Security in W ireless

M etropolitan Area N etw orks

CSA 585 W ireless Security

Seurit in W ireless M etropolitan Area

N etw orks

Introduction
WiMAX and IEEE 802.16 Standards
Fundamental onepts
WiMAX Seurit Mehanisms - riva Ke Management
rotool and KMv2
WiMAX seurit risks and vulnerabilities
Overview and Q&A

Introduction

 A Wireless Metropolitan Area Network (WMAN) is a wireless network ommuniations

tehnolog with a overage distane ranging from 3 to 45 km
The two dominant wireless tehnologies used in WMANs are the Worldwide Interoperabilit
for Mirowave Aess (WiMAX or Wireless Loal Loop - WLL) and Long Term Evolution (LTE).
The are based on the IEEE 802. 16 standards for WiMAX and 3GPP standards for LTE

Although these tw o standards are im proved regularl, the urrent versions

ontain a num ber of seurit vulnerabilities.

W e w ill cover seurit issues, threats and ounterm easures in W iM AX inluding

the generation, authentiation, data onfidentialit and integrit of this
tehnolog

W IM AX
AN D
STAN D ARD S

IEEE

802.16

Fundam entalonepts

W orldw ide Interoperability for M irow ave Aess (W iM AX) is a w ireless

m etropolitan area netw ork (W M AN ) om m uniations tehnolog using the IEEE
802.16 standard.
The original purpose of IEEE 802.16 tehnologies w as to provide broadband
w ireless aess as an alternative to able, digital subsriber line (D SL), or T1
servie.
D evelopm ents in the IEEE 802.16 standard shifted the tehnologs fous
tow ard a m ore ellular-like, m obile arhiteture to serve a broader m arket.
Toda, W iM AX is a versatile tehnolog that ontinues to adapt to m arket
dem ands and provide enhaned user m obilit.
The W iM AX am endm ent that enabled m obile W iM AX operations is IEEE 802.16e2005.

Fundam entalonepts

Prior to its release, W iM AX w as lim ited to fixed operations b the IEEE 802.162004 standard.
Additionall, IEEE 802.16e-2005 provided signifiant seurit enhanem ents to
its predeessor b inorporating m ore robust m utualauthentiation
m ehanism s, as w ellas support for Advaned Enrption Standard (AES).
Although the IEEE 802.16-2004 and 802.16e-2005 standards w ere released
w ithin a ear of eah other, IEEE 802.16e-2005 produt ertifiation did not
start until2008.
Thus, IEEE 802.16-2004 produts are stillused in todas inform ation
tehnolog (IT) environm ents.

Fundam entalonepts

There are four fundam entalarhiteturalom ponents of W iM AX, as listed

below :

Base Station (BS). The BS is a node that logiall onnets subsriber

devies to network operators. A base station onsists of elements whih
provide wireless ommuniations (antennas, transievers, and other EM
transmitting equipment).

Fundam entalonepts

Subsriber Station (SS). The SS represents a fixed wireless node. These

nodes usuall ommuniate onl with BSs.

Subscriber stations (SS) in aWiMAXsystem are transceivers that convert

radio signals into digital signals that can be routed to and from
communication devices

Fundam entalonepts

Mobile Station (MS). MSs are tpiall self-powered, small devies suh as ellular
phones, laptops, tablets and other portable devies that work at vehiular speeds.

The IEEE 802.16e-2005, Amendment and Corrigendum to IEEE Std 802.16-2004,

February 28 2006 defines a MS as:

a station in the mobile servie intended to be

used while in motion or during halts at
unspeified points. A MS is alwas a subsriber
station (SS) unless speifiall exepted
otherwise in the standard.

Fundam entalonepts

Rela Station (RS). As defined in IEEE 802.16j-2009, Amendment to IEEE

802.16-2009 Multihop Relay Specification, June 12 2009, RSs are SSs
onfigured to forward traffi to other RSs, SSs, or MSs in a multihop Seurit
Zone.

