Analysis of Mobile WiMAX Security: Vulnerabilities and Solutions
Tao Han, Ning Zhang, Kaiming Liu, Bihua Tang, Yuan'an Liu
Key Lab. of Universal Wireless Communications, Ministry of Education (Beijing University of Posts and Telecommunications)

Abstract

In this paper, we first give an overview of the security architecture of the mobile WiMAX network. Then, we investigate man-in-the-middle attacks and Denial of Service (DoS) attacks toward the 802.16e-based Mobile WiMAX network. We find that the initial network procedure is not effectively secured, which makes man-in-the-middle and DoS attacks possible. In addition, we find that the resource saving and handover procedures are not secured enough to resist DoS attacks. Focusing on these two kinds of attacks, we propose the Secure Initial Network Entry Protocol (SINEP), based on the Diffie-Hellman (DH) key exchange protocol, to enhance the security level during network initialization. We modify the DH key exchange protocol to fit it into the mobile WiMAX network as well as to eliminate an existing weakness in the original DH key exchange protocol.

1. Introduction

IEEE 802.16e-based Mobile WiMAX is one of the most promising techniques for future communications. The Mobile WiMAX network model is shown in Figure 1. Test networks of Mobile WiMAX have already been established in several areas all over the world, and commercial services are planned in many countries.

[Figure 1. Mobile WiMAX network model [1]. Labels: NAP (Network Access Provider), ASN (Access Service Network), NSP (Network Service Provider), reference point R2.]

With the commercialization of Mobile WiMAX, its security scheme will be challenged by several kinds of attacks. However, few relevant papers tackle the security issues of the WiMAX network. David Johnston and Jesse Walker gave the most complete analysis of WiMAX security in [2], which focused on the problem of d. Starting from the analysis done in [2], several articles were published to cover the security issues of the IEEE family of standards.
Yang, in [3], introduces the EAP-TLS and RADIUS protocols in a way similar to IEEE i. In [4], Xu proposes nonces and timestamps to strengthen the PKM protocol, and introduces a secure roaming algorithm. With the amendment of the WiMAX standard, most of these vulnerabilities are solved.

The security issues of Mobile WiMAX have been analyzed by even fewer papers. Datta in [5] examined the 3-way TEK exchange and the authorization process in and did not find any vulnerability. In [6], Yuksel analyzed the key management protocol using protocol analysis software and could not detect any security leak. In [7], Kuo examined the Multi- and Broadcast Service (MBS) by applying a protocol analysis tool, and pointed out that the security of the MBS is based on a few parameters which need to be implemented properly for complete protection. In [8], T. Shon and W. Choi investigated the security leaks according to topology, and introduced the Diffie-Hellman key exchange protocol to secure the initial network entry process. This method protects important messages during the initial network process, but it cannot eliminate the man-in-the-middle vulnerabilities.

In this paper, we present an overview of the IEEE standard 802.16e protocol layers and security scheme. We focus on potential man-in-the-middle attacks and DoS attacks toward it. Then, we introduce SINEP to eliminate security leaks in the initial network process. SINEP is based on the Diffie-Hellman key exchange protocol. Our proposed protocol is partially based on [8]; however,
our work is different from [8] because we introduce a mutual authentication algorithm into the DH key exchange protocol to resist man-in-the-middle attacks.

The rest of the paper is organized as follows. In Section II, we give an overview of the protocol layers and security scheme of mobile WiMAX. In Section III, we present potential man-in-the-middle attacks and DoS attacks toward the network. In Section IV, we propose SINEP to enhance the security level in the initial network procedure, and in the last section, we close this paper.

2. WiMAX security scheme

2.1 Protocol layer

The IEEE standard consists of a protocol stack with well-defined interfaces. The scope of the protocol contains the MAC layer and the PHY layer. The MAC layer includes three sub-layers, shown in Figure 2: the Service Specific Convergence Sub-layer (MAC CS), the MAC Common Part Sub-layer (MAC CPS) and the Security Sub-layer.

[Figure 2. Protocol layering in. Labels: Scope of standard; Data/Control Plane; Management Plane; Service Specific Convergence Sub-layers; MAC Common Part Sub-layer; PHY Layer; a Management Entity beside each layer.]

The Service Specific Convergence Sub-layer (CS) maps higher-level data services to MAC layer service flows and connections. There are two types of CS: the ATM CS, which is designed for ATM networks and services, and the packet CS, which supports Ethernet, point-to-point protocol (PPP), both IPv4 and IPv6 internet protocols, and virtual local area network (VLAN).

The MAC Common Part Sub-layer (MAC CPS) is the core of the standard. The MAC CPS defines the rules and mechanisms for system access, bandwidth allocation and connection management. Functions like uplink scheduling, bandwidth request and grant, connection control, and automatic repeat request (ARQ) are also defined here. Communications between the CS and the MAC CPS are done through the MAC Service Access Point (MAC SAP).

The Security Sub-layer lies between the MAC CPS and the PHY layer.
This sub-layer is responsible for encryption and decryption of data traveling to and from the PHY layer, and it is also used for authentication and secure key exchange. This sub-layer is specified in detail in later paragraphs.

The PHY layer, targeted for operation in the GHz frequency band, is designed with a high degree of flexibility in order to allow service providers to optimize system deployments with respect to cell planning, cost, radio capabilities and services.

2.2 Security scheme

The Mobile WiMAX system based on the IEEE 802.16e-2005 amendment has more improved security features than the previous IEEE d-based WiMAX network system. Almost all the security issues in Mobile WiMAX are considered in the security sub-layer, and are shown in Figure 3.

[Figure 3. Security sub-layer. Blocks: RSA-based authentication; authentication / SA control; EAP encapsulation / decapsulation; PKM control management; traffic data encryption / authentication processing; control message processing; message authentication processing; PHY SAP.]

The security sub-layer encompasses three essential functions: authentication, authorization and encryption. We explain how these three functions perform as follows.

Authentication. Authentication is achieved using a public key interchange protocol that ensures not only authentication but also the establishment of encryption keys. 802.16e-based Mobile WiMAX defines the Privacy Key Management (PKM) protocol in the security sub-layer, which allows three types of authentication.

The first type is RSA (Rivest-Shamir-Adleman) based authentication. RSA-based authentication applies X.509 digital certificates together with RSA encryption. In this authentication mode, a BS authenticates the SS through its unique X.509 digital certificate, which has been issued by the SS manufacturer. The X.509 certificate contains the SS's Public Key (PK) and its MAC address. When requesting an Authorization Key (AK), the SS sends its digital certificate to the BS, and then the BS validates the
certificate, uses the verified Public Key (PK) to encrypt an AK and sends it back to the SS. All SSs that use RSA authentication have factory-installed private/public key pairs together with factory-installed X.509 certificates.

The second type is EAP (Extensible Authentication Protocol) based authentication. In the case of EAP-based authentication, the SS is authenticated by virtue of either a unique operator-issued credential, such as a SIM, or an X.509 certificate as described above. The operator's choice of EAP type determines the authentication method. There are three types of EAP: the first type is EAP-AKA (Authentication and Key Agreement) for SIM-based authentication; the second type is EAP-TLS (Transport Layer Security) for X.509-based authentication; the third type is EAP-TTLS (Tunneled Transport Layer Security) for MS-CHAPv2 (Microsoft-Challenge Handshake Authentication Protocol).

The third type is RSA-based authentication followed by EAP authentication.

Authorization. Following authentication is the authorization process. In this process, the SS requests an AK as well as a Security Association (SA) identity (SAID) from the BS. The Authorization Request message includes the SS's X.509 certificate, encryption algorithms and cryptographic ID. In response, the BS interacts with an AAA (Authentication, Authorization and Accounting) server in the network to carry out the necessary validation and sends back an Authorization Reply that contains the AK encrypted with the SS's public key, a lifetime key and an SAID.

Traffic encryption. The previous authentication and authorization process results in the assignment of an Authorization Key, which is 160 bits long. The Key Encryption Key (KEK) is derived directly from the AK and is 128 bits long. The KEK is not used for encrypting traffic data, so the SS requires the Traffic Encryption Key (TEK) from the BS.
The TEK is generated as a random number in the BS, using the TEK encryption algorithm where the KEK is used as the encryption key. The TEK is then used for encrypting the data traffic.

3. Vulnerabilities analysis

We analyze the vulnerabilities contained in Mobile WiMAX in this section. According to the different aspects of attacks, we categorize the weaknesses found in the protocol into two kinds: man-in-the-middle vulnerabilities and DoS vulnerabilities. The following parts of this section analyze these vulnerabilities in detail.

3.1 Man-in-the-middle vulnerabilities

A man-in-the-middle attack is one in which the attacker intercepts messages during the process of communication establishment or a public key exchange and then retransmits them, tampering with the information contained in the messages, so that the two original parties still appear to be communicating with each other. In a man-in-the-middle attack, the intruder uses a program that appears to be the access point (AP) to the SS and appears to be the SS to the AP.

We focus our analysis on the Point to Multi-Point (PMP) topology. In PMP mode, the BS is the central node that dynamically allocates radio resources for the SS. Downlink and uplink are separate resources mapped to different frequencies or time slots depending on the chosen physical layer. The BS is the only node that can use the downlink channel, while the SS can only transmit in the uplink channel.

Initial network entry contains four processes: the initial Ranging process, the SS Basic Capability (SBC) negotiation process, the PKM authentication process, and the registration process. Initial network entry is the most security-sensitive process in the Mobile WiMAX network, not only because it is the first gate to establish a connection to the network, but also because many physical parameters, performance factors, and security contexts between the SS and the serving BS are determined during this process. The initial network process and SS Basic Capability negotiation are illustrated in Figure 4.

[Figure 4. Initial network entry procedure. Messages exchanged between SS and BS: UL-MAC (Initial Ranging Codes); Selected Ranging Code; RNG-REQ; SBC-REQ (Security Negotiation Parameters); SBC-RSP.]

However, the Mobile WiMAX standard fails to provide any security mechanism to keep the SBC negotiation parameters confidential. Thus, there exists the possibility that, by intercepting and capturing messages in this entry procedure, an attacker camouflages himself as the legitimate SS and sends a tampered SBC-RSP message to the serving BS while interrupting the
legitimate SS's communication with the legitimate BS, as shown in Figure 5. The spoofed message may contain false information about the security capabilities of the legitimate SS. For instance, the attacker may send messages to inform the BS that the SS only supports low security capabilities or has no security capabilities. In this situation, if the BS supports this kind of SS, the communication between the SS and the serving BS will not be encrypted. As a result, the attackers could wiretap and tamper with all the information transmitted.

[Figure 5. DoS attack. Surviving label: Legitimate BS.]

3.2 DoS vulnerabilities

A Denial of Service (DoS) attack is an incident in which a subscriber is deprived of the service of a resource they would normally expect to have. A considerable number of denial of service attacks are carried out across the Internet by flooding the propagation medium with noise and forged messages. The victim is overwhelmed by the sheer volume of traffic, with either its network bandwidth or its computing power exhausted by the flood of information.

Almost all the DoS vulnerabilities in the Mobile WiMAX standard are due to unauthenticated or unencrypted management messages. We discuss these vulnerabilities in three processes: the initial network process, the resource saving process and the handover process.

Initial Network Process. In the initial network process as shown in Fig. 3, the Ranging Request (RNG-REQ) message is sent by an SS seeking to join a network. The message announces the SS's presence and is a request for transmission timing, power, frequency and burst profile information. The BS responds to the SS request using a Ranging Response message. This message consists of important information, such as ranging status, time adjust information and power adjust information. However, the message is neither encrypted nor authenticated, and it is stateless. An attacker could take advantage of this leak to implement a DoS attack, because the SS's actions could be directed by any validly formatted message that is addressed to it. For example, attackers could spoof unsolicited messages with the Ranging Status field set to a value of 2, which corresponds to "abort". When receiving this message, the victim SS aborts all transmission and re-initializes its MAC. This attack is shown in Figure 6.

[Figure 6. DoS attack. Flowchart labels: Operational; Ranging status code?; Abort message with status code = abort; ERROR: Re-initialize MAC.]

Resource Saving Process. Mobile WiMAX introduces sleep mode to minimize the SS's power usage and decrease usage of BS air interface resources. Sleep mode is a state in which an SS conducts pre-negotiated periods of absence from the BS air interface. These periods are characterized by the unavailability of the SS. Implementation of sleep mode is optional for the SS and mandatory for the BS. Since the messages communicated in this process are not authenticated, we find two potential DoS attacks, detailed as follows.

On the one hand, the SS can set the sleep mode in the bandwidth request and uplink sleep control messages, which are not authenticated. The attacker can send the bandwidth request and uplink sleep control message with the identifier of the victim SS. As a result, the BS will stop transmitting messages to that SS, which amounts to a DoS attack.

On the other hand, the BS can also send a Traffic Indication Message to a sleeping SS to notify it that there is traffic destined for it. Accordingly, the SS is woken up from sleep mode. An adversary could generate this message to frequently wake up MSs and exhaust the victim SS's battery. Then the victim cannot communicate with others until it recharges its battery, which again amounts to a DoS attack.

Handover Process. Mobile WiMAX supports mobility, and the mobile SS can hand over between BSs while communicating. Thus, a BS that supports mobile functionality shall be capable of sending a neighbor advertisement management message at a periodic interval to identify
the network and define the characteristics of neighbor BSs to a potential SS that is seeking handover possibilities. This message is crucial for the service continuity of the SS; unfortunately, it is unauthenticated too. The attacker may exploit this leak to forge a neighbor advertisement management message in which the information about the victim SS's neighbor BS is omitted. Thus, the attacker can successfully prevent the SS from handing over to that BS. As a result, the victim SS's service quality decreases gradually while it moves away from the serving BS, and finally it will be out of service.

4. Solution and improvement

With a close examination of man-in-the-middle attacks and DoS attacks toward mobile WiMAX, we find that if the network entry procedure is well secured, these two kinds of attacks would be largely prevented and the security level of the network would be enhanced. Thus, we propose SINEP to secure the initial network procedure in the following paragraphs.

The network entry procedure is prior to authentication and key negotiation, and much significant information is exchanged during this procedure. However, there are no appropriate methods to protect these messages. In order to eliminate the security vulnerabilities during initial network entry, we introduce SINEP, based on the Diffie-Hellman (DH) key exchange protocol. DH key agreement is a key management method to share an encryption key using global variables known as the prime number $p$ and $r$, where $r$ is a primitive root of $p$. The DH key exchange protocol is described as follows:

Step one: SS → BS: $r^X \bmod p$
Step two: BS → SS: $r^Y \bmod p$

Figure 7. DH key exchange protocol

$X$ is the private key of the SS, and $Y$ is the private key of the BS. The SS's public key is $PK_{SS} = r^X \bmod p$, and the BS's public key is $PK_{BS} = r^Y \bmod p$.
Then, both SS and BS can derive the shared private key through the following equation:

$$K_{share} = (PK_{BS})^X \bmod p = (r^Y \bmod p)^X \bmod p = r^{YX} \bmod p = (r^X)^Y \bmod p = (r^X \bmod p)^Y \bmod p = (PK_{SS})^Y \bmod p \qquad (1)$$

After this process, SS and BS share the private key $K_{share}$. Applying the DH key exchange protocol could effectively resist DoS attacks during the initial network entry procedure, since the shared private key $K_{share}$ could be used to encrypt security-sensitive messages in this procedure. However, the original DH key exchange protocol cannot prevent man-in-the-middle attacks, since it provides no identity authentication. A simple man-in-the-middle attack toward this protocol is described in Figure 8.

Step one: SS → ES: $r^X \bmod p$
Step two: ES → BS: $r^Z \bmod p$
Step three: BS → ES: $r^Y \bmod p$
Step four: ES → SS: $r^Z \bmod p$

Figure 8. Man-in-the-middle attack toward DH

The victim SS's public key $PK_{SS}$ is captured by the Evil Station (ES). The ES camouflages itself as the SS and sends its own public key $PK_{ES}$ to the BS; the serving BS then sends back its public key $PK_{BS}$. At this time, the ES can establish a shared key with the BS. Finally, the ES sends its own public key $PK_{ES}$ to the victim SS and establishes a shared key with the SS. As a result, all the messages that the victim SS sends to the BS are relayed by the ES, and the encryption keys are known by the ES. Thus, the ES could eavesdrop on and tamper with all these messages.

To resist man-in-the-middle attacks in this procedure, we enhance the DH key exchange protocol by introducing identity authentication. First, we introduce some notation. $H(x)$ is a one-way function that generates a hash value from $x$. $a \| b$ means that $a$ and $b$ are cascaded. Then, we assume every SS has its own International Subscriber Station Identity (ISSI) and that, using this ISSI, the SS can generate a Temporary Subscriber Station Identity (TSSI). This TSSI is used in our protocol as the SS's identity. Further, we assume that the legitimate BS has the hash value $H(TSSI)$, which is generated from the SS's TSSI.
We use $H(TSSI)$ as an input parameter of the hash authentication function instead of using the TSSI directly because, in certain situations, one of the legitimate BSs may be captured by attackers; storing $H(TSSI)$ in the BS prevents attackers from obtaining the SS's TSSI. There are five steps in our protocol:

Step one: The SS alleges that it is a legitimate subscriber.
Step two: The BS sends a random number, $R_{BS}$, as a challenge to the SS.

Step three: The SS first calculates $H(TSSI)$, then cascades $H(TSSI)$, $R_{BS}$ and its public key $PK_{SS}$ as the inputs to generate the response to the BS's challenge, $H(H(TSSI) \| R_{BS} \| PK_{SS})$. At the end of this step, the SS sends the response, its public key and its own challenge, $R_{SS}$, to the BS.

Step four: The BS first calculates a hash value using the cascade of its stored $H(TSSI)$, $R_{BS}$ and $PK_{SS}$ as inputs and compares it with the SS's response to check whether the SS is legitimate. If the SS is not a legitimate subscriber, the BS ceases the communication. Otherwise, the BS calculates a hash value using the cascade of $H(TSSI)$, $R_{SS}$ and its public key $PK_{BS}$ as inputs and derives $H(H(TSSI) \| R_{SS} \| PK_{BS})$. Then, the BS sends the hash value and its own public key to the SS.

Step five: The SS checks the BS's identity using the response that it receives. If the BS is legitimate, the shared key is established and the SS continues to communicate with the BS; otherwise, the SS ceases the communication.

We formulate SINEP using our enhanced DH key exchange protocol. The secure initial network entry is shown in Figure 9.

[Figure 9. SINEP scheme. Messages exchanged between SS and BS: Service Request; UL-MAC (Initial Ranging Codes); Challenge $R_{BS}$; Selected Ranging Code; $(p, r)$, $PK_{SS}$, $H(H(TSSI) \| R_{BS} \| PK_{SS})$, $R_{SS}$; Connection Establishment.]

SINEP could not only successfully resist DoS attacks but also efficiently prevent man-in-the-middle attacks, since it provides mutual authentication. In addition, through this protocol, the SS can share a private key with the BS, and this key can encrypt the basic capabilities negotiation, which contains many important messages such as security capability and signal power. This protocol guarantees that no attacker could decrease the security capability of the network by modifying these important messages during the network initial process.

5. Conclusion

In this paper, we give an overview of the security scheme in IEEE based mobile WiMAX.
We investigate man-in-the-middle vulnerabilities and DoS vulnerabilities in the mobile WiMAX network, and we propose SINEP to enhance the security level during the initial network entry procedure. This protocol is based on the DH key exchange protocol, which we modify to fit mobile WiMAX. It is proved that SINEP could eliminate the possibility of man-in-the-middle attacks as well as resist DoS attacks toward mobile WiMAX.

6. References

[1] Airspan, "Mobile WiMAX security", Airspan Networks Inc. [Online]. Available:
[2] D. Johnston and J. Walker, "Overview of IEEE security", IEEE Security & Privacy, vol. 2, no. 3, pp , May/June
[3] F. Yang, H. Zhou, L. Zhang, and J. Feng, "An improved security scheme in wman based on ieee standard", in 2005 International Conference on Wireless Communications, Networking and Mobile Computing,
[4] S. Xu, M. M. Matthews, and C.-T. Huang, "Security issues in privacy and key management protocols of IEEE", in ACM Southeast Regional Conference, R. Menezes, Ed. ACM, 2006, pp
[5] A. Datta, C. He, and J. C. Mitchell, "802.16e Notes", Stanford University, CA, USA. [Online]. Available:
[6] E. Yuksel, "Analysis of the PKMv2 Protocol in IEEE e-2005 Using Static Analysis Informatics and Mathematical Modeling", TUD. [Online]. Available: p?id=5159
[7] Ju-Yi Kuo, "Analysis of e Multicast /Broadcast group privacy rekeying protocol", Stanford University, CA, USA. [Online]. Available: class/cs259/projects/projecto1/01-writeup.pdf
[8] Taeshik Shon and Wook Choi, "An Analysis of Mobile WiMAX Security: Vulnerabilities and Solutions", Lecture Notes in Computer Science, vol. 4658, pp , Aug
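
The five SINEP steps of Section 4, run against the Evil Station of Figure 8, as an added example that is not code from the paper. SHA-256 for H, the length-prefixed cascade, the toy group (P, R), the constructed TSSI and every class and function name are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters (assumption): P is the Mersenne prime 2**127 - 1
# and R = 3. They keep the demo short and are NOT a vetted DH group.
P = 2**127 - 1
R = 3


def H(*parts: bytes) -> bytes:
    """One-way function over the cascade a || b || c (SHA-256 is an assumption).
    Parts are length-prefixed so the cascade cannot be split ambiguously."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(2, "big") + part)
    return digest.digest()


def enc(n: int) -> bytes:
    """Fixed-width encoding of a public key (any value below P fits 16 bytes)."""
    return n.to_bytes(16, "big")


class Station:
    """One side of the exchange. The BS instance stores H(TSSI), never TSSI."""

    def __init__(self, h_tssi: bytes):
        self.h_tssi = h_tssi
        self.priv = secrets.randbelow(P - 3) + 2      # X or Y
        self.pub = pow(R, self.priv, P)               # PK = r^X mod p
        self.challenge = secrets.token_bytes(16)      # R_SS or R_BS

    def respond(self, peer_challenge: bytes) -> bytes:
        # H(H(TSSI) || R_peer || PK_own): binds the public key to the identity
        return H(self.h_tssi, peer_challenge, enc(self.pub))

    def accepts(self, peer_pub: int, peer_response: bytes) -> bool:
        expected = H(self.h_tssi, self.challenge, enc(peer_pub))
        return hmac.compare_digest(expected, peer_response)

    def k_share(self, peer_pub: int) -> int:
        return pow(peer_pub, self.priv, P)


class EvilStation:
    """Figure 8's ES: replaces relayed public keys with its own r^Z mod p."""

    def __init__(self, directions=("SS->BS", "BS->SS")):
        self.directions = directions
        self.priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(R, self.priv, P)

    def relay(self, direction: str, pub: int, response: bytes):
        # Without H(TSSI) the ES cannot recompute the response for its own key.
        return (self.pub if direction in self.directions else pub), response


def enroll(tssi: bytes = b"TSSI-constructed-0001"):
    """Return (SS, BS) provisioned for the same constructed TSSI."""
    h_tssi = H(tssi)
    return Station(h_tssi), Station(h_tssi)


def run_sinep(ss: Station, bs: Station, relay=None):
    """Steps two to five; `relay` models whatever sits in the radio path."""
    relay = relay or (lambda direction, pub, response: (pub, response))
    # Step two: BS -> SS carries the challenge R_BS (bs.challenge).
    # Step three: SS -> BS carries H(H(TSSI) || R_BS || PK_SS), PK_SS and R_SS.
    pk_ss, resp_ss = relay("SS->BS", ss.pub, ss.respond(bs.challenge))
    # Step four: BS checks the SS, then answers the SS's challenge.
    if not bs.accepts(pk_ss, resp_ss):
        return "BS ceased", None, None
    pk_bs, resp_bs = relay("BS->SS", bs.pub, bs.respond(ss.challenge))
    # Step five: SS checks the BS before using the shared key.
    if not ss.accepts(pk_bs, resp_bs):
        return "SS ceased", None, None
    return "established", ss.k_share(pk_bs), bs.k_share(pk_ss)


def plain_dh_under_mitm(ss: Station, bs: Station, es: EvilStation) -> bool:
    """Figure 7's unauthenticated DH with the ES in the path: True when the ES
    ends up holding the same key as each victim."""
    return (ss.k_share(es.pub) == pow(ss.pub, es.priv, P)
            and bs.k_share(es.pub) == pow(bs.pub, es.priv, P))


if __name__ == "__main__":
    print(run_sinep(*enroll())[0])
    print(run_sinep(*enroll(), EvilStation().relay)[0])
    print(run_sinep(*enroll(), EvilStation(("BS->SS",)).relay)[0])
    print(plain_dh_under_mitm(*enroll(), EvilStation()))
```

In this construction both responses depend only on H(TSSI), so the stored hash needs the same protection as a key wherever it is kept.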
Security Requirements for Wireless Networks and their Satisfaction in IEEE 802.11b and Bluetooth
Security Requirements for Wireless Networks and their Satisfaction in IEEE 802.11b and Bluetooth Henrich C. Poehls Master s Thesis M.Sc. in Information Security Information Security Group Royal Holloway,
Wireless LAN Security Mechanisms
Wireless LAN Security Mechanisms Jingan Xu, Andreas Mitschele-Thiel Technical University of Ilmenau, Integrated Hard- and Software Systems Group [email protected], [email protected] Abstract.
Network Security Fundamentals
APNIC elearning: Network Security Fundamentals 27 November 2013 04:30 pm Brisbane Time (GMT+10) Introduction Presenter Sheryl Hermoso Training Officer [email protected] Specialties: Network Security IPv6
WLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.
Wireless LAN Attacks and Protection Tools (Section 3 contd.) WLAN Attacks Passive Attack unauthorised party gains access to a network and does not modify any resources on the network Active Attack unauthorised
Internetwork Security
Internetwork Security Why Network Security Layers? Fundamentals of Encryption Network Security Layer Overview PGP Security on Internet Layer IPSec IPv6-GCAs SSL/TLS Lower Layers 1 Prof. Dr. Thomas Schmidt
1. discovery phase 2. authentication and association phase 3. EAP/802.1x/RADIUS authentication 4. 4-way handshake 5. group key handshake 6.
1. discovery phase 2. authentication and association phase 3. EAP/802.1x/RADIUS authentication 4. 4-way handshake 5. group key handshake 6. secure data communication. The access point periodically advertise
WLAN Security Why Your Firewall, VPN, and IEEE 802.11i Aren t Enough to Protect Your Network
WLAN Security Why Your Firewall, VPN, and IEEE 802.11i Aren t Enough to Protect Your Network 339 N. Bernardo Avenue, Suite 200 Mountain View, CA 94043 www.airtightnetworks.net Executive Summary Wireless
Network Security. Security of Wireless Local Area Networks. Chapter 15. Network Security (WS 2002): 15 Wireless LAN Security 1 Dr.-Ing G.
Network Security Chapter 15 Security of Wireless Local Area Networks Network Security WS 2002: 15 Wireless LAN Security 1 IEEE 802.11 IEEE 802.11 standardizes medium access control MAC and physical characteristics
The next generation of knowledge and expertise Wireless Security Basics
The next generation of knowledge and expertise Wireless Security Basics HTA Technology Security Consulting., 30 S. Wacker Dr, 22 nd Floor, Chicago, IL 60606, 708-862-6348 (voice), 708-868-2404 (fax), www.hta-inc.com
Prediction of DDoS Attack Scheme
Chapter 5 Prediction of DDoS Attack Scheme Distributed denial of service attack can be launched by malicious nodes participating in the attack, exploit the lack of entry point in a wireless network, and
APNIC elearning: Network Security Fundamentals. 20 March 2013 10:30 pm Brisbane Time (GMT+10)
APNIC elearning: Network Security Fundamentals 20 March 2013 10:30 pm Brisbane Time (GMT+10) Introduction Presenter/s Nurul Islam Roman Senior Training Specialist [email protected] Specialties: Routing &
Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide
Network Security [2] Public Key Encryption Also used in message authentication & key distribution Based on mathematical algorithms, not only on operations over bit patterns (as conventional) => much overhead
Ebonyi State University Abakaliki 2 Department of Computer Science. Our Saviour Institute of Science and Technology 3 Department of Computer Science
Security Measures taken in Securing Data Transmission on Wireless LAN 1 AGWU C. O., 2 ACHI I. I., AND 3 OKECHUKWU O. 1 Department of Computer Science Ebonyi State University Abakaliki 2 Department of Computer
How To Protect A Wireless Lan From A Rogue Access Point
: Understanding Security to Ensure Compliance with HIPAA Healthcare is a natural environment for wireless LAN solutions. With a large mobile population of doctors, nurses, physician s assistants and other
Introduction to Wireless Sensor Network Security
Smartening the Environment using Wireless Sensor Networks in a Developing Country Introduction to Wireless Sensor Network Security Presented By Al-Sakib Khan Pathan Department of Computer Science and Engineering
A Dynamic Extensible Authentication Protocol for Device Authentication in Transport Layer Raghavendra.K 1, G. Raghu 2, Sumith N 2
A Dynamic Extensible Authentication Protocol for Device Authentication in Transport Layer Raghavendra.K 1, G. Raghu 2, Sumith N 2 1 Dept of CSE, P.A.College of Engineering 2 Dept of CSE, Srnivas institute
Tema 5.- Seguridad. Problemas Soluciones
Tema 5.- Seguridad Problemas Soluciones Wireless medium is easy to snoop on Routing security vulnerabilities Due to ad hoc connectivity and mobility, it is hard to guarantee access to any particular node
Security in Wireless Local Area Network
Fourth LACCEI International Latin American and Caribbean Conference for Engineering and Technology (LACCET 2006) Breaking Frontiers and Barriers in Engineering: Education, Research and Practice 21-23 June
Agenda. Wireless LAN Security. TCP/IP Protocol Suite (Internet Model) Security for TCP/IP. Agenda. Car Security Story
Wireless s June September 00 Agenda Wireless Security ผศ. ดร. อน นต ผลเพ ม Asst. Prof. Anan Phonphoem, Ph.D. [email protected] http://www.cpe.ku.ac.th/~anan Computer Engineering Department Kasetsart University,
The following chart provides the breakdown of exam as to the weight of each section of the exam.
Introduction The CWSP-205 exam, covering the 2015 objectives, will certify that the successful candidate understands the security weaknesses inherent in WLANs, the solutions available to address those
Network Security. Vorlesung Kommunikation und Netze SS 10 E. Nett
Network Security Internet not originally designed with (much) security in mind original vision: a group of mutually trusting users attached to a transparent network Security considerations in all layers!
Security issues with Mobile IP
Technical report, IDE1107, February 2011 Security issues with Mobile IP Master s Thesis in Computer Network Engineering Abdel Rahman Alkhawaja & Hatem Sheibani School of Information Science, Computer and
Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards
White Paper Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards By Dr. Wen-Ping Ying, Director of Software Development, February 2002 Introduction Wireless LAN networking allows the
INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY
INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY A PATH FOR HORIZING YOUR INNOVATIVE WORK AN OVERVIEW OF MOBILE ADHOC NETWORK: INTRUSION DETECTION, TYPES OF ATTACKS AND
How to secure an LTE-network: Just applying the 3GPP security standards and that's it?
How to secure an LTE-network: Just applying the 3GPP security standards and that's it? Telco Security Day @ Troopers 2012 Peter Schneider Nokia Siemens Networks Research 1 Nokia Siemens Networks 2012 Intro
SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES
www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,
Wireless Sensor Networks Chapter 14: Security in WSNs
Wireless Sensor Networks Chapter 14: Security in WSNs António Grilo Courtesy: see reading list Goals of this chapter To give an understanding of the security vulnerabilities of Wireless Sensor Networks
Efficient Nonce-based Authentication Scheme for. session initiation protocol
International Journal of Network Security, Vol.9, No.1, PP.12 16, July 2009 12 Efficient Nonce-based Authentication for Session Initiation Protocol Jia Lun Tsai Degree Program for E-learning, Department
Efficient nonce-based authentication scheme for Session Initiation Protocol
Efficient nonce-based authentication scheme for Session Initiation Protocol Jia Lun Tsai National Chiao Tung University, Taiwan, R.O.C. [email protected] Abstract: In recent years, Session Initiation
2006-11-16 IEEE C802.16j-06/133r4. IEEE 802.16 Broadband Wireless Access Working Group <http://ieee802.org/16>
Project Title Date Submitted IEEE 802.16 Broadband Wireless Access Working Group MS network entry for non-transparent Relay Station 2006-11-16 Source(s) Masato Okuda, Antoni Oleszczuk
Authentication Types. Password-based Authentication. Off-Line Password Guessing
Authentication Types Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer Chapter 4:
THE BCS PROFESSIONAL EXAMINATIONS BCS Level 5 Diploma in IT. October 2009 EXAMINERS' REPORT. Computer Networks
THE BCS PROFESSIONAL EXAMINATIONS BCS Level 5 Diploma in IT October 2009 EXAMINERS' REPORT Computer Networks General Comments The responses to questions were of marginally better quality than April 2009
Authenticity of Public Keys
SSL/TLS EJ Jung 10/18/10 Authenticity of Public Keys Bob s key? private key Bob public key Problem: How does know that the public key she received is really Bob s public key? Distribution of Public Keys!
Wireless Local Area. Network Security
Wireless Local Area Network Security HONORS PROJECT CIS 345/ Section 131 Spring 2005 Mentor: Prof. C.S. Rani The first part of this research paper will answer questions such as: what is wireless, how wireless
Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)
Security Protocols Security Protocols Necessary to communicate securely across untrusted network Provide integrity, confidentiality, authenticity of communications Based on previously discussed cryptographic
Security Sensor Network. Biswajit panja
Security Sensor Network Biswajit panja 1 Topics Security Issues in Wired Network Security Issues in Wireless Network Security Issues in Sensor Network 2 Security Issues in Wired Network 3 Security Attacks
CSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and
7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?
7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk
Authentication in WLAN
Authentication in WLAN Flaws in WEP (Wired Equivalent Privacy) Wi-Fi Protected Access (WPA) Based on draft 3 of the IEEE 802.11i. Provides stronger data encryption and user authentication (largely missing
2007-01-08 IEEE C802.16j-07/024. IEEE 802.16 Broadband Wireless Access Working Group <http://ieee802.org/16>
Project Title Date Submitted IEEE 802.16 Broadband Wireless Access Working Group MS network entry for non-transparent Relay Station with Distributed Scheduling 2007-01-08 Source(s)
Figure 1: Bandwidth and coverage of wireless technologies [2].
Simulation and Performance Evaluation of WiFi and WiMAX using OPNET Ravinder Paul, Sukhchandan Lally, and Ljiljana Trajković Simon Fraser University Vancouver, British Columbia Canada E-mail: {rpa28, lally,
Recommended 802.11 Wireless Local Area Network Architecture
NATIONAL SECURITY AGENCY Ft. George G. Meade, MD I332-008R-2005 Dated: 23 September 2005 Network Hardware Analysis and Evaluation Division Systems and Network Attack Center Recommended 802.11 Wireless
APNIC elearning: IPSec Basics. Contact: [email protected]. esec03_v1.0
APNIC elearning: IPSec Basics Contact: [email protected] esec03_v1.0 Overview Virtual Private Networks What is IPsec? Benefits of IPsec Tunnel and Transport Mode IPsec Architecture Security Associations
HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper
HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper Rev 1.0 HIPAA Security Considerations for Broadband Fixed Wireless Access Systems This white paper will investigate
An Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography
ROMANIAN JOURNAL OF INFORMATION SCIENCE AND TECHNOLOGY Volume 16, Number 4, 2013, 324 335 An Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography
Mobile Security Wireless Mesh Network Security. Sascha Alexander Jopen
Mobile Security Wireless Mesh Network Security Sascha Alexander Jopen Overview Introduction Wireless Ad-hoc Networks Wireless Mesh Networks Security in Wireless Networks Attacks on Wireless Mesh Networks
Draft ITU-T Recommendation X.805 (Formerly X.css), Security architecture for systems providing end-to-end communications
Draft ITU-T Recommendation X.805 (Formerly X.css), architecture for systems providing end-to-end communications Summary This Recommendation defines the general security-related architectural elements that
CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631
Cunsheng DING, HKUST Lecture 08: Key Management for One-key Ciphers Topics of this Lecture 1. The generation and distribution of secret keys. 2. A key distribution protocol with a key distribution center.
2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries
Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application
Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 [email protected]
Wireless Security Overview Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 [email protected] Ground Setting Three Basics Availability Authenticity Confidentiality Challenge
Overview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure
Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket
IT 4823 Information Security Administration Public Key Encryption Revisited April 5 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles
How To Understand And Understand The Security Of A Key Infrastructure
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography Objectives Define digital certificates List the various types of digital certificates and how they are used
Module 7 Security CS655! 7-1!
Module 7 Security CS655! 7-1! Issues Separation of! Security policies! Precise definition of which entities in the system can take what actions! Security mechanism! Means of enforcing that policy! Distributed
