Overview of WiMAX security

Mohammed El-Gammal
CSEP 59!"
A#stract
This paper examines the security architecture and threats model for IEEE 802.16
broadband wireless access. When possible we contrast IEEE 802.16 to 802.11 standards
threats models to hihliht similarities and differences between the two standards.
$%troductio%
The IEEE 802.16 standard was oriinally desined to address the !last mile" problem.
The standard wor#in roup has souht to a$oid desin mista#es in the security of 802.11
standards by relyin on pre%existin standards from another !last mile" technoloy
&'()I) *&ata '$er (able )er$ice Interface )pecifications+. )ince &'()I) was
desined for cable networ#s, a wired technoloy, while 802.16 is wireless- early $ersions
of 802.16 suffered from serious wea#ness in their security model as a result of that.
Overview of $EEE &'()*
Wi./0, short for Worldwide Interoperability for .icrowa$e /ccess, is the name for
802.16 family of wireless ser$ices. Wi./0 is aimed at carriers for use in metropolitan
area networ#s. It has a tremendous rane, up to 10 miles, and speeds of up to 20 .bps.
The table below summaries the most important fla$ors of 802.16 standards- and their
capabilities.

Standard
name
Date
Published
Frequency Goals Security
802.16 /pr 2002 10%66 345 'riinal standard, line
of siht, fixed%fixed
point wireless
802.16a 6an 2001 2%11 345 /dded non line of siht
extension. 7ow
supplanted by the
802.16d $ariant
802.16d 6un 2008 2%11 345
10%66 345
supports fixed and
nomadic access in 9ine
1&E) for /:
&E) for TE:
1
Standard
name
Date
Published
Frequency Goals Security
of )iht and 7on 9ine
of )iht en$ironments
0.;0<
802.16e =eb 2006 2%6 345 'ptimi5ed for dynamic
mobile radio channels,
pro$ides support for
handoffs and roamin
/E)%((.
/s the table abo$e shows, the standards went throuh many phases of e$olution, it started
as a line of siht, last mile fixed%to%fixed point, it e$ol$ed to near line of siht fixed%to%
fixed point, then to near line of siht roamin friendly standard. This e$olution becomes
important as we consider the security of this standard.
$EEE &'()* security al+ha#et sou+
BS >ase station
SS )ubscriber station
SA )ecurity association?context
SAD )/ identification
P!" @ri$acy and #ey manaement protocol
!#! :ey encryption #ey
$#! Traffic encryption #ey
A! /uthori5ation :ey
$EEE &'()* security architecture
The security architecture of IEEE 802.16 is comprised of fi$e componentsA
1. Security associations B a context to maintain the security state rele$ant to a
connection between a base station *>)+ and a subscriber station *))+.
2. %erti&icate 'ro&ile B 0.;0< to identify communication parties to each other
1. P!" authori(ation B authori5ation protocol to distribute an authori5ation to#en to
an authori5ed )).
8. Pri)acy and *ey mana+ement B a protocol to re#ey the )/
;. #ncry'tion B payload field encryption usin &E)%(>( in 802.16d, &E)%(>( and
/E)%((. in 802.16e
We will loo# into the architecture of each of these components- discuss how they are used
and how they interact with each other.
Security associations,
2
The role of security associations *)/+ is to maintain the security state?context rele$ant to
a connection- it operates at ./( layer B layer 2 of the networ# stac#. There are two )/
types in 802.16, data )/ and authori5ation )/. The authori5ation )/ consists ofA
/n 0.;0< certificate identifyin the ))
/ 160%bit authori5ation #ey */:+ B the desin assumes that both )) and >)
maintain /: a secret
/n /: lifetime B from one to 20 days
/ #ey encryption #ey, :E:
1
, used in distributin the TE:s
/ downlin# and uplin# 4./( #ey pro$idin data authenticity of #ey distribution
from >) to )), and from )) to >)
/ list of authori5ed data )/s
The standard explicitly defines the data )/. The data )/ has the followin fieldsA
)/ identifier )/I&,
The crypto alorithms supported by the >) to protect data exchane o$er the
connection. The standard reCuires &E)%(>( mode, howe$er the desin is
extensible. Their ha$e been se$eral proposal to incorporates other alorithms e..
/E) will be supported in 802.16e $ersion of the standard,
Two traffic encryption #eys *TE:+,
/ TE: lifetime B default is half day, with minimum of 10 mins, and max of se$en
days,
/ initiali5ation $ector for each TE:
To support multicast, the standard lets many connections I&s share an )/. Therefore a
fixed )) typically has two or three )/s B three in the case of multicast.
