CDMA Network Security
Verizon Wireless White Paper
Contents

1. Introduction
2. Security Overview
3. CDMA Network and Technology Overview
3.1 CDMA2000 1xRTT and 1xEV-DO
3.2 Mobile Stations
3.3 Access Network
3.4 Core Network
4. Security in Call Setup
4.1 1xRTT Autonomous Registration Authentication
4.2 EV-DO Access Authentication
4.3 Mobile IP (Public Network) or Enterprise Home Agent (Private Network) Access
5. Air Interface (Physical Layer)
5.1 Air Interface Technologies
5.2 CDMA Air Interface Security Benefits
6. Access Network (Layer 2)
6.1 1xRTT Device and Subscriber Authentication
6.2 1xEV-DO Access Authentication
7. Core Network
7.1 User Authentication and Authorization
7.2 IP Management
7.3 Dynamic Mobile IP Update
7.4 Roaming
8. Network Availability
9. Transport/Perimeter
9.1 Traffic Separation
9.2 Direct Circuit Connection
9.3 SSL/TLS
9.4 Firewalls and Choke Routers
10. Device Endpoint
10.1 Initial Provisioning
10.2 Device Management
10.3 Device Compliance
11. Hosted Services Security
11.1 BREW
11.2 SMS
11.3 MMS
11.4 Content and Media
11.5 Navigation and Location-Based Services (LBS)
11.6 Field Force Manager
12. Summary
13. Glossary of Terms
14. Contact Information
15. Legal Disclaimer
1. Introduction

As wireless data networks become increasingly prevalent, new possibilities and challenges continue to emerge. Security becomes key to delivering solutions that meet today's demand for mobility. Verizon Wireless has been at the forefront of offering secure wireless broadband solutions that minimize the security risk to personal and corporate data. Verizon Wireless implements many aspects of innovative and commercially available methods for securing data. This document focuses on secure mobile data: the Verizon Wireless mobile data network features that enable mobile users to enjoy secure access to hosted and enterprise-wide applications. Voice services are not covered.

2. Security Overview

Protecting corporate network assets is an ongoing task for IT professionals. Increased worker mobility and mobile workers' needs for immediate, secure access to critical business information add challenges to maintaining network security. Mobility benefits all, but it can introduce security risks. Some of today's top security issues and concerns are:
- Unauthorized systems and network access
- Auditability and compliance
- Customer data breaches
- Internal and external sabotage
- Theft of intellectual property and confidential business information
- Cost of mobile device administration
The following diagram illustrates many elements critical to mobile data security.

Figure 1: The different layers of mobile data security. (The diagram groups the elements into Network, Applications and Services, Device Protection, and Network Policy and Regulation: network reliability and redundancy, physical protection, remote enterprise access, data integrity, network perimeter security, stored data protection, user and device authentication, network integrity and authentication, messaging and email security, device management policies, and authentication services.)
This white paper explains the security features, capabilities, and benefits of the following areas in the Verizon Wireless mobile data network:
- Air interface
- Access network
- Core network
- Transport
- Perimeter
- Endpoint

3. CDMA Network and Technology Overview

The core network of the Verizon Wireless mobile data network has many of the same components found in a typical corporate network, and managing these components requires similar techniques and practices that IT professionals commonly use in their own networks. The difference between the Verizon Wireless mobile data network and a typical network is found in the access network. It is in the access network where users are granted entry into the overall mobile network and where maintaining high security and access protocols becomes paramount. The following diagram illustrates a simplified view of the Verizon Wireless CDMA2000 1x data network containing both 1xRTT and 1xEV-DO data structures. The Verizon Wireless mobile data network has two parts: the access network and the core network.
Figure 2: A simplified cdma2000 1x data network showing 1xRTT and 1xEV-DO data structures. (Access network: Base Transceiver Station, Base Station Controller and Packet Control Function for 1xRTT and voice, Radio Network Controller for 1xEV-DO, Access Network AAA Server. Core network: Mobile Switching Center, Home Location Register, Visiting Location Register, Public Switched Telephone Network, Network Management System Server, Packet Data Serving Node/Foreign Agent, Home Agent, Core Network AAA Server, Router, Choke Router, and hosted services such as text messaging, media messaging, navigation, media and content, location-based services, field force automation, and WAP. The core connects to the Internet, to branch offices, and to the enterprise network through firewalls or a direct circuit.)
3.1 CDMA2000 1xRTT and 1xEV-DO

Over time, more and more demands have been made on the capabilities of corporate networks. Workers want more mobility; secure, high-speed access; and an extension of applications across the enterprise, all of which can strain current IT capabilities. Verizon Wireless understands these demands and has constantly improved its mobile data network to offer increased mobility, access, and applications. This process is ongoing, but it pays to see what has happened before to gain a greater appreciation of the capabilities of today's mobile data network.

Second-generation (2G) CDMA-based wireless networks, known as cdmaOne, have proved their effectiveness in delivering high-quality voice traffic to subscribers. In response to subscriber growth and demand for data services that require high-speed access, the third-generation (3G) wireless networks, known as CDMA2000 and comprising 1xRTT and 1xEV-DO, were implemented.

The first phase of CDMA2000 is called 1xRTT. 1xRTT provides maximum theoretical data rates of 144 Kbps (downlink) and 144 Kbps (uplink), as well as twice the voice capacity of cdmaOne on a single 1.25-MHz CDMA channel. 1xEV-DO Revision 0 (Rev. 0) increases the downlink maximum theoretical data rate to 2.4 Mbps, with an average data rate between 400 and 700 Kbps. The average uplink data rate is between 60 and 80 Kbps. 1xEV-DO Revision A (Rev. A) supports Quality of Service (QoS), converges IP services and VoIP, reduces latency, increases the maximum theoretical downlink speed to 3.1 Mbps (average 600-1400 Kbps), and boosts the maximum theoretical uplink speed to 1.8 Mbps (average 500-800 Kbps). The entire Verizon Wireless EV-DO data network is now Rev. A-enabled.

3.2 Mobile Stations

Mobile subscribers access the CDMA2000 1x data network using a mobile station, such as a mobile phone, a modem, a laptop with an embedded CDMA2000 chip, a broadband access wireless router, or a PC Card in a laptop computer. Mobile stations allow mobile users to access Verizon Wireless-hosted services, the Internet, or enterprise services.
The mobile station interacts with the access network (AN) to obtain radio resources in order to exchange data packets. The mobile station, in tethered mode, can also act as a modem for a computer. The mobile station automatically registers with the network upon power-up, and upon successful registration, it is ready for voice and data calls.
3.3 Access Network

There are two types of access networks: 1xRTT and 1xEV-DO. The AN is the mobile station's entry point into the mobile network and maintains the communications link between the mobile station and the core network. The access network facilitates security by allowing only authorized mobile stations to access the network. The AN is composed of the following elements:

Base Transceiver Station: The base transceiver station (BTS) is physically composed of antennas and towers. The BTS manages radio resources, including radio channel assignment and transmit and receive power management, and acts as the interface to mobile stations.

Packet Control Function: The packet control function (PCF) maintains the connection state between the access network and mobile stations, buffers packets when necessary, and relays packets between mobile stations and the PDSN.

Radio Network Controller/Base Station Controller: The radio network controller for 1xEV-DO and the base station controller for 1xRTT schedule packet transmission on the air interface and manage handoffs between BTSs. For 1xEV-DO, security functionality is maintained by the security sublayer in the RNC. Security functionality is performed by either the BTS or the RNC, or by both.

3.4 Core Network

The core network acts as the gateway between the access network and the Internet or enterprise private networks. It provides authentication, authorization, and accounting (AAA) services, provides access to network services and IP mobility, and manages IP addresses. The core network comprises the following elements:

PDSN/Foreign Agent: The PDSN is the gateway between the access network and the core network. The PDSN terminates PPP for mobile stations. The PDSN handles authentication and authorization for access to packet services and records packet billing information in conjunction with the AAA. The foreign agent handles packet routing and encryption (between the foreign agent and the home agent) for mobile IP subscribers.

AAA/Home Agent: The AAA and the home agent (HA) are used for authentication, authorization, and accounting for data services.
The AAA/HA stores and records usage and access information for billing and invoicing purposes. The HA facilitates data roaming into other carrier networks by providing a mobile IP address for mobile stations, and by forwarding traffic to and from mobile stations. It maintains registration information and supports dynamic assignment of IP addresses together with the AAA.
Direct Circuit Connections: Verizon Wireless provides a direct circuit connection (a "private network") for business customers to connect the company's enterprise network directly to the Verizon Wireless fixed end systems. This direct circuit lets companies communicate with their mobile workforces with faster data response times and lower latency, while reducing concerns over security and reliability. Overall connection reliability improves, because companies avoid having to traverse the Internet. As a result, security threats are more contained.

4. Security in Call Setup

This section briefly describes CDMA 1xRTT and 1xEV-DO. It introduces the idea of a call setup, the procedures involved, and the differences in call setup for 1xRTT and 1xEV-DO. A mobile station is used to illustrate call setup.

4.1 1xRTT Autonomous Registration Authentication

Successful autonomous registration authentication is diagrammed in Figure 3. The authentication sequence comprises 15 steps and focuses on the major protocol exchanges that begin with authentication between the mobile station (MS) and the base station controller (BSC).
Figure 3: 1xRTT Autonomous Registration Authentication. (Sequence diagram between the Mobile Station, Base Station Controller, and Home Location Register. The AC's SSD Generator and Unique Challenge take the A-Key, ESN, MIN, RANDSSD and RANDU as inputs and produce the 128-bit SSD, split into SSD-A and SSD-B, and AUTHU; the 15 numbered messages are described in the steps below.)
1. The MS acquires the system, collecting a complete set of configuration messages before it is allowed to operate on the system. The BS tells all mobiles when they should register in the System Parameters Message (one of the messages in the set of configuration messages).
2. The MS notices that it is obligated to register and so transmits a Registration Message.
3. The serving-system mobile switching center (MSC) or visitor location register (VLR) issues the ANSI-41 Registration Notification (REGNOT) Message for MS service qualification.
4. The home location register (HLR) responds with the REGNOT Result, including the MS services profile.
5. Upon successful validation of service qualification in the REGNOT message, the BS confirms that the MS's registration was successful with a Base Station Acknowledgment Message.
6. a. Upon receipt of REGNOT in step 3 above, the Authentication Center (AC), based on its internal authentication algorithms, initiates the SSD Update process. The first step is executing the Cellular Authentication and Voice Encryption (CAVE) algorithm using the MS's authentication key (A-Key), electronic serial number (ESN), and a random number called the RandomVariableSSD (RANDSSD). The result is the new, pending SSD subkey. The SSD has two parts: SSD-A (used for authentication) and SSD-B (used for session key derivation).
   b. The AC then selects RANDU (Unique Challenge) and calculates the unique challenge authentication signature (AUTHU). AUTHU is calculated by executing the CAVE algorithm again using the SSD-A (lower 64 bits of the SSD), RANDU, ESN, and mobile identifier number (MIN). The SSD Update process occurs in parallel with the registration process.
   c. The ANSI-41 AuthenticationDirective Invoke message (AUTHDIR) is used to transfer the [RANDSSD, RANDU, AUTHU] triplet from the AC to the VLR or serving MSC.
7. The serving system acknowledges the SSD update request by sending the ANSI-41 AUTHDIR response to the AC.
8. a. The BS sends an SSD Update Message, including the RANDSSD, to the MS.
   b. The MS extracts the RANDSSD and independently computes the SSD.
9. The MS sends the SSD Update Confirmation Order confirming the SSD update.
10. The BS executes a unique challenge by sending an Authentication Challenge Message including the RANDU.
    a. The MS extracts the RANDU and independently computes the AUTHU.
11. The MS returns the calculated AUTHU in the Authentication Challenge Response Message.
12. The serving system completes the unique challenge by validating whether the mobile station successfully completed the unique challenge.
13. The serving MSC/VLR sends a report, including the SSD update and unique challenge results, to the AC in the ANSI-41 ASREPORT message.
14. The HLR/AC verifies that the information in the ASREPORT is the expected result. If not, the HLR/AC forwards the information to a Fraud Information Gathering System (FIGS) for use in determining fraudulent activity.
15. The AC acknowledges the authentication report by sending the ANSI-41 ASREPORT response to the VLR.
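The key-handling core of the 15 steps above, as an added illustration written for this page (it is not Verizon Wireless code, and CAVE itself is replaced by an HMAC-SHA256 stand-in, so only the structure of the exchange is faithful): the A-Key never leaves the AC or the MS, both sides derive the SSD independently from RANDSSD (steps 6a and 8b), AUTHU is computed from SSD-A, RANDU, ESN and MIN (steps 6b and 10a), and the AC commits the pending SSD only when the MS's AUTHU matches, otherwise recording a report for FIGS (steps 12 to 14). Field lengths, the MIN and ESN values, and the class and function names are constructed; the serving MSC/VLR relay is collapsed into one function.

```python
import hashlib
import hmac
import os


def keyed_digest(key, *fields):
    """Constructed stand-in for CAVE: a keyed hash over the listed inputs (not the real algorithm)."""
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()


def derive_ssd(a_key, esn, randssd):
    """Steps 6a / 8b: SSD = CAVE(A-Key, ESN, RANDSSD), 128 bits, split into SSD-A and SSD-B.
    Which half is SSD-A is a constructed choice here."""
    ssd = keyed_digest(a_key, esn, randssd)[:16]
    return ssd[:8], ssd[8:]


def compute_authu(ssd_a, randu, esn, min_):
    """Steps 6b / 10a: AUTHU = CAVE(SSD-A, RANDU, ESN, MIN). Truncated to 4 bytes (constructed length)."""
    return keyed_digest(ssd_a, randu, esn, min_)[:4]


class MobileStation:
    """Holds its own A-Key; only the derived AUTHU signature is ever transmitted."""

    def __init__(self, min_, esn, a_key):
        self.min, self.esn, self.a_key = min_, esn, a_key
        self.ssd_a = self.ssd_b = None

    def ssd_update(self, randssd):               # step 8b
        self.ssd_a, self.ssd_b = derive_ssd(self.a_key, self.esn, randssd)

    def unique_challenge(self, randu):           # steps 10a / 11
        return compute_authu(self.ssd_a, randu, self.esn, self.min)


class AuthenticationCenter:
    def __init__(self):
        self.subscribers = {}    # MIN -> {"esn", "a_key", "ssd_a", "ssd_b"} (committed SSD)
        self.pending = {}        # MIN -> (pending SSD-A, pending SSD-B, expected AUTHU)
        self.fraud_reports = []  # what would be handed to FIGS (step 14)

    def provision(self, min_, esn, a_key):
        self.subscribers[min_] = {"esn": esn, "a_key": a_key, "ssd_a": None, "ssd_b": None}

    def authentication_directive(self, min_):
        """Steps 6a-6c: build the [RANDSSD, RANDU, AUTHU] triplet; the A-Key never leaves the AC."""
        rec = self.subscribers[min_]
        randssd = os.urandom(7)  # 56-bit RANDSSD (constructed length)
        randu = os.urandom(3)    # 24-bit RANDU (constructed length)
        ssd_a, ssd_b = derive_ssd(rec["a_key"], rec["esn"], randssd)
        authu = compute_authu(ssd_a, randu, rec["esn"], min_)
        self.pending[min_] = (ssd_a, ssd_b, authu)
        return randssd, randu, authu

    def authentication_status_report(self, min_, authu_from_ms):
        """Steps 12-14: validate the unique challenge; commit the pending SSD only on success."""
        ssd_a, ssd_b, expected = self.pending.pop(min_)
        if hmac.compare_digest(expected, authu_from_ms):
            self.subscribers[min_].update(ssd_a=ssd_a, ssd_b=ssd_b)
            return True
        self.fraud_reports.append((min_, "unique challenge failed"))
        return False


def run_registration_authentication(ac, ms):
    """The serving MSC/VLR relay, collapsed: RANDSSD goes out in the SSD Update Message,
    RANDU in the Authentication Challenge Message, and AUTHU comes back in the ASREPORT."""
    randssd, randu, _authu_kept_at_ac = ac.authentication_directive(ms.min)
    ms.ssd_update(randssd)
    authu = ms.unique_challenge(randu)
    return ac.authentication_status_report(ms.min, authu)


if __name__ == "__main__":
    ac = AuthenticationCenter()
    a_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    ac.provision(b"3105551212", b"ESN-CONSTRUCTED-1", a_key)
    print(run_registration_authentication(ac, MobileStation(b"3105551212", b"ESN-CONSTRUCTED-1", a_key)))
```

A device that presents the correct ESN and MIN but does not hold the A-Key derives a different SSD, so its AUTHU fails the comparison, the committed SSD is left untouched, and a FIGS report is recorded; that is the property the two-level A-Key/SSD hierarchy exists to provide.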
4.2 EV-DO Access Authentication

This section explains the process of how EV-DO access is granted and authenticated.

Figure 4: EV-DO A12 Authentication. (Sequence diagram between the Mobile Station, Radio Network Controller, Visited Access Network AAA, and Home AAA; messages: 1 UATI-Request, 2 UATI-Assignment, 3 UATI-Complete, 4 Session Establishment, 5 PPP Connection Negotiation (LCP), 6 CHAP Challenge, 7 CHAP Response, 8 A12 Access Request, 9 Access-Request (NAI, CHAP Challenge, CHAP Password), 10 Access-Accept (IMSI), 11 A12 Access-Response, 12 CHAP Authentication Success.)
1. The mobile node (MN) sends a Unicast Access Terminal Identifier (UATI)-Request.
2. The RNC assigns the UATI.
3. UATI assignment is completed.
4. The EV-DO session is set up between the MN and the RNC.
5. PPP/Link Control Protocol (LCP) negotiation completes between the MN and the RNC.
6. The RNC sends a Challenge-Handshake Authentication Protocol (CHAP) challenge to the MN.
7. The MN calculates a response based on the A12 CHAP key and includes this along with the A12 Network Access Identifier (NAI) in a CHAP response to the RNC.
8. The RNC includes the challenge and response in a RADIUS Access-Request to the local AN-AAA server.
9. The local AN-AAA server uses the NAI to forward the message to the proper home AN-AAA server, possibly via brokers.
10. The home AN-AAA server validates the CHAP response and responds with an authorization response that may be delivered using security between the foreign (visited) and home networks. If the response is valid, the home AN-AAA server returns the IMSI in the RADIUS Access-Accept.
11. The local AN-AAA server forwards the response to the RNC.
12. The RNC informs the MN of the A12 authentication result. The PPP link is terminated after A12 authentication.
4.3 Mobile IP (Public Network) or Enterprise Home Agent (Private Network) Access

This section explains how access to a public or private network is granted and the process needed for authentication.

Figure 5: 3G MIPv4 Authentication. (Sequence diagram between the Mobile Node, Base Station/MSC, PCF/RNC, PDSN, Visited AAA, HA, Home AAA, and Host; the 37 numbered messages, from the Origination Message through the PPP, RADIUS, IKE, Mobile IP registration, accounting and IPsec-tunneled data flows, are described in the steps below.)
1. The MN sends an Origination Message with the Data Ready to Send (DRS) bit set to one (1), which indicates a request to establish a traffic channel, to the BS/MSC to request packet data service.
2. The BS/MSC acknowledges the receipt of the Origination Message with a Base Station Acknowledgement Order to the Mobile Station.
3. The traffic channel is set up between the MN and the BS/MSC.
4. The BS/MSC sends a SETUP message to the PCF.
5. The PCF sends back a CONNECT message to the BS/MSC.
6. The PCF sends an R-P request to the PDSN to establish the R-P (i.e., A10/A11 interface) connection.
7. The PDSN responds to the PCF connection request and the A10/A11 connection is established.
8. The BS/MSC sends a second SETUP message to provide airlink start accounting information.
9. The second RELEASE message to the BS/MSC is required to acknowledge the above SETUP message. In this case the RELEASE message does not release any resources.
10. The PCF sends an R-P Registration Request (RRQ) message to the PDSN containing airlink start accounting information.
11. The PDSN records the accounting information and responds back to the PCF with the R-P Registration Response (RRP) message.
12. The BS/MSC sends a Radio Link Protocol (RLP) synchronization message to the MN.
13. A PPP session is established between the MN and the PDSN.
14. PPP negotiation completes. IP Control Protocol (IPCP) configures a simple IP address, or rejects IPCP IP address configuration to indicate that mobile IP service is requested (versus simple IP service).
15. After PPP initialization, the PDSN sends Foreign Agent Challenge (FAC) extension advertisements to the mobile station. The mobile station may send an agent solicitation message to the PDSN/foreign agent following PPP initialization.
16. The mobile station generates a mobile IP registration request containing four MIPv4 extensions: NAI, MN-HA Authentication, FAC, and MN-AAA Authentication Extension. In this example we assume the user is requesting a secure reverse tunnel (see steps 33 and 36) as part of the MIP RRQ message.
17. Using the NAI and the RADIUS protocol, the PDSN sends an authentication request to the local AAA. This request includes the MN NAI, MN-AAA authenticator, and FAC/HA address (if any), as well as other information.
18. The local AAA server uses the NAI to forward the message to the proper home AAA server, possibly via brokers.
19. The home AAA responds with an authorization response that may be delivered using security between the foreign (visited) and home networks. If the MN-AAA authenticator is valid, the home AAA returns the FA-HA secret key and key index in the RADIUS Access-Accept.
20. The local AAA forwards the response to the PDSN.
21. The PDSN sets up a security association with the HA (if one does not already exist) with an Internet Key Exchange (IKE) pre-shared secret. Note: The IKE pre-shared secret can be dynamically configured as per IS-835 (distributed by the Home RADIUS server) or statically configured.
22. The HA acknowledges and responds to the IKE exchange.
23. The PDSN sends the mobile IP RRQ to the HA. If the Mobile Station wants to use its static Home Address (or the Mobile Station already has a mobile IP address and the same mobile IP session is being continued), the Mobile includes the IP Address as the MIP RRQ (step 16) home address. If the Mobile Station wants a dynamic home address, it sets the home address to zero (0.0.0.0). Thus, in this case the HA field of the mobile IP RRQ is set to zero (0.0.0.0).
24. The HA requests the MN-HA key from the AAA.
25. The AAA returns the MN-HA secret key corresponding to the NAI in an Access-Accept (on a secure channel).
26. The HA validates the MN-HA authenticator. If valid, the HA responds with a mobile IP RRP Message and, if requested, provides a dynamic IP address for the MN. Otherwise, the supplied address offered in the MIPv4 RRQ is accepted.
27. The PDSN sends the RRP to the MS after recording the reply in the visitor entry list.
28. The PDSN sends an accounting start to the AAA server (which may forward the message to the AAA via optional brokers).
29. For roaming services, the local AAA server forwards the accounting start to the remote AAA server.
30. The remote AAA server records the accounting start and responds back to the local AAA server.
31. The local AAA server forwards the accounting response to the PDSN.
32. User data flows from the MS over the PPP link to the PDSN.
33. User data flows in the IPsec tunnel between the PDSN and the HA.
34. User data flows in an IP packet from the HA to the host.
35. User data flows in an IP packet from the host to the HA.
36. User data flows over the IPsec tunnel between the HA and the PDSN.
37. The PPP packet flows from the PDSN to the MS.

The PPP link can be terminated at any time: by the user, by an authentication failure, by loss of carrier, and so on, as described in the PPP protocol. In addition, the mobile station periodically refreshes the registration with the PDSN based on the lifetime value in the RRP message. The mobile station is allowed to periodically refresh, or in effect extend, the registration lifetime by sending agent solicitations.
5. Air Interface (Physical Layer)

Mobile stations rely on radio technology to access the network. Security is of concern when using radio technology, but with the advances in radio technology, several air interface security mechanisms have been developed to keep signals secure while increasing access capability.

5.1 Air Interface Technologies

Modern radio systems typically divide their allotted radio spectrum by one of two factors, time or frequency, allowing multiple connections to occur. The different methods of dividing radio spectrum to accommodate many connections are called multiple-access schemes. Dividing radio spectrum by time lets each connection (in all or part of the allotted spectrum) use a specific time slot and is called Time Division Multiple Access (TDMA). Using TDMA, multiple connections are separated from each other in time. Dividing the radio spectrum by frequency allows each connection (in all or part of the allotted spectrum) to have access to the radio spectrum all of the time and is called Frequency Division Multiple Access (FDMA). Using FDMA, multiple connections are separated from each other by different frequencies.

Figure 6: A comparison of radio spectrum division techniques. (Three frequency-versus-time plots: TDMA, FDMA, and CDMA.)
Another way to give multiple access to radio spectrum is to divide the spectrum up using unique codes. Each connection has access to the radio spectrum all of the time, but uses a unique code to separate connections. This is called Code Division Multiple Access (CDMA). CDMA provides exclusive rights to a unique code for the duration of the connection, preventing simultaneous connections from having the same code. This method grants greater network access while offering enhanced network security.

5.2 CDMA Air Interface Security Benefits

CDMA has inherent security benefits that TDMA and FDMA multiple-access schemes do not have. To understand the inherent security benefits of CDMA, it is necessary to understand how direct-sequence spread-spectrum (DSSS) technology works. DSSS technology employs techniques that deliberately distribute or spread data over a frequency domain. DSSS works by multiplying user data by a pseudo-random noise (PN) sequence composed of 1 and -1 values. A PN sequence is a statistically random sequence that is multiplied at a much higher data rate, or chip rate, expressed in chips per second (cps), with the slower user data expressed in bits per second (bps). This multiplication is done at the radio baseband level prior to actual transmission over the air link. The output of these multiplied signals is a new signal that is randomly spread over a wide frequency band determined by the chip rate and PN sequence length. The new signal resembles white noise when transmitted over the air link, except that it can be filtered out by the receiving radio. The receiver multiplies the received signal with the same synchronized PN sequence, yielding the original user data (1 x 1 = 1 and -1 x -1 = 1). This process completely separates the original user data from the received signal and is called despreading. Because the despread process is the same as the spread process, jamming signals introduced into the radio channel are also spread when despreading is performed.
This reduces the susceptibility of CDMA to jamming and interference and makes it less likely that a connection or call will be knocked off the air. Because each connection or call is encoded with a unique PN sequence, multiple users can share a single frequency band or channel. Each connection or call is kept isolated from the others via PN sequence codes. CDMA2000 uses different PN sequences or encoding types in the generation of both the uplink and downlink sides of each connection. There are over 4.4 trillion different PN code combinations, making it very difficult to intercept a specific connection's PN sequence. These PN codes also change regularly to make code interception very difficult. As an added benefit, PN sequences allow for increased network access while increasing overall network security.

The following diagram briefly describes how user data from the CDMA network is transmitted from a base station to a mobile station (the downlink side of a connection). A similar process occurs on the uplink side of the connection when the mobile station sends data to the network. The difference between the downlink and uplink sides is that different PN sequences and codes are used for each half of the connection or call.

Figure 7: Base Station Controller encoding block diagram. (For each of calls 1 to N: Data Source, Convolutional Encoder, 64-bit Multiplier, XOR with the Walsh Encoder output, XOR with the P/N Sequence; all calls feed a Combiner and Modulator and the Base Transceiver Station (BTS) radio.)

In the previous illustration, the user-data output is doubled by a convolutional encoder that adds redundancy for error-checking purposes. Each bit from the output of the convolutional encoder is replicated 64 times and exclusive-or'd (generally symbolized by XOR) with a Walsh code that is exclusive to that connection. The output of the Walsh code is then exclusive-or'd with a PN sequence that is used to identify all of the connections or calls within a particular cell's sector. At this point, there are 128 times as many bits as there were in the original user data. All of the connections or calls for that cell's sector are then combined and modulated onto a carrier frequency.

Within the mobile station, the process is reversed. The received signals are quantized into bits or chips by an analog-to-digital converter (ADC). The output of the ADC is run through the Walsh code and PN sequence correlation receiver to recover the transmitted bits of information from the original user data. Once about 20 ms of data is received, a Viterbi decoder is able to decode the convolutionally encoded data and correct any errors.

Figure 8: Mobile station decoding block diagram. (Radio Tuning, Analog-to-Digital Converter, XOR with the P/N Code, Walsh Code Correlator, Viterbi Decoder, Data Source.)

Because the uplink and downlink sides of a connection use different encoding methods, this encoding scheme makes it much more difficult to demodulate these already hard-to-detect, noise-like signals, thereby increasing overall network security. The low probability of interception, demodulation difficulty, and anti-jamming/interference benefits of DSSS CDMA technologies are why the military has used it for so many years. This is also why CDMA technology is inherently more secure than competing wireless technologies. The key inherent security benefits of CDMA technology can be summarized as:
- CDMA codes inherently spread the signals across the full channel bandwidth of 1.25 MHz.
- Soft handoff (multiple cells simultaneously supporting the call), typical for CDMA operation, makes it very difficult to follow a CDMA cellular call.
- The long code mask (LCM) provides built-in security at the physical layer.
- CDMA signals are very difficult to intercept.
- CDMA attacks require sophisticated and expensive equipment.
- Access is only provided to authenticated mobile stations/subscribers.
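The spreading, combining and despreading chain of Section 5.2, as an added simulation written for this page (it is example code, not Verizon Wireless's or any CDMA2000 implementation). It works in +1/-1 arithmetic, where multiplication is the same operation as the XOR of Figures 7 and 8 on bits; a random +1/-1 sequence stands in for the LFSR-generated sector PN sequence, the Walsh codes are shorter than the 64 chips of CDMA2000, and convolutional coding and Viterbi decoding are left out. It shows the two properties the text claims: calls sharing one sector PN are separated exactly by orthogonal Walsh codes, and a narrowband jammer that is stronger than the per-chip signal is spread by the despreader so that bits survive, whereas the same jammer on an unspread signal destroys them. The number of users, bit patterns, jammer amplitude and code lengths are constructed.

```python
import random


def walsh_codes(n):
    """Sylvester/Hadamard construction: n mutually orthogonal +1/-1 codes of length n (n a power of two).
    CDMA2000 uses 64-chip Walsh codes to separate the calls within a sector."""
    h = [[1]]
    while len(h) < n:
        h = [row + row for row in h] + [row + [-c for c in row] for row in h]
    return h


def pn_sequence(length, rng):
    """Constructed stand-in for the sector PN sequence: random +1/-1 chips. A real CDMA2000 PN
    sequence is a maximal-length LFSR output, but the spreading arithmetic below is the same."""
    return [rng.choice((1, -1)) for _ in range(length)]


def spread(bits, walsh, pn):
    """Spread one user's bits (1 -> +1, 0 -> -1): each bit is repeated across the Walsh code,
    then multiplied chip by chip by the PN sequence. Output has len(walsh) chips per bit."""
    n = len(walsh)
    return [(1 if bit else -1) * walsh[j] * pn[i * n + j]
            for i, bit in enumerate(bits) for j in range(n)]


def combine(*chip_streams):
    """Base-station combiner: all calls in the sector add up on the same carrier."""
    return [sum(chips) for chips in zip(*chip_streams)]


def correlate(received, walsh, pn, bit_index):
    """Despread one bit: multiply by the same synchronized PN and Walsh code, then integrate."""
    n = len(walsh)
    base = bit_index * n
    return sum(received[base + j] * pn[base + j] * walsh[j] for j in range(n))


def despread(received, walsh, pn, nbits):
    return [1 if correlate(received, walsh, pn, i) > 0 else 0 for i in range(nbits)]


def multiuser_demo():
    """Four calls share one sector PN with distinct Walsh codes (constructed bit patterns).
    Returns the recovered bits per user and the correlation seen on an unused Walsh code."""
    rng = random.Random(7)
    codes = walsh_codes(8)
    users = {1: [1, 0, 1, 1], 2: [0, 0, 1, 0], 3: [1, 1, 0, 0], 4: [0, 1, 0, 1]}
    pn = pn_sequence(8 * 4, rng)
    air = combine(*(spread(bits, codes[k], pn) for k, bits in users.items()))
    recovered = {k: despread(air, codes[k], pn, 4) for k in users}
    unused = [correlate(air, codes[5], pn, i) for i in range(4)]  # orthogonality -> exactly 0
    return recovered, unused


def bit_error_rate(n, jammer_amplitude, trials=200, nbits=16, seed=1):
    """Error rate of one user against a constant (narrowband) jammer added to every chip.
    n = 1 means no spreading; a larger n is the processing gain the paper describes."""
    rng = random.Random(seed)
    walsh = walsh_codes(n)[n // 2]  # a balanced row (row 0, the all-ones code, only when n == 1)
    errors = 0
    for _ in range(trials):
        bits = [rng.randint(0, 1) for _ in range(nbits)]
        pn = pn_sequence(n * nbits, rng)
        received = [chip + jammer_amplitude for chip in spread(bits, walsh, pn)]
        decoded = despread(received, walsh, pn, nbits)
        errors += sum(a != b for a, b in zip(bits, decoded))
    return errors / (trials * nbits)


if __name__ == "__main__":
    print(multiuser_demo())
    print("BER, 64-chip spreading, jammer 3x signal:", bit_error_rate(64, 3))
    print("BER, no spreading, jammer 3x signal:     ", bit_error_rate(1, 3))
```

With 64-chip spreading each bit integrates to a correlation of 64 while the constant jammer, multiplied by the PN chips, becomes a random walk whose typical magnitude is only about 8 times its amplitude; that ratio is the processing gain. The model is optimistic in one respect: the receiver is assumed to be perfectly synchronized to the PN sequence, which is exactly the synchronization a third party without the code and the long code mask does not have.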
6. Access Network (Layer 2)

The access layer is critical for security because it is where access to the network is granted. Devices and users must be authenticated, creating a layer of security in accessing the wireless network.

6.1 1xRTT Device and Subscriber Authentication

1xRTT authenticates device identity and subscriber identity using three components: the A-Key (secret value), MIN, and ESN. For example, if someone tries to steal a mobile station and sell it, Verizon Wireless can track the subsequent usage of this mobile station, reducing the incentive to steal devices. To authenticate, the MSC sends a random binary number (RANDSSD) to all the mobile stations in its service area. Mobile stations use the CAVE algorithm, A-Key, ESN, and MIN to generate the SSD and forward it to the MSC. The network authentication center generates the SSD using the same set of authentication inputs. If the signatures of the authentication center and the mobile station match, the MSC is informed of the successful authentication and both the ESN (device) and MIN/IMSI (subscriber) are authenticated. If they do not match, access for the mobile station is denied and its user is shut off from network access.

In CDMA, identity information is sent on the access channel. Test equipment may be available that is capable of monitoring the CDMA access channel, thereby obtaining the phone identity information. To deter this, the CDMA standards provide a mechanism for eliminating the transmission of phone identification data over the air. This mechanism involves the assignment of a Temporary Mobile Station Identifier (TMSI) to the mobile station, which is used instead of the permanent mobile station identifiers. Because the mobile station does not transmit permanent identifiers, they cannot be obtained by intercepting transmissions.

6.2 1xEV-DO Access Authentication

Subscriber authentication grants users access to common network services and prevents unwanted intrusions from taking place. Access authentication between an EV-DO mobile station and the RNC takes place when the AT initiates the PPP connection.
Access authentication does not require any user interaction and uses CHAP and MD5. It requires that the AT supports the MD5 algorithm and saves the A12 NAI and authentication keys. The RNC obtains the subscriber-specific NAI, authentication keys (passwords), and IMSI from the AAA via the A12 interface.
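The CHAP/MD5 exchange that the RNC runs at PPP setup with the AAA behind the A12 interface (and that the PDSN repeats for IP services in section 7.1), as an added Python model that is not part of the white paper. The NAI, key and AAA record layout are constructed, and the A12 link to the AAA is modelled as a direct call.

```python
import hashlib
import hmac
import os

# Constructed AAA records: A12 NAI -> CHAP secret (the "authentication key"). Values are made up.
AAA_A12_RECORDS = {
    "at-0001@a12.example.net": b"constructed-a12-key-0001",
}


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).

    The secret itself never crosses the air interface; only the 16-byte digest does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class AccessTerminal:
    """EV-DO AT holding the provisioned A12 NAI and authentication key (section 6.2)."""

    def __init__(self, nai, key):
        self.nai = nai
        self.key = key

    def answer(self, identifier, challenge):
        return self.nai, chap_response(identifier, self.key, challenge)


class Aaa:
    """AAA reached over A12: recomputes the expected digest from the stored key."""

    def __init__(self, records):
        self.records = dict(records)

    def verify(self, nai, identifier, challenge, response):
        key = self.records.get(nai)
        if key is None:
            return False                      # unknown subscriber: reject without saying why
        expected = chap_response(identifier, key, challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class Rnc:
    """RNC side of access authentication: fresh random challenge per attempt, result from the AAA."""

    def __init__(self, aaa):
        self.aaa = aaa
        self.identifier = 0

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF   # CHAP Identifier is one byte
        return self.identifier, os.urandom(16)

    def authenticate(self, at):
        identifier, chal = self.challenge()
        nai, response = at.answer(identifier, chal)
        return self.aaa.verify(nai, identifier, chal, response)


def replay_is_rejected(aaa, rnc, at):
    """Defender's check: a digest captured from one exchange is useless against the next
    challenge, because the challenge bytes and identifier differ."""
    identifier, chal = rnc.challenge()
    nai, captured = at.answer(identifier, chal)
    new_identifier, new_chal = rnc.challenge()
    return not aaa.verify(nai, new_identifier, new_chal, captured)


if __name__ == "__main__":
    aaa = Aaa(AAA_A12_RECORDS)
    rnc = Rnc(aaa)
    good = AccessTerminal("at-0001@a12.example.net", AAA_A12_RECORDS["at-0001@a12.example.net"])
    print("provisioned AT:", rnc.authenticate(good))
    print("wrong key:", rnc.authenticate(AccessTerminal("at-0001@a12.example.net", b"guess")))
    print("unknown NAI:", rnc.authenticate(AccessTerminal("nobody@a12.example.net", b"x")))
    print("replayed response rejected:", replay_is_rejected(aaa, rnc, good))
```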
7. Core Network

The Verizon Wireless mobile data network uses authentication protocols to establish a user's identity before network access is granted. Verizon Wireless follows many of the established security and access procedures implemented by many IT organizations. This section will cover those topics, plus common network services such as IP addresses, and roaming.

7.1 User Authentication and Authorization

Once a subscriber is authenticated on the access network, he or she is authenticated for IP services using CHAP with the PDSN, during PPP establishment between the mobile station and the PDSN. The reason for authenticating subscribers at the packet data level (e.g., core network) is to provide differentiated services to Internet users and mobile subscribers. The subscriber profile in the AAA defines which services the subscriber is authorized to access.

7.2 IP Management

Verizon Wireless offers a variety of IP addressing options that provide differing levels of accessibility, protection, and manageability. These options are designed to provide customers with a variety of choices, so that customers can choose an IP addressing scheme that is appropriate for their needs. For example, a mobile user who needs to access the Internet or connect to the enterprise network via VPN from the mobile station (i.e., mobile-originated data connection) would need an Internet-accessible or unrestricted IP address (e.g., a dynamic or static public IP address).
Connectivity Options

Option: VPN options
  Benefit: Low cost; secure
  Consideration: Low redundancy; not all VPN vendors are supported.

Option: Single frame relay
  Benefit: Secure; full routing control
  Consideration: Requires static or BGP routing. Verizon Wireless strongly suggests that customers implement access control policies to protect their networks.

Option: Dual frame relay (to different Verizon Wireless locations)
  Benefit: Secure; redundant; full routing control
  Consideration: Requires static or BGP routing. Verizon Wireless strongly suggests that customers implement access control policies to protect their networks.

Option: Multiple direct circuits
  Benefit: Secure; some redundancy; MLPPP (required if static)
  Consideration: Requires static or BGP routing. Verizon Wireless strongly suggests that customers implement access control policies to protect their networks.

Note: Please contact a Verizon Wireless sales representative for pricing options.

Dynamic Public IP Address

With a dynamic public IP address, a mobile station has access to the Internet. Because the IP address is public, there is no need to NAT or proxy data to/from the mobile station. Push applications, or mobile-terminated data, are supported. Mobile stations in the general dynamic protected IP address pool are protected from unsolicited Internet traffic, but allow traffic from Verizon Wireless push applications such as VZEmail.

Static Public IP Address

With a static public IP address, a mobile station gets the same IP address each time it registers with the network. Mobile stations with unrestricted static public IP addresses have full Internet access, while mobile stations with Internet-restricted static public IP addresses cannot access the Internet. The latter alternative is important for customers looking for mobile-terminated and mobile-initiated data through a direct circuit connection.
Customer-provided IP Address

With direct circuit connections, mobile stations can be assigned customer-provided private or public IP addresses. This virtually extends the corporate LAN addressing to mobile stations, allowing IT administrators to manage mobile stations and LAN devices using the same tools and techniques. For example, the same firewall and routing schemes can be used. Traffic to/from mobile stations is tunneled securely to the enterprise network, and Internet access can be provided via the enterprise network. This makes it easier for enterprise IT administrators to manage and monitor network usage and enforce IT policies.

7.3 Dynamic Mobile IP Update

The CDMA2000 mobile IP standard was designed to incorporate cryptographic keys for MIP security. However, the standard didn't provide a secure and efficient means to distribute MIP keys to mobile stations. To that end, Verizon Wireless developed the Dynamic Mobile IP Update (DMU) standard to prevent hackers from intercepting or rerouting packets sent to legitimate users, stopping man-in-the-middle attacks. The DMU standard allows manufacturers to embed public RSA encryption keys into mobile stations to enable secure distribution of mobile IP keys. The DMU standard enables stronger cryptographic keys (128-bit authentication) and stronger authentication of MIP registration messages. DMU is used to provision simple IP and mobile IP credentials, and it is also used to enforce key lifetimes and establish security policies on the keys, such as key length. Security and protection continue even as the subscriber moves through the service area. Overall, the DMU standard adds another layer of device authentication.

7.4 Roaming

Roaming allows greater mobility through mobile access from different networks. Verizon Wireless allows its subscribers to roam on other networks operated by carriers with whom Verizon Wireless has roaming agreements without compromising security, by using the same authentication mechanisms even for roaming users.
For roaming authentication, Verizon Wireless securely stores the authentication credentials on its network and doesn't share them with any network. This prevents operator fraud. In addition, authentication happens between Verizon Wireless and the mobile station, with the roaming network as a pass-through for authentication information.
8. Network Availability

Verizon Wireless has designed its wireless network to deliver America's most reliable wireless service using smart network design, networking best practices (policies, procedures and maintenance), and continuity of operations.

COOP

As part of its overall security policy, Verizon Wireless maintains a system to ensure continuity of operations (COOP) in the event of disasters or other service interruptions. This COOP system involves using back-up and redundant servers, cellular towers, and other equipment to ensure that connectivity and security are maintained throughout the network. Verizon Wireless has redundancy and automatic fail-over throughout the network, such as at the BSC/RNC, PDSN, home agent, and AAA levels. The Verizon Wireless network is built for reliability, with battery back-up power at all facilities. In addition, generators are installed at all switching facilities and many cell-site locations. Portable generators can also be deployed to provide power during extended power outages.

Rapid Disaster Response

For rapid disaster response and to handle special events with large gatherings, Verizon Wireless has Cell on Light Trucks (COLTs) and Cell on Wheels (COWs) that handle voice and data services. A COLT is a 25,000-pound vehicle with two retractable masts, a microwave antenna to link network components, an emergency power generator, and a small office. COLTs are also fully equipped with emergency resources such as equipment, fuel, electrical generators, food, water, and cots. COWs are fully functional, generator-powered mobile cell sites that enhance coverage and capacity in a given area.

24/7 Network Operations Centers

Verizon Wireless has two network operations centers to monitor its nationwide network. These operations centers are in service 24 hours a day, 7 days a week. Verizon Wireless also has network and file system intrusion detection systems (IDS) in place to manage, monitor, and prevent break-ins on a 24/7 basis.

9. Transport/Perimeter

Data communications require stringent security measures to prevent breaches and attacks.
Firewalls are put into place to secure data, cryptographic measures are taken to prevent hacking or corrupting data, and direct connections such as VPNs are used to control data flow. The Verizon Wireless mobile data network uses these techniques to enhance security on its network.
9.1 Traffic Separation

Verizon Wireless uses traffic separation to keep apart operations, administration, and management (OAM); billing; and subscriber data. The network is partitioned into multiple domains to separate data traffic. Traffic separation is available for both network links and network nodes. In addition, mobile IP uses tunneling as an additional measure of traffic separation.

9.2 Direct Circuit Connection

Verizon Wireless allows business customers to extend the enterprise network to mobile stations via direct circuit connection. In addition, mobile stations can be connected to the customer's managed services provider as well. Enterprise networks can connect to the Verizon Wireless FES through a direct circuit connection using Frame Relay, T1, DS3, and Metro Ethernet connections. FES also supports IPSec and MPLS VPN technology. VPN services from the mobile station are also provided as needed.

A customer's mobile stations can be assigned private and public IP addresses belonging to the customer, creating a virtual extension of the customer network. For example, this allows an enterprise network to reach mobile stations as if they were part of the local enterprise network. Because these mobile stations have customer-specific IP addresses, their traffic is tunneled through Verizon Wireless's core network to an enterprise home agent (EHA) (rather than to an HA), and then forwarded to the enterprise network via the FES that is connected to the direct circuit. Thus, traffic is segregated from other wireless traffic. Overall, direct circuit connection improves reliability and security because customer traffic is segregated and is directly transferred without having to traverse the Internet. Direct circuit connections also support roaming mobile stations.

9.3 SSL/TLS

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are standards-based protocols that allow mutual authentication between a client and server, and establish an authenticated and encrypted connection between the client and the server.
Verizon Wireless supports SSL/TLS through ibas and MyBusiness portals and for customers using transports that use service-oriented architecture, a secure environment for business process integration.

9.4 Firewalls and Choke Routers

Firewalls are a key factor in maintaining the overall security of the mobile data network. As part of a security best-practices plan, Verizon Wireless uses firewalls to partition the network into easily controllable security domains. Verizon Wireless also has firewalls on the direct circuit to enterprise networks and has choke routers to protect its Internet interface. Verizon Wireless also has application-level gateways within its network.
10. Device Endpoint

Verizon Wireless uses a variety of techniques to provide a secure environment for mobile stations, including licensing and reselling certified third-party applications to secure smartphone and BlackBerry-based mobile stations. These tools allow an enterprise's IT personnel to establish security policies to fit the needs of the enterprise and form a cohesive solution to protect an enterprise's data from being compromised by a noncompliant mobile station.

10.1 Initial Provisioning

Provisioning makes a mobile station functional for a subscriber. This process involves activating the mobile station, subscribing to services, and loading necessary software and applications. To begin the process, the mobile station and subscriber credentials are authenticated. Once authenticated, software and applications can be sent OTA to the mobile station to make it compliant with the enterprise IT policy. Only services and applications allowed per the subscriber profile can be provisioned.

10.2 Device Management

Device management takes security beyond the initial setup. New applications can be sent OTA to the mobile station to keep it current with IT policies. As a mobile station is subscribed to new services, or as IT policy changes, device management allows mobile stations to be brought up to date. On a basic level, advanced mobile stations can be fitted with a firewall, and an enterprise's firewall policies can be extended out to the mobile station to prevent attacks through the mobile station. In addition, an IT administrator can enable software installation protection through on-device-maintained blacklists and whitelists. Anti-virus, anti-spam, and anti-spyware capabilities are also available on mobile stations.

10.3 Device Compliance

Device compliance allows an IT administrator to remotely monitor a mobile station to ensure that it maintains integrity. As new software applications become available, or as an enterprise's IT policy changes, an IT administrator can update the mobile station OTA to maintain compliance.
If a mobile station has been compromised, an IT administrator can lock the mobile station by sending a message to it. The IT administrator can also erase the contents of the mobile station, rendering it useless until it is re-provisioned. Mobile stations can also be backed up and restored OTA.

11. Hosted Services Security

Verizon Wireless offers secure, hosted, wireless data services for its subscribers. These hosted services are designed to enhance the mobile experience while maintaining security.
11.1 BREW

BREW is a runtime environment that allows Verizon Wireless to control which applications can run on a mobile station to access its network. For example, V CAST and Get It Now use BREW. Mobile stations require a BREW signature to run applications. Non-BREW-based applications cannot read, write, or delete a target application's data, ensuring that no data breach or corruption occurs. BREW-based applications can grant access to non-BREW applications only after these applications have been authenticated. Non-BREW applications are verified via a digital signature from a trusted certificate authority to minimize the risk of virus infection.

11.2 SMS

SMS allows subscribers to send and receive short text messages between mobile stations. To combat flooding the network with SMS messages, Verizon Wireless has the ability to limit the number of messages and users accessing the network. If there are too many messages coming from one person or broadcast behavior is detected, this behavior, also known as spamming, can be prevented by blocking these messages.

11.3 MMS

MMS allows for the transmission of images, audio, video, and rich text using WAP technology and an MMS-capable mobile station. Communication between the mobile station and the WAP server is handled through WTLS security. In addition, the Verizon Wireless MMSC implements message throttling to mitigate denial-of-service attacks. Standard best operating practices, such as firewalls and access control lists, are implemented to provide security for MMS.

11.4 Content and Media

V CAST™ provides OTA multimedia content including video, games, and music. Downloads are tested and authenticated as being from a reliable source before being made available to the end user. In addition to CDMA security, V CAST is made secure through the use of BREW.

11.5 Navigation and Location-Based Services (LBS)

VZ Navigator℠ provides subscribers with navigation, including turn-by-turn directions, via their mobile stations.
Navigation and LBS are made secure by maintaining location/position information within Verizon Wireless and providing it only to authenticated applications.

11.6 Verizon Wireless Field Force Manager

Field Force Manager provides companies with resource tracking and management tools that help reduce operating costs, increase worker productivity, and streamline business processes. Field Force Manager allows managers to track worker locations, job lists, and timecards; validate job details; and dispatch personnel to needed locations, all of which is kept secure through LBS security features from Verizon Wireless.
12. Summary

To secure its own wireless network, Verizon Wireless has developed and implemented the security best practices found in this document, enabling the company to offer a secure wireless environment to access mobile enterprise applications and data. Verizon Wireless combines technology, access policies, and services to help ensure that its customers' mobile workers have secure access to the data and applications they need, while minimizing outside security threats and possible attacks.
13. Glossary of Terms

1xEV-DO (One times Evolution Data Optimized): A CDMA2000 technology optimized for packet data services.
1xRTT (One times Radio Transmission Technology): A CDMA2000 technology with traditional circuit voice and data support that has maximum downlink speeds of 307 Kbps and uplink speeds of 144 Kbps.
2G (second generation): The second generation of cell-phone technology, introduced during the 1990s. This generation added data capabilities to cell phones, including Internet and email access.
3G (third generation): Third-generation cell-phone technology appeared in the 2000s and forms the foundation of our current cell-phone capabilities. 3G technology offers even faster Internet access, plus enables worldwide roaming capabilities.
AAA (authentication, authorization, and accounting): A network server used for access control. Authentication identifies the user. Authorization implements policies that determine which resources and services a valid user may access. Accounting keeps track of time and data resources used for billing and analysis.
AC (Authentication Center): A system that authenticates a mobile station that attempts to gain access to the cellular network.
ADC (analog-to-digital converter): The device that converts analog signals into digital signals.
A-Key (authentication key): A digital key used during an electronic transaction to ensure that the contents of the transaction remain unchanged when traveling from sender to receiver.
AN (access network): A network that grants end user access to the network core and network services.
ASREPORT: A report sent by the MSC to the VLR indicating the status of a unique challenge.
AT (access terminal): A 1xEV-DO mobile station.
AUTHDIR (Authentication Directive): A unique challenge and update operation between an Authentication Center and a Mobile Switching Center in a cellular network.
AUTHU (Authentication response for a unique challenge): A response to a unique challenge by the cellular network to prove the authenticity of a mobile station.
Base station (BS): A terrestrial station in a cellular network that communicates with mobile terminals.
BREW (Binary Runtime Environment for Wireless): A runtime environment that allows applications to run on a mobile station.
BSC (base station controller): A distributed computing structure of the access network that manages multiple base transceiver stations (BTSs), radio resources, and handoffs between BTSs within its domain. BSC-to-BSC handoffs are handled by the mobile switching station.
BTS (base transceiver station): A structure of the access network that contains antennas, transmitting and receiving radio systems, encoding/decoding systems, and encryption/decryption equipment. Multiple BTSs are controlled by a BSC.
CAVE (Cellular Authentication and Voice Encryption) algorithm: A cryptographic hash function used in CDMA mobile systems for authentication, data protection, anonymity, and key derivation.
CDMA (Code Division Multiple Access): A method for sending multiple voice and/or data signals simultaneously across the radio spectrum.
CDMA2000: The brand name for telecommunications Interim Standard-2000 (IS-2000) that supports 3G CDMA-based cellular networks.
cdmaOne: The brand name for telecommunications Interim Standard-95 (IS-95) that supports 2G CDMA-based cellular networks.
CHAP (Challenge-Handshake Authentication Protocol): The protocol used to authenticate remote users to an Internet access provider.
COOP (continuity of operations): Technology used to ensure continuous operation of services in the event of a disaster or crisis.
DMU (Dynamic Mobile IP Update): A procedure used to distribute and update mobile IP cryptographic keys in CDMA, 1xRTT, and 1xEV-DO networks.
DRS (Data Ready to Send): A code or bit that signals that a system is ready to send data.
DSSS (direct-sequence spread-spectrum): A technology technique that deliberately distributes or spreads data over a frequency domain.
ESN (electronic serial number): The unique identification number found in mobile stations.
FA (foreign agent): A network device that acts as a mobility agent for a mobility node. Foreign agents work in conjunction with a home agent to support IP traffic forwarding for a device connecting to the network from somewhere other than its home network.
FAC (Foreign Agent Challenge): A challenge issued by the foreign agent to verify the authenticity of a device connecting to the network.
FDMA (Frequency Division Multiple Access): In FDMA, multiple connections on the radio spectrum are separated from each other by using different frequencies.
FIGS (Fraud Information Gathering System): A system that monitors the activities of cellular network subscribers and looks for fraudulent activities.
GPS (global positioning system): Navigation technology that pinpoints the exact location of the device containing the GPS.
GRE (Generic Routing Encapsulation): A tunneling protocol that allows network layer packets to contain packets from a different protocol. It is widely used to tunnel protocols inside IP packets for virtual private networks.
HA (home agent): A core network device that stores and forwards location and IP address information about a mobile station when it is away from the mobile station's home network. The home agent is used in conjunction with one or more foreign agents to manage mobile stations as they roam.
HDLC (High-level Data Link Control): A synchronous data link layer protocol developed by the International Standards Organization (ISO) that manages PPP and MLPPP connections.
HLR (home location register): A database in a cellular system that contains all the subscribers within the provider's home service area.
HTTP (Hypertext Transfer Protocol): The method used to convey information on the World Wide Web.
IDS (intrusion detection system): A software system that detects attacks on the network.
IETF (Internet Engineering Task Force): The governing body responsible for establishing standards for the Internet.
IKE (Internet Key Exchange): A protocol whose purpose is to negotiate and provide authenticated keying for protected security associations.
IMAP (Internet Message Access Protocol): The protocol that allows remote devices to access email messages from the Internet.
IMSI (International Mobile Subscriber Identifier): A unique 15-digit number assigned to a mobile station, issued at the time of service subscription, containing subscriber identification information.
IP (Internet Protocol): The network layer protocol in the TCP/IP communications protocol suite (the IP in TCP/IP). Also references IP address, the four-element number with three decimal points that is the numeric identification of every node in a TCP/IP network.
IPCP (Internet Protocol Control Protocol): A network control protocol for establishing and configuring an IP over PPP connection.
IPSec (IP Security): A suite of protocols used to secure IP communications through authentication and encryption technology.
ITU (International Telecommunications Union): An international governing body that develops standards recommendations for telecommunications, consumer electronics, broadcasting, and multimedia communications. The ITU's main responsibilities governing the mobile telecommunications industry are standardization, radio spectrum allocation, and the facilitation of arrangements between countries allowing for international phone calls.
L2TP (Layer 2 Tunneling Protocol): A tunneling protocol that is used to support VPNs. L2TPv3 provides additional security features, improved encapsulation, and the ability to carry data links other than PPP over an IP network.
LCM (long code mask): A 42-bit binary number that creates the unique identity for a long-code generator whose output is used in the CDMA coding and spreading process.
LCP (Link Control Protocol): Used by PPP to establish a link between a user's computer and the Internet service provider.
LBS (location-based services): LBS are used by wireless companies to send advertising and promotional messages to the user, based on his or her location.
LDAP (Lightweight Directory Access Protocol): A network protocol used for querying and modifying directory services on TCP/IP connections.
MAC (medium access control): The process that allows multiple connected terminals to broadcast over the same physical medium.
MD5: A widely used cryptographic hash function with a 128-bit hash value. MD5 is an Internet standard (RFC 1321) that is deployed in a wide variety of security applications.
MIN (mobile identifier number): The unique 10-digit number used to identify a mobile phone.
MLPPP (Multi-link Point-to-Point Protocol): An extension to PPP that enables two channels to be linked together to double the throughput. It is used for ISDN transmission and channel bonding.
MMS (Multimedia Messaging Service): A messaging system that allows video, pictures, audio clips, and other multimedia to be distributed wirelessly.
Mobile IP (MIP): In MIP, the packet data session is not dropped each time the user changes location. The session continues as long as the mobile station is still connected to the home agent.
Mobile node (MN): Same as Mobile Station.
Mobile station (MS): An end terminal such as a mobile phone, a laptop with an embedded modem, a broadband wireless router, or a PCMCIA modem that can access the CDMA network.
MPLS (Multiprotocol Label Switching): A datagram transport service designed to emulate circuit-switched network characteristics over a packet-switched network. It can be used to carry many different types of traffic, such as IP packets, ATM frames, and Ethernet frames.
MPN (mobile private network): MPNs allow mobile users to communicate securely across public networks.
MSC (mobile switching center): A core-network switching structure that bridges the mobile telephone access network with another telephone network such as the public switched telephone network (PSTN).
NAI (Network Access Identifier): The user identification submitted by the mobile station during network access authentication.
NAS (network access server): A device that functions as an access control point for users in remote locations, connecting users to their company's internal network or to an Internet service provider.
NNTP (Network News Transfer Protocol): The protocol used to post and receive information from Usenet and news servers.
OAM (operations, administration, and management): The process by which wireless networks and mobile devices are maintained.
OSI (Open Systems Interconnection): The standard reference model for how messages are transmitted between any two points in a network.
OTA (over the air): The process by which mobile stations are updated with new software or monitored for security.
PCF (packet control function): Routes IP packets between the mobile stations connected to its associated BTSs and the PDSN.
PDSN (Packet Data Serving Node): A PDSN establishes, maintains, and terminates a PPP session to an MS.
PN (pseudo-random noise) sequence: A set of bits intended to simulate the statistical randomness of noise. A PN sequence is generated by a deterministic process and will repeat; therefore, it is "pseudo"-random.
PPP (Point-to-Point Protocol): A common method to establish a direct connection between two points. PPP is link layer-agnostic and is commonly used to establish a connection between a networked device and the Internet.
PTT (push-to-talk): Services made available by pressing a button on a mobile station to communicate.
QoS (quality of service): The measure of performance in a telecommunications system. QoS refers to the mechanisms in the network software that make the actual determination of which packets have priority.
RADIUS (Remote Authentication Dial-In User Service): A client/server protocol enabling remote access servers to communicate with a central server to authenticate users and authorize network access.
RANDSSD (Random Variable Shared Secret Data): A 56-bit random number generated by the mobile station's home station.
RANDU (Unique Random Number): A 24-bit random number generated by a base station in support of the AUTHU challenge.
RLP (Radio Link Protocol): A link layer protocol used to correct network-based errors.
RNC (radio network controller): A network element that controls and manages a group of connected base station controllers.
R-P (Radio Network-Packet Network): A radio system and methodology for handling packetized communications within a CDMA network.
RRP (Registration Reply): A message reply from a home agent regarding the state of a subscriber.
RRQ (Registration Request): A message request sent to a home agent regarding the state of a subscriber.
RSA (Rivest, Shamir, Adleman): An encryption and authentication system that uses an algorithm developed by Ron Rivest, Adi Shamir, and Leonard Adleman.
Simple IP (SIP): Simple IP is an IP address that is valid within a PDSN coverage area. A mobile station must obtain a new IP address (and lose existing connections) when it moves from one PDSN coverage area to another.
SMS (Short Message Service): A feature of the cellular network allowing text messages of up to 160 characters to be sent and received.
SSD (Shared Secret Data): SSD is used to respond to authentication challenges. SSD is a 128-bit number derived from the A-Key and random numbers.
SSL (Secure Sockets Layer): Cryptographic protocols that provide security over the Internet.
TDMA (Time Division Multiple Access): The process of dividing the radio spectrum by time. Using TDMA, multiple connections are separated by time.
TIA (Telecommunications Industry Association): A non-profit trade association serving the telecommunications and information technology industries.
TMSI (Temporary Mobile Station Identifier): A temporary number assigned to a mobile station at the moment it's turned on. The number changes when the mobile station changes locations.
UATI (Unicast Access Terminal Identifier): An over-the-air signaling identifier that associates a mobile terminal with the access network's radio resources used during the connection and call setup procedure.
VLR (visitor location register): The database in a cellular network that contains the list of subscribers registered in a service area.
VoIP (Voice over Internet Protocol): Telephone services that use the Internet to make and receive calls.
VPN (virtual private network): A private network that uses a public network such as the Internet to connect users or remote sites together in a secure manner. VPN direct-connect solutions are extremely popular due to their low cost to deploy. Instead of using a dedicated connection such as leased-line direct circuits, the VPN option uses tunnels routed over the Internet from the company's private network to the Verizon Wireless network operations center.
WAP (Wireless Application Protocol): The protocol that allows mobile stations to wirelessly access the Internet and email applications.

14. Contact Information

For more information about Verizon Wireless, speak with a Verizon Wireless sales representative, visit www.verizonwireless.com, or call 1.800.VZW.4BIZ.
15. Legal Disclaimer

This document and the information contained herein (collectively, the "Information") is provided by Verizon Wireless, on behalf of itself and its affiliates, for informational purposes only. Verizon Wireless is providing the Information because Verizon Wireless believes the Information may be useful. The Information is provided solely on the basis that each business will be responsible for making its own assessments of the Information and is advised to verify all representations, statements, and information before using or relying upon any of the Information. Although Verizon Wireless has exercised reasonable care in providing the Information, Verizon Wireless does not warrant the accuracy of the Information and is not responsible for any damages arising from the use of or reliance upon the Information. Verizon Wireless in no way represents, and no reliance should be placed on any belief, that Verizon Wireless is providing the Information in accordance with any standard or service (routine, customary or otherwise) related to the consulting, services, hardware, software, or other industries. Network details, coverage limitations, and maps are available at www.verizonwireless.com.

© 2007 Verizon Wireless. All Rights Reserved. Verizon Wireless is a registered trademark of Verizon Trademark Services LLC. All other trademarks are the property of their respective owners. Research In Motion, the RIM logo, BlackBerry, the BlackBerry logo, and SureType are registered with the U.S. Patent and Trademark Office and may be pending or registered in other countries; these and other marks of Research In Motion Limited are used under license.