Wireless Survey

Published on May 2016 | Categories: Documents | Downloads: 34 | Comments: 0 | Views: 261


Security in Current Commercial Wireless Networks: A Survey
Fabian Andre Perez School of Electrical and Computer Engineering Purdue University West Lafayette, IN 47907-1285 [email protected]
Abstract. The goal of this survey is to give an overview of the security mechanisms currently used in commercial Wireless Networks. The study tries to cover the whole scope of Wireless Networks, from the well known 802.11 standards for WLANs to the 3G standards for Wireless Cellular Technologies. This article is not intended to cover the details of each technology; instead it gives a high level view of the solutions used to secure each one.

I. INTRODUCTION

Every day, technology changes the way people interact with each other. In recent years, Wireless Networks, in all their flavors, have revolutionized the way people communicate, and for the first time they give customers the feeling of being virtually connected (by voice, messaging and video applications over cell phones, e-mail, VoIP, and messaging over the Internet). It is this closeness, or convenience, that has made current Wireless Networks so successful. The more we get used to a communication tool, the more we trust it. For good or for bad, this is the reality today, and current technology aims to be even more intimate in the way it interacts with people. However, in the last few years some concern has been raised about the security strength of commercial Wireless Networks; this is precisely the motivation of this document: to offer a clear, easy to understand presentation of how each major Wireless Technology uses security standards and practices to offer the security level customers deserve and demand.

This study analyzes the technologies listed in Section II. For each technology, a simple but clear introduction is offered first, in order to make the security analysis that follows easier to present. Then a section details how each technology uses secure mechanisms to enforce its security policy. Even though an introduction is offered for each technology, some background knowledge of wired and wireless networks and of Information Security is assumed. A secondary but important objective of this study was to compile a glossary of the countless acronyms used in the field.


II. WIRELESS STANDARDS AND TECHNOLOGIES

As mentioned before, this document focuses on various widely used Wireless Networks. The technologies reviewed are:
1) IEEE 802.11
2) IEEE 802.16
3) IEEE 802.15.1 Bluetooth
4) IEEE 802.15.4 Zigbee
5) HomeRF
6) IrDA
7) UMTS
8) CDMA2000

In the following sections we treat each technology separately.


III. 802.11

The IEEE 802.11 standards are a set of specifications that provide the same functionality as the IEEE 802.3 CSMA/CD (Ethernet) standard, that is, they implement LANs with the air as the transmission medium instead of cables. The resulting communication networks are known as WLANs (Wireless LANs). IEEE 802.11 is a member of the IEEE 802 family, which handles specifications for Local Area Networks (LANs). In this study we describe the specifications related to security; a broader discussion of the several members of the IEEE 802 family can be found in [1]. The 802.11 standards have evolved since their first appearance in 1989 [1], [2]. The protocol covers specifications for Layer 1 (physical) and Layer 2 (data link) of the OSI model. Access Points (APs) also use Layer 3 (the IP layer), but only for management purposes. However, current APs can be configured as a mix of AP, switch, router, and even firewall. A light overview of the members of the IEEE 802.11 family most related to this study follows.

802.11: This is the original standard; it specifies transmission speeds of 2 Mbps or 1 Mbps. It works in the 2.4 GHz ISM band using either FHSS or DSSS with PSK modulation.

802.11a: This standard came after 802.11b and tried to fix the problems encountered with 802.11 and 802.11b. It operates in the 5 GHz band (U-NII); therefore it can coexist with 802.11b without causing interference. It has 12 non-overlapping channels. The encoding scheme is OFDM and the data rate depends on the modulation technique: 54 and 48 Mbps (64-QAM), 36 and 24 Mbps (16-QAM), 18 and 12 Mbps (QPSK), and 9 and 6 Mbps (BPSK). The coverage range is approximately 60 feet [3]. The advantages of 802.11a are the speed (54 Mbps) compared to 802.11b (11 Mbps), and the lower likelihood of interference in the 5 GHz band than in the 2.4 GHz band, where other applications compete for the same frequency space (cordless phones, microwaves, baby monitors, Bluetooth).
A disadvantage is the reduced coverage range compared to 802.11b, which requires more APs to cover the same area. Another disadvantage is that there is no backward compatibility with 802.11b, so 802.11a equipment cannot communicate directly with 802.11b equipment. Also, because it is not as popular, equipment is more costly, so deployment costs are higher. Finally, the 5 GHz frequency band is allocated in the USA; however, in other countries this band is already used for other purposes.

802.11b: This is the most successful technology of the 802.11 family. The standard operates in the 2.4 GHz band (ISM). It has 11 channels, but only three (1, 6, 11) are non-overlapping. It uses DSSS as the encoding scheme, and the data rates with their respective modulations are: 11 and 5.5 Mbps (CCK), 2 Mbps (DQPSK), 1 Mbps (DBPSK). Its range is approximately 300 feet [3]. The advantages of 802.11b are that the 2.4 GHz frequency band is available internationally, and that it is the most popular standard, which means that hot spots implemented in public areas (cafes, airports, libraries, book stores) use it to attract the most people; for the same reason, the equipment is relatively affordable. The principal disadvantage is that it uses the 2.4 GHz ISM band, which is polluted with other applications. This, added to the fact that 802.11b has only 3 non-overlapping channels, makes some environments too noisy, and deploying a functional 802.11b network there is a real challenge. As a consequence the throughput is usually much lower than the expected 11 Mbps, and the low typical throughput makes it impractical for bandwidth-hungry applications such as multimedia or real time applications.

