Broadband Wireless: WiMax Industry (Part One of Three)
- Language: English
- 33 Pages
- Published: December 2006
- Region: World
Data security has become a major issue in most network protocols because of the increasing importance of information. As a result, different security protocols were designed and deployed with network standards in order to add security. This publication addresses the security protocols defined by one of the modern wireless communication standards, Broadband Wireless Access, commonly known as WiMAX, a fast-evolving technology used to form wide-range wireless networks with dramatically high data transfer rates.
WiMAX opens the door to thousands of applications that make use of the solid wireless backbone to connect people together. With the high data rate, applications will include video transfer, voice calls, and many other services. All of these applications will require a solid, secure medium to operate and exchange information safely. This is what the IEEE decided to add to both versions of the WiMAX standard, fixed and mobile broadband wireless access. This publication contains information about the security schemes defined by the IEEE, including authorization, data authentication and data security. It covers these topics from the implementation point of view, describing how those different types of protocols are implemented in a WiMAX subscriber/base station system.
Abstract
Table of Contents
Copyright 2007
Introduction
WiMAX Security sublayer
Architecture
PKM Protocol
PKM version 1
Introduction
Authentication
Security Associations Management
Types of Security associations
Primary Security Association
Static Security Association
Dynamic Security Association
Security capabilities (Cryptographic Suite)
Security Capabilities Selection Process
Data Encryption Algorithms
Data Authentication Algorithms
TEK Encryption Algorithms
Authorization Key Management
Authorization Key Generation
Authorization Key Transfer
Authorization Key State Machine
Traffic Encryption Keys Management
PKM version 2
Introduction
Authentication
RSA-based Authorization
EAP-Based Authentication
Security Associations Management
Unicast Security Associations (SA)
Multicast Security Associations (GSA)
Multicast Broadcast Group Security Associations (MBSGSA)
SA TEK 3Way Handshake Process
Handover
Authorization Key Management
AK in case of RSA-based authorization
AK in case of EAP-based authentication
AK in case of EAP-based Authentication after RSA-based authorization
AK in case of EAP-based authentication after EAP-based authentication
Traffic Encryption Keys Management
Traffic Encryption Key (TEK)
Group Traffic Encryption Key (GTEK)
Group Key Encryption Key (GKEK) derivation
Key Update Command
MBS Traffic Key (MTK)
WiMAX Cryptography
Introduction
Traffic Encryption Algorithms
Data encryption with DES in CBC mode
DES Keys
Data encryption with AES in CCM mode
PDU payload format
PN (Packet Number)
Data encryption with AES in CTR mode
Encrypted MBS PDU payload format
Data encryption with AES in CBC mode
CBC IV generation
Data Authentication Algorithms
TEK Encryption Algorithms
Encryption of TEK with 3-DES
Encryption of TEK with RSA
Encryption of TEK-128 with AES
Encryption of TEK-128 with AES Key Wrap
HMAC-Digests
HMAC authentication keys
Cipher-based MAC (CMAC) digests
Calculation of CMAC Value
Key Encryption Keys (KEKs)
PKMv1 KEKs
AES KEKs in PKMv2
Encryption of GKEK in PKMv2
Encryption of GKEK with 3-DES in PKMv2
Encryption of GKEK with RSA in PKMv2
Encryption of GKEK with ECB mode AES in PKMv2
Encryption of GKEK with AES Key Wrap in PKMv2
X.509 Digital Certificate
Introduction
X.509 Digital Certificate and 802.16 standard
Importance of X.509 Digital Certificate in Wireless Networks
VeriSign® X.509 Digital Certificates
X.509 signature and Verification
Public-key encryption of AK
RSA Cryptography
RSA Usage in IEEE 802.16 standard
References
| Format | Properties | License |
|---|---|---|
| Electronic (PDF) | The report will be emailed to you. The report is sent in PDF format. | This is a single user license, allowing one specific user access to the product. |
| Enterprisewide | The report will be emailed to you. The report is sent in PDF format. | This is an enterprise license, allowing all employees within your organisation access to the product. |