%erti&icate 'ro&ile,
The standard uses 0.;0<$1 certificates to identify communicatin parties. The standard
defines two certificate typesA manufacture certificates and )) certificates. The
manufacture certificate identifies the manufacture of 802.16 de$ice *networ# card, base
station,Detc.+. The certificate has the followin formatA
0.;0<$1
)erial number
Issuer name
IssuerEs sinature alorithmB F)/ with )4/1
Galidity period
4olderEs identity B in the case of )) its ./( address
4olderEs public #ey B restricted to F)/
)ubHect sinature alorithm B identical to the issuer alorithm
1
The :E: is calculated usin first 128%bits of )4/1**/: I 0
88
+ J ;1
68
+
1
Issuers sinature
/n )) certificate identifies the subscriber station and includes its ./( address in the
subHect field. .anufacturers typically create and sin )) certificates. The desin assumes
the )) maintains the pri$ate #ey correspondin to its public #ey in sealed tamper resistant
storaes.
$he 'ri)acy and *ey mana+ement -P!". authori(ation,
The @:. authori5ation protocol is used to distribute an authori5ation #eys to an
authori5ed )). This step in$ol$es three messaes exchanes.
.essae 1A PKM-REQ: Auth info
)) {Manufacturer-Cert} >) % >) uses it to decide if )) is a trusted de$ice
.essae 2A PKM-REQ: Auth req
)) {(SS-cert, Capabilitie, SA!"} >)
.essae 1A PKM-RSP: Auth repl#
>) {{AK}RSA public $e# of SS, $e#-lifeti%e, $e#-eq nu%ber, SA!" lit, SA-&#pe} ))
The )) uses its F)/ pri$ate #ey to retrie$e the /:. (orrect use of the /: demonstrates
authori5ation to access the networ#.
$he 'ri)acy and *ey mana+ement -P!". 'rotocol,
'nce authori5ed to the networ#, the )) can now establish a data )/ between it and the
>), for that it aain uses the @:. protocol. The phase can ha$e two or three messae
exchanes.
.essae 1A PKM-REQ: $e# requet
>) {AK Seq 'u%ber, SA!", (MAC(AK)o*nlin$, Ke# eq nu%ber I SA!"+} ))
>) ne$er uses messae 1 unless it wants to re#ey a data )/ or create a new )/. The
4./( $alue ties the new )/I& to /: used in the exchane.
.essae 2A PKM-REQ: $e# requet
)) {AK Seq 'u%ber, SA!", (MAC(AKuplin$, Ke# eq nu%ber I SA!"+} >)
)) uses messae 2 to reCuest )/ parameters. The )/I& has to be one from the )/I& list
in the authori5ation protocol or messae 1.
.essae 1A PKM-RSP: $e# repl#
>) KAK eq nu%ber, SA!", &EK para%eter (ol)er+, &EK, $e#-lifti%e, AK eq nu%ber,
C,C-!-, &EK-para%eter(ne*er+, &EK, Ke#-lifeti%e, AK q nu%ber, C,C-!-, (MAC-
)i.etL:E: ))
8
The old TE: $alue reiterates the acti$e )/ parameter, while the new TE: describes the
new TE: to use when the old one expires. It is noteworthy that the @:. protocol is one
side authentication from the >) side, there is no comparable authentication from the ))
side.
#ncry'tion
>y default the 802.16d standard supports &E)%(>( encryption operatin o$er the
payload field of the ./( protocol data unit. 7either the ./( header nor the pac#et
(F( is encrypted. It is noteworthy that the 802.16d $ersion of the standard doesnEt
pro$ide any means for data authenticity.
!he P,M +rotocol i% actio%
The reistration of a subscriber station on the networ# in$ol$es the followin stepsA
;
P!" authori(ation in 802.16d
6
!hreat A%alysis for &'()*
In section we examine threat model for 802.16 standards- we focus on the 802.16d
$ersion of the standard, and when possible we will contrast them to threats to 802.11 to
hihlihts lessons learned.
Physical layer attac*s,
/s noted abo$e the security of 802.16 is implemented at the bottom of layer 2 of the
networ# stac#, this lea$es the physical layer of the networ# unprotected. /s most radio
networ#s usin narrow bandwidth, 802.16 is susceptible to Hammin and &o) attac#s. /n
attac#er can use a probably confiured radio station to mount either continuous or
intermittent Hammin attac#s on the radio spectrum. This type of attac# is also possible in
802.11 standards, althouh the $ulnerability and potential damae is much hiher in
W./7. There are se$eral options to dealin with Hammin attac#s, increasin the power
of sinals by usin hih ain transmission antennas or increasin the bandwidth by usin
spreadin techniCues B e.. freCuency hoppin. 4owe$er, it seems that the desiners of
stranded ha$e opted, at least for now, to lea$e dealin with these #ind of attac#s to law
enforcement aencies.
