1

Wimax Security

Presented By : Esmaeil Zarrinfar zarrinfar@gmail.com

2

What is Wimax? Wireless Network Standard Wimax History Wimax Architecture

Wimax Security Architecture Security Sub Layer Security Mechanisms

Wimax Security Issue Reference

Topic

3

Wireless PAN

IEEE 802.15

Bluetooth&

ZigBee

Wireless Lan

IEEE 802.11

Wi-Fi(Wireless Fidelity)

Wireless MAN

IEEE 802.16

Wimax ( WorldWide

Interoperability For Microwave Access )

Wireless Network Standard

استانداردهاي تجهيزات بيسيم

Also known Low Rate Wireless PAN Properties:• Data Rate Maximum 250 Kbps• Range 10 to 100 Meters• Low Cost• Low power consumption• Frequency 2.4 GHz• ZigBee Next Generation Of

Bluetooth

4

Wireless PAN

5

Also known WLAN or WiFi Properties: • 802.11 Protocol kind :

a,b,g,n,ac,ad,af,ah• Data Rate Maximum 6.75 Gbps in

802.11ad• Range indoor from 20 to 60 meters• Range outdoor from 100 to 1000

meters• High Cost• Frequency 2.4 , 3.6 , 5 ,60 GHz

Wireless LAN

6

Wimax Standard History

IEEE 802.16 (2001) Frequency 10 – 66 GHZ (Line-of-Sight) Base Wimax

IEEE 802.16d (July 2004) Fixed Wimax Data Rate 70 Mbps

IEEE 802.16e (2005) Mobile Wimax Data Rate 15 Mbps

IEEE 802.16m (2011 ) Also known as Wimax Release 2 or WirelessMAN-

Advanced Mobile & Fix Wimax Data Rate 100 Mbps for Mobile and 1 Gbps for Fix

7

Providing portable mobile broadband connectivity across cities and countries through a variety of devices.

Providing a wireless alternative to cable and Digital Subscriber Line (DSL) for far broadband access.

Providing data, telecommunications (VoIP) and IPTV services Providing

a source of Internet connectivity as part of a business continuity plan.

Wimax Uses

کاربردهاي وايمکس

8

Wimax Architecture

WiMax can provide two forms of wireless service: none-line-of-sight and line-of-sight.

WiMax system includes two main parts WiMax receiver and WiMax tower.

Wimax Receiver : Subscriber Station (SS) // ايستگاه مشترک Wimax Tower : Base Station (BS) // ايستگاه پايه

9

Two main layers: Medium Access Control (MAC) layer and Physical layer (PHY).

SAPs (Service Access Point) are interfacing points. Mac layer have three Sub Layer : Convergence , Common

Part , Security ( Privacy )

Wimax Architecture

WiMAXتوضيحات در رابطه به دو اليه موجود در معماري پروتکل

10

Convergence Sub-layer (CS) maps higher level data services to MAC layer service flows and connections.

There are two type of CS : ATM CS which is designed for ATM network and service. Packet CS which supports Ethernet, point-to-point protocol (PPP), both

IPv4 and IPv6 internet protocols, and virtual local area network (VLAN).

Common Part Sub-layer (CPS) defines the rules and mechanisms for system access, bandwidth allocation and connection management, uplink scheduling, bandwidth request and grant, connection control and automatic repeat request (ARQ)

Security Sub-layer lies between MAC CPS and PHY layer. This sub-layer is responsible for encryption and decryption of data traveling to and from the PHY layer, and it is also used for authentication and secure key exchange.

Wimax Architecture

معماري پروتکل MACتوضيحات در رابطه به سه زيراليه موجود در اليه WiMAX

11

BS : Base Station SS : Sub Scriber Station X.509 : Digital certificate serving AK : Authorization Key SAID : Security Association ID TEK : Transport Encryption Key KEK : Key Encryption Keys HMAC : Hashed Message

Authentication Code AAA : Authentication , Authorization

, Accounting

Terms

X.509 Certificate

12

Three main features of security are: Authentication Authorization Traffic Encryption

Authentication Technique: Privacy & Key Management Protocols (PKM) Rivest-Shamir-Adleman (RSA) Extensible Authentication Protocol (EAP)

Authorization Technique: Security Associations (SA’s) are used to authorize user. Authorization include request for Authentication Key

and SA-Identity in exchange for subscriber’s certificate, encryption algorithm and cryptographic ID.

