CHAPTER CHAPTER 8 This chapter describes how to set up your bridge s security features. This chapter contains the following sections: Security Overview, page 8-2 Setting Up WEP, page 8-7 Enabling Additional WEP

More information

A Modified DRR-Based Non-real-time Service Scheduling Scheme in Wireless Metropolitan Networks

A Modified DRR-Based Non-real-time Service Scheduling Scheme in Wireless Metropolitan Networks A Modified DRR-Based Non-real-time Service Scheduling Scheme in Wireless Metropolitan Networks Han-Sheng Chuang 1, Liang-Teh Lee 1 and Chen-Feng Wu 2 1 Department of Computer Science and Engineering, Tatung

More information

Summary on Crypto Primitives and Protocols

Summary on Crypto Primitives and Protocols Summary on Crypto Primitives and Protocols Levente Buttyán CrySyS Lab, BME www.crysys.hu 2015 Levente Buttyán Basic model of cryptography sender key data ENCODING attacker e.g.: message spatial distance

More information

IEEE Broadband Wireless Access Working Group < Accept the proposed specification changes on IEEE P802.

IEEE Broadband Wireless Access Working Group <  Accept the proposed specification changes on IEEE P802. Project Title IEEE 802.6 Broadband Wireless Access Working Group TEK generation and update for Handover Date Submitted Source(s) Re: 2008-03-7 Kyeong-Tae Do Eun-Sun Jung Geunhwi

More information

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005 Firewalls Lecture 33 Security April 15, 2005 Idea: separate local network from the Internet Trusted hosts and networks Intranet Firewall DMZ Router Demilitarized Zone: publicly accessible servers and networks

More information

Message Authentication Codes and Cryptographic Hash Functions

Message Authentication Codes and Cryptographic Hash Functions Message Authentication Codes and Cryptographic Hash Functions Readings Sections 2.6, 4.3, 5.1, 5.2, 5.4, 5.6, 5.7 1 Secret Key Cryptography: Insecure Channels and Media Confidentiality Using a secret key

More information

Secure Initial Access Authentication in WLAN

Secure Initial Access Authentication in WLAN International Journal of Information & Computation Technology. ISSN 0974-2239 Volume 4, Number 13 (2014), pp. 1299-1303 International Research Publications House http://www. irphouse.com Secure Initial

More information