Fundam entalonepts

D epending on the tpe of onnetion betw een these om ponents, IEEE 802.16
Standards propose different seurit requirem ents.
There are tw o fundam entaltpes of onnetions in W iM AX:

management onnetions

data transport onnetions

M anagem ent onnetions are divided into three subtpes:

basi

primar

seondar

Fundam entalonepts

W hen a M S or m obile SS joins the netw ork, a basi onnetion is reated.

Basi onnetions are used for short and urgent m anagem ent m essages.
At the sam e tim e, prim ar onnetions are also reated for eah M S, w ith the
purpose of handling dela-tolerant m anagem ent m essages.
A seondar onnetion is used for IP enapsulated m anagem ent m essages
from protools suh as D H P or SN M P.
The transport onnetions are established as needed and are used to
transport data.

W iM AX Seurit M ehanism s

The IEEE 802.16e standard for W iM AX speifies seurit m ehanism s to ensure

onfidentialit of data and seret kes, preserve data integrit and ontrol
m essages, and provide proper authentiation, as w ellas seure ke generation
and m anagem ent.

W iM AX Seurit M ehanism s

The tw o m ajor laers of the W iM AX ProtoolStak are the PH and M A

laers.
The M A laer ontains 3 sublaers as follow s:

Priva or Seurit Sub-laer whih enrpts and derpts data entering

and leaving in and from the PH laer. This sub-laer uses 56bit DES
(Data Enrption Standard) enrption for data traffi and uses 3DES
enrption for Ke Exhanges.

The seond MA sub-laer is the Servie Speifi onvergene Sub-laer.

This sub-laer maps higher level data servies to MA laer servie flow
and onnetion.

The third sub-laer is the ommon Part Sublaer. In this the MPDUs (MA
Protool Data Units) sub-laer are onstruted. The PS sub-laer defines
rules and mehanisms for ARQ (Automati Repeat Request), for
onnetion ontrol and for sstem aess bandwidth alloation. It also
provides entralization, hannel aess and duplexing.

W iM AX Seurit M ehanism s

The seurit goals of W iM AX are m ainl ahieved in the M A Priva sub-laer

The w hole seurit m ehanism of W iM AX tehnolog is defined b the SA
(Seurit Assoiation), X.509 ertifiates, PKM Authorization, Priva Ke
M anagem ent and D ata Enrption.
The role of SAs is to m aintain the seurit state relevant to a onnetion; it
operates at the laer 2 of the W iM AX protoolstak. There are tw o SA tpes in
the 802.16 standard:

data SA

authorization SA

W iM AX Seurit M ehanism s
The authorization SA is onsisted of:

An X.509 ertifiate whih identifies the SS
A 160-bit AK both SS and BS maintain AK a seret
AK lifetime from one to 70 days
A key enryption key, KEK, used in distributing the TEKs
A downlink and uplink HMA key providing data authentiity of key distribution from BS to SS, and from SS to BS
A list of authorized data SAs
The data SA has the follow ing fi
elds:
SA identifier (SAID),
The ryptographi algorithms supported b the BS to protet data exhange over the onnetion.
Two traffi enryption keys (TEKs),
TEK lifetime 12h is set as default, with min of 30 mins, and max of seven das,
An initialization vetor for eah TEK

W iM AX Seurit M ehanism s

The IEEE 802.16 standard uses X.509 ertifiates to identify om m uniating parties.
Tw o ertifiate types are defined: m anufature ertifiates and SS ertifiates.
The m anufature ertifiate identifies the m anufaturer of a 802.16 devie (netw ork ard, base station et.).