Traffic Encryption Technique: All the traffic between Subscriber Station (SS) and Base

Station (BS) is encrypted with Traffic Encryption Key.

Wimax Security Architecture

13

Wimax Security StepsStep 1: Authentication And Authorization

Base Station (BS)SubScriber Station (SS)

Message1: ( X.509 Manufacturer Certificate)

Message2: ( X.509 Certificate , Security Capabilities , SAID)

Message3: (Authorization SA ,AK )

گام اول ارتباط: درخواست ارتباط از ايستگاه مشترک به ايستگاه پايه

14

Wimax Security StepsStep 2: Key Exchange

Base Station (BS)SubScriber Station (SS)

Message1: (SAID, HMAC (1))

Message2: (SAID, HMAC (2))

Message3: (SAID, OldTEK, NewTEK, HMAC (3))

گام دوم ارتباط: تبادل کليد مابين ايستگاه مشترک و ايستگاه پايه

AAA Server

15

Wimax Security StepsStep 3: Traffic Encryption

Base Station (BS) SubScriber Station (SS)

Data Encrypted With TEK

Data Encrypted With TEK

Data stream is encrypted with the TEK when travelling to or from BS. The data stream can be encrypted using:

DES AES

TEK is shared during Key Exchange process and is encrypted using KEK. It can be encrypted using: 3 DES RSA AES

گام سوم ارتباط: تبادل داده بين دو ايستگاه با استفاده از TEKرمزگذاري

16

WiMax/802.16 is vulnerable to physical layer attacks such as jamming and scrambling.

Jamming is reducing the channel capacity. Scrambling is a sort of jamming, but for

short intervals of time and targeted to specific frames or parts of frames.

Intercept the radio signals in air.

Wimax Security IssueIn PHY Layer

مشکالت امنيتي وايمکس : در اليه فيزيکيارسال پارازيت دائمي1)ارسال پارازيت موقت2)قطع سيگنال3)

17

The attacker will be attack the link during authentication or key exchange process.

Wimax Security IssueIn MAC Layer

Base Station (BS)

SubScriber Station (SS)

MAN-IN-Middle

Original Connection

New Connection

18

Authentication of the SS (Man-in-the-Middle and Forgery) SS authenticates itself through its certificate, however, the BS does not . Rogue BS could place himself between SS and real BS and try to force SS

to authenticate itself and initiate a session by transferring an AK (forgery attack).

The attacker can generate his own Authorization Reply Message containing a self-generated AK and thus gain control over the communication of the attacked SS.

Wimax Security IssueIn MAC Layer

مشکالت امنيتي در وايمکس در هنگام احراز هويت

19

Key Exchange Phase-Attacks Attacker can act as a false BS for subscriber and issue

self generated keys to take over communication Attacker can act as false subscriber to request to renew

the keys again.

Wimax Security IssueIn MAC Layer

مشکالت امنيتي در وايمکس در هنگام تبادل کليد

20

Replay and DoS Attack against SS The SS send Authentication Information Messages to transmit all

relevant information to the BS. The BS responds to the last message with an Authorization Reply

Message. The BS can fall victim to a replay attack by which the attacker

intercepts an Authorization Request Message from an authorized SS and stores it.

He will not be able to derive the AK from the Authorization Response Message (since he does not possess the associated private key), he can repeatedly send the message to the BS, burdening the BS with the effect that this declines the real/authentic SS. This is a Denial-of-Service-Attack against the SS.

Wimax Security Issue

مشکالت امنيتي در وايمکس در نوع حمالت انکار سرويس

21

Tao Han, Ning Zhang, Kaiming Liu, Bihua Tang, and Yuan'an Liu. Analysis of mobile wimax security: Vulnerabilities and solutions. 5th IEEE International Conference on Mobile Adhoc and Sensor Systems, Sep 2008. 

Evren Eren, "WiMAX Security Architecture - Analysis and Assessment" IEEE International Workshop on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications Dortmund, Germany 6-8 September 2007. 

Mahmoud Nasreldin, Heba Aslan, Magdy El-Hennawy, Adel El-Hennaey, "WiMAX Security", Proceedings of the 22nd International Conference on Advanced Information Networking and Applications, pp. 1335-1340, 2008. 

Reference