"A% /ayer attac*s,
/lthouh physical layer attac#s are possible they miht pro$e to be the least important
type of attac#s on 802.16 networ#s. ./( layer attac#s on the other hand can be more
serious, and can cause more damae to users and ser$ice pro$iders. We consider here
some of these attac#sA
Replay attacks B as noted abo$e 802.16 authentication wor#s in one direction, base
station authenticatin subscriber stations, this desin lea$es clients $ulnerable to replay
attac#s. )ince 802.16 supports near line of siht operation, a well positioned attac#er can
act as a man in middle between a base station and a number of subscribers, by
confiurin a roue base station *>)+ to imitate a leitimate >). This type of attac# is a
well #nown threat in 802.11 networ#s
1
, althouh it will be harder to mount on 802.16
because the time di$ision multiple access model, but it not impossible. /s part of the
de$elopment of 802.16e there were se$eral proposals to reCuire mutual authentication
which would ma#e this type of attac#s more difficult to mount
2
.
Authentication Key (AK) weaknesses % The authentication #ey has se$eral wea#nesses-
for start the standard doesnEt impose reCuirements on the randomness of eneratin the
#ey
3
, it assumes uniform distribution o$er the 160%bits for the #ey, this assumption lea$es
the door open for different implementation from different manufactures which could lead
to less than random #eys. )ince the #ey is entirely enerated by the >), with no input
from the )), this puts the burden on the >) random enerator to be perfect- if the random
number enerator has any #ind of bias the result will be reducin the #ey space for the
/:s, which in turn could compromise subseCuent TE:s for all )) connectin to the
same >). =inally, the protocol assumes a one%to%one relation between a subscriber station
./( address and the public?pri$ate #ey pair certified to use by that )). This can cause
problems for public access machines- if an attac#er can obtain the pri$ate #ey for a public
2
access machine they can easily retrie$e the /: for subseCuent accesses from the same
machine, allowin them to snoop all the traffic from that machine.
Traffic Encryption Keys (TEK) weaknesses

% /s noted abo$e the traffic encryption #eys
*TE:s+ are re#eyable. The space for re#eyin is 2%bits wide, causin the TE:s to wrap
e$ery forth re#eyin. This limited #eyin space and the use of seCuence number instead
of F73 ma#e the protocol more $ulnerable to replay attac#s. The TE: also suffers from
the lac# of clear definition of Mran)o%neE that the /: suffers from.
Data packets encryption weaknesses - The TE: protected data pac#ets suffer from a
couple of wea#nesses. =irst, TE: are ;6%bit &E) #eys, ma#in the data pac#ets less
secure than /E) protected pac#ets. The ./( header of the pac#ets is not ciphered to
allow for easier routin, howe$er, the ./( header should ha$e been included in interity
protected parts of the data pac#et to uarantee data authenticity- instead, the 2001 $ersion
of the standard states that !data authentication is not currently defined
8
". =inally, TE:
encryption protects aainst read%only attac#s, which lea$es the data pac#ets unprotected
aainst replay attac#s, e$en when the attac#er doesnEt ha$e the #ey. It is interestin to
note that 802.11b WE@ suffers from some if not all of these wea#nesses.
X.50 certification is li!itin" B The standard defines a sinle manufacturer credential
based on 0.;0<, this will pro$ed to limitin in practical use. The standard is also silent on
how to handle re$ocation of certificate in case the pri$ate #ey is compromised. It is
ob$ious that the certification model assumes cable modem and &)9 models.
Com+ariso% to &'())
In this section we will try to summaries the security features of different important
fla$ors of IEEE 802.11 and 802.16
Security
&eature
802.11b 802.11i 802.16d 802.16e
Authentication WE@ E/@ 0.;0< one way @:.$2
E/@ *optional+
Data
#ncry'tion
7one
WE@
W@/
/E)
&E)%(>( &E(%(>(
/E)%((.
Data inte+rity 7o NE) 7o Nes
;
Physical layer
de&ense
7o 7o 7o 7o
Co%clusio%
The first incarnations of Wi./0, exemplified in IEEE 802.16d, pro$ed to be more
secure than the early $ersions of 802.11. They included an authentication protocol, @:.,
which is separated from the data encryption?decryption protocol B usinf a common
protocol?#ey was a serious flaw in 802.11b, and they included a more secure data
8
encryption alorithm. Onfortunately, the encryption alorithm t used, i.e. &E), is wea#er
than the state of the art, and data interity was not i$en enouh attention.
The most recent incantation of Wi./0, IEEE 802.16e fixed many of the problems the
security community hihlihted in 802.16d, by addin data interity mechanisms, mutual
authentication, and /E)%((. for data pac#ets encryptions. 4owe$er, i$en how new the
standard is %% it was published =eb 2006 %% it remains to be seen how secure it will pro$e
to be in practice.
-efere%ces
<
1
Ernest and Noun, the necessity of roue wireless de$ice detection, paper 2008
2
IEEE )td 802.16e%200; published =eb 28, 2006
1
6ohnson and Wal#er M'$er$iew of 802.16 securityE IEEE security and pri$acy 2008
8
IEEE 802.16%2001, published /pr 8, 2002
;
.ichel >arbeau, Wi.ax?802.16 Threat /nalysis