The ertifiate has the follow ing form at:

X.509vX
Serial number
Issuer name
Issuers signature algorithm RSA with SHA1
Validit period
Holders identit in the ase of SS its MA address
Holders publi ke restrited to RSA
Subjet signature algorithm idential to the issuer algorithm
Issuers signature

W iM AX Seurit M ehanism s
An SS ertifiate identifies the SS and inludes its M A address in the subjet field.
M anufaturers reate and sign SS ertifiates.

Seurit oliies are enfored b the BS to the SS, so it an onl aess authorized
SA that resets the harateristi of that te of servie.
O ne SS m a have one to three different SAs:
one for the seondar management hannel and
one/two for ulink/downlink hannels.
The downstream is being roteted b the rimar SA, in multiast ommuniation
the rimar SA is not able to do so. Stati and/or dnami SAs are used for this
urose. Two tyes of SAs are suorted in the IEEE 802.16, data and authorization
SAs.

W iM AX Seurit M ehanism s

D ata SAs rotet data transort onnetions betw een BSs and SSs.
Authorization SAs establish the data SA and authorize the SSs to aess the BS.
A X.509 ertifiate is used for identifiation of SS.
The standard doesnt define ertifiates for BS. A X.509 ertifiate defines an
authentiation algorithm based on ubli-key tehniques.
Every SS has its ow n X.509 digitalertifiate w hih ontains the SSs M A
address and the ubli key.
The base station authentiates the subsriber stations w hen initialauthorization
exhange and in requesting tim e of an AK (Authentiation Ke), SSs resent to
the BS the ow n digitalertifiate.

W iM AX Seurit M ehanism s
After, the BS heks them and used the ubli ke for AK enrtions.
Requesting SSs reeive bak the AK and the BS assoiates for eah SS an
authentiation identit, on w hih SSs are authorized to aess, w ith the AK
exhange, servies like data, video or voie.
So, the BS an avoid the loned SSs attaks (m asquerades attaks).
SSs have RSA (a ubli ke iher ver w idel used in m an seure
authentiation and om m uniation rotools) ubli/rivate ke airs
installed at the fator or have an algorithm w hih dnam iall generates
RSA ke airs.

W iM AX Seurit M ehanism s

In the seond ase, if the SS m ust generate its RSA ke air, this ke air w illbe
generated before the AK exhanges.
For this reason SSs need to suort a m ehanism w hih installs the X.509
ertifiates issued b the m anufaturer.
Attakers m ust rak the enrtion of the X.509 ertifiate used and m ust
have an SS from the sam e m anufaturer for sueeding their attaks on the BS,
airing betw een SSs an onl be ahieved if the have a fator reinstalled
RSA rivate/ubli ke.

KM
In W iM AX,the seurit of onnetion aess is aom lished b om ling w ith the
riva Ke M anagem ent rotool(KM ).The utilit of this rotoolis rovision of
eriodialauthorization of SSs,distribution of keing m aterial,and refreshing and
reauthorizing kes.

Another task of KM is to ensure that the authentiation algorithm s and suorted

enrtion are orretl alied to the exhanged M D U s.
In order to seurel exhange kes betw een BS and SS, the KM rotooluses sm m etri
rtograh and X.509 ertifiates.
The rotooloerates in three hases.
The BS las the role of the server and it m anages identifiation kes to the SS, w ho las
the role of lient.
The BS authentiates a SS lient using KM rotoolin the initialauthorization exhange.
SS uses a digitalertifiate for authentiation at the BS.

KM

Also, the BS uses a shared seret enrted ke, w hih an be eriodiall

hanged b the SS, to om m uniate w ith the SS, ke rovided b KM rotool,
as show n in the next fi
g ure:

KM

The SS transm its an authentiation m essage (AuthentiationInfM ess) w hih

ontains the SS roduer ertifiate.
At the sam e tim e, the SS transm its another m essage w hih ontains the
Authorization Request M essage (AuthorizationReqM ess) that requests an AK.
The AuthorizationReqM ess ontains the SSs ertifiate; the rtograhi
aabilities w hih ontain a stak of rtograhi laers w ith a aket of data
authentiation and enrtion algorithm s and the SAID (Seurit Assoiation
ID entifier) w hose value is the sam e w ith the rim ar 16Bit ID ( onnetion
ID entifier) that the BS transm its to the SS at the initialization and netw ork entr
hase.
After the BS verifies the X.509 digitalertifiate; it w illhoose the enrtion
algorithm and send the authentiation resonse.
Finall, the SS reeives its RSA-ubli ke enrted AK from the BS.

KM

This roess of authentiation and ke exhange betw een the SS and BS, the
first oerationalhase of KM , can be seen on the figure below :

KM

In the next hase, a data SA is established b the KM rotoolthrough the

exhange of TEK (Transort Enrtion Kes)

KM
The KReM ess m essage is om osed of an AK sequene num ber, the SAID , the
aram eters linked to the old TEK, and the new TEK and an H M A digest - in order to
ensure the SS that the m essage is being sent b the BS w ithout being tam ered w ith.
The validit durations of the tw o TEKs overla.
The new TEK is being ativated before the old TEK exires, and the old TEK is
destroed after ensuring that the new TEK is ativated.
In order to estim ate w hen the BS w illinvalidate a revious, or request a new TEK, the
SS uses TEK lifetim e.
The BS w illrel w ith a Ke Rejet M essage w hih ontains the AK sequene num ber,
the SAID and an error ode indiating the reason of rejetion and a H M A digest.
The SS an resend a different KReqM ess m essage to obtain a new TEK if the SAID in
the KReqM ess m essage is invalid.

KM
The third hase of riva Ke M anagem ent
rotoolis the D ata Enrtion hase.
The transm itted data betw een the SS and BS
begins to be enrted using the TEK onl after
ahieving the SA authorization and the TEK
trade.
Eah SA has 2 TEKs reated b the BS.
If one exires it m akes a new one.
The dow nlink traffi is enrted w ith the old
ke.
The other ke an be used to dert the ulink
traffi.
The figure illustrates a SS request to the BS for
TEK0 and TEK1 enrtion kes.

KM v2

KM v2 rovides tw o-w a authentiation, so not onl the BS authentiates the

SS, but also the SS authentiates the BS.
The roess starts w hen the BS authentiates the SS, after w hih the SS
authentiates the BS.
W hen m utualauthendiation is om lete, the BS rovides the authentiated
SS w ith an AK and the identities and roerties of rim ar and stati SAs.
KM uses onl the D ES algorithm to rotet data onfidentialit.
KM v2 suorts both the X.509 digitalertifiates and the Extensible
Authentiation rotool(EA).

KM v2

If EA is used, one of the suorted EA authentiation m ethods needs to be

hosen, alongside w ith the orresonding seurit elem ents, suh as
subsriber identit m odules, assw ords, X.509 ertifiates or others, w illalso
be used in suh m ethod.
The W iM AX Forum reom m ends one of the follow ing tw o m ethods: Transort
Laer Seurit (TLS) or Tunneled Transort Laer Seurit (TTLS).
KM v2 adds AES- M w ith the TEK.
The Advaned Enrtion Standard (AES) is a sm m etri ke blok iher
suerseding D ES.
ounter m ode om bines w ith B-M A (iher-Blok haining M essage
Authentiation ode or M ) in order to rovide both authentiation and
onfidentialit.

W iM AX seurit risks and vulnerabilities

O ne om m on attak on authentiation and authentiated ke form ation

rotools is the M essage rela attak.
If the m essages exhanged in an authentiation rotooldoes not have
udated identifiers, an attaker an easil get authentiated b relaing
m essages oied from a legitim ate authentiation session.
D ue to the short 2-bit TEK identifier, it reeats ever four reke les.
Reusing exired TEKs in rela attaks an dislose onfidentialinform ation
and further om rom ise the TEK.
M an-in-the-m iddle attaks usuall assoiate w ith a om m uniation rotool
w here m utualauthentiation is m issing, as is the ase w ith KM v1.

W iM AX seurit risks and vulnerabilities

O ther know n attaks inlude arallelsession attaks, D enialof Servie (D oS)

attaks, refletion attaks, interleaving attaks, attaks due to te flaw ,
nam e om ission attaks, and attaks duetom isuseofrtograhiservies.

W iM AX seurit risks and vulnerabilities

In the IEEE 802.16 rotoolStak, the hsiallaer resides just below the
riva sub-laer.
Therefore, W iM AX is vulnerable to H laer attaks suh as jam m ing and
sram bling.
Jam m ing is done by resenting a strong RF noise soure to signifiantly
redue the hannelbandw idth w hih results in D oS to SSs.
It is ossible to loate and rem ove the RF jam m ing soure, but it is not often
easy onsidering the large overage range of W iM AX.

W iM AX seurit risks and vulnerabilities

O ut-of-band om m uniations is one solution to this roblem .

Sram bling is onsidered to be a subategory of RF jam m ing attaks, but the
m ain differene is that it requires m ore reise injetions of interferene in
relatively short tim e eriods during the transm ission of seifi ontrolor
m anagem ent m essages.
Sram bling is m ore diffiult to detet than jam m ing, so it requires m ore
sensitive soure detetion and a faster resonse.
Som e threats are generi in the w ireless w orld; IEEE 802.16 is not an
exetion.
A lassi threat arises is the w ater torture attak, in w hih an attaker sends
a series of fram es to drain the reeivers battery.

W iM AX seurit risks and vulnerabilities

Rerogram m ing a devie w ith the hardw are address of another devie an be
a m eans used for identity theft.
The address m ay be stolen by intereting m anagem ent m essages.
M anagem ent m essages are unenrted, sine none of the W iM AX standards
or am endm ents has addressed or required their enrtion.
A rogue BS w hih transm its w hile the realBS is transm itting, but w ith m ore
ow er, an onfuse a set of SSs/M Ss w hen attem ting to get servie from
w hat the believe is a legitim ate BS.
onfidentialinform ation involved in the roesses of node registration,
bandw idth alloation and netw ork entr are also in danger inluding ossible
eavesdroing, rela and sram bling attaks.

W iM AX seurit risks and vulnerabilities

O verview

 A lth ou g h W iM A X h as om lex au th en tiation an d au th orization m eth od s an d

ver stron g en r tion teh n iq u es, as an oth er teh n olog it is still
vu ln erab le to d ifferen t ty es of attaks.
Th e IEEE 802.16 stan d ard it is b ased u on on stan tly im roves an d resolves
reviou s seu rity issu es. Th e w ell kn ow n seu rity issu es of W iM A X m ain ly
resid e in th e S eu rity su b -layer of th e IEEE 802.16 rotool S tak.
Th ese issu es in lu d e attaks su h as sram b lin g , jam m in g , re lay attaks,
m asq u erad e attaks et.
Th e seu rity m eh an ism s of W iM A X rely on th e riva K e M an ag em en t
rotool. Th e u tilit of th is rotool is th at it rovid es eriod ial
au th orization of su b srib er station s, it d istrib u tes kein g m aterial to th em
an d also rovid es ke refresh an d reau th orization .
Th e rotol also en su res th at th e au th en tiation alg orith m s an d su orted
en r tion are orretl a lied to th e exh an g ed m an ag em en t rotool d ata
u n its.
U n fortu n ately, it is very w ell kn ow n th at n ew seu rity h allen g es arise
on stan tly, n o m atter h ow w ell th e relation sh i b etw een seu rity an d
fu n tion ality is p lan n ed .
Th is said , in form ation seu rity w ill alw ays b e a resou refu l researh field in
W M A N , as w ell as oth er w ireless teh n olog ies.

TH AN K YO U !