802.11g: This technology evolved from the successful 802.11b. The standard operates in the 2.4 GHz band (ISM). It has 11 channels, but still only three (1, 6, 11) are non-overlapping. It uses OFDM as the encoding scheme, and the data rates with their respective modulations are: 54, 48, 36, 18, 12 and 6 Mbps (OFDM), 11 and 5.5 Mbps (CCK), 2 Mbps (DQPSK), 1 Mbps (DBPSK). Its range is approximately 300 feet [3]. The advantage is that the 802.11g standard defines how wireless LAN gear communicates at up to 54 megabits per second while remaining backward compatible with 11 Mbps 802.11b. This important breakthrough enables streaming media, video downloads, and real time applications, and it lets networks upgrade hardware while keeping backward compatibility with 802.11b. The principal disadvantage of 802.11g is the same one 802.11b has: the frequency band has to be shared with many more applications. Another technical detail is that, to achieve 54 Mbps throughput, 802.11g gear must be present in both the client and the APs; if one of them is 802.11b only, the whole network drops its speed to 802.11b rates.

Within IEEE 802.11 there are several working groups devoted to solving several wireless issues. Some other groups that should be considered are:

802.11d: This group works on specifications for general internationalization issues.

802.11e: This group works on specifications for QoS support for 802.11a, b and g. This is necessary for delay-sensitive applications such as Voice over Wireless IP.

802.11f: This group works on IAPP, the Inter-Access Point Protocol, which handles the issues that exist in inter-AP communication to properly roam mobile users.

802.11n: A standard reportedly in the works that would boost 802.11a, 802.11b, and 802.11g speeds up to 108 Mbps and higher. 802.11n is not yet official.

IEEE 802.11i is strictly related to security (the main topic of this study), so it will be widely discussed in the next section. Further information about these working groups can be found at [4].

Security Analysis of IEEE 802.11

The first approach to security in 802.11 was to offer Wired Equivalent Privacy (WEP). However, today we know WEP does not offer the security level expected. Other solutions have been presented since the failure of WEP. Here we review each one of them, highlighting the most interesting points of each.

A. Wired Equivalent Privacy

WEP was the first attempt to offer security in the IEEE 802.11 standards. However, in the last few years the research community has proven that WEP design flaws, and especially the poor implementations by vendors, caused the failure of WEP to provide the security level required in critical communications. Several successful attacks have been published and are widely available to the community. First we present how WEP works, and then analyze its design and the flaws that have been present in the protocol since its design. Even though some of the problems with WEP are in the vendors' implementations, WEP was never envisioned as an ultimate solution for security, so its design was never cryptographically rigorous. The flaws in the design of the protocol are the ultimate problem, because they are really challenging to correct.

The upper part of Figure 1 shows the WEP engine.

Fig. 1. WEP Engine & Frame Extensions

The first step is to calculate a 32-bit Cyclic Redundancy Check (CRC) checksum of the plaintext in order to offer integrity of the plaintext. This is the first flaw of the protocol: CRC is not a cryptographic function that offers integrity, as hashing functions (SHA, MD5) do; CRC is an error detection function widely used in data communications. Consequently, some attacks use this flaw and successfully modify the packet and the CRC so that the protocol still validates the packet as not modified. The CRC in WEP is known as the Integrity Check Value (ICV); this ICV is appended to the plaintext and XORed with a keystream to generate the ciphertext. On the other side, the Secret Shared Key is appended to the Initialization Vector (IV) and passed to the RC4 Pseudo-Random Number Generator (PRNG) to generate a keystream equal in length to the plaintext-ICV combination. The keystream is a sequence of 1's and 0's derived from the IV-Secret Key. The last step is to prepend the IV header "in clear" to the ciphertext, and this is the frame to transmit, as shown in the bottom part of Figure 1.

For decryption, WEP follows the same process in reverse. First, the IV is extracted from the MAC Data Unit and prepended to the secret key; this is passed to the RC4 PRNG to obtain the keystream. The keystream is XORed with the encrypted frame to obtain the plaintext plus its ICV; a new CRC checksum of the plaintext is generated and compared with the value in the ICV to determine whether the packet was modified in transit. If the values do not match, then the packet is assumed to be tampered with and is discarded.

One of the problems with WEP is that 802.11 does not specify how to generate and implement IVs. The IVs are 24-bit sequences that are prepended to the secret shared key, and together these form the seed of the RC4 PRNG. One of the main requirements of RC4 in order to keep the information secure is that the seed value must never, ever be repeated.
However, the secret shared key is normally fixed, and in a busy network the 24-bit IV space will be exhausted in a matter of hours; consequently, IVs will inevitably be repeated. This repetition of seed values is known as an IV collision. Reuse of IVs is allowed by the 802.11 protocol. An attacker who is logging data from the target wireless network can detect such IV collisions, and a number of attacks are possible when IV collisions occur [3]. One issue that has to be noted here is that vendors normally market WEP with the secret key as 64 or 128 bits long. However, 24 of those bits are reserved for the IV, so effectively the keys are 40 or 104 bits long respectively.

Another issue with WEP is key management. WEP is a symmetric key encryption mechanism; consequently, the same key must be shared between any sender and any receiver. 802.11 does not address how to distribute the keys, and normally this is done manually by the system administrator. In a small network this is not complicated, but in a medium or big network this mechanism is simply not applicable. Moreover, if one of the machines is compromised, then the key must be changed in the whole network, because the whole network shares the same key.

Because reuse of IVs is accepted, message injection is also a possibility. If the attacker knows the plaintext and ciphertext of a packet, then the keystream can be derived (remember Plaintext ⊕ Keystream = Ciphertext). Once the keystream is derived, any plaintext can be encrypted using the derived keystream, and the resulting ciphertext will be accepted by the protocol because reuse of IVs is allowed. As an example, the authentication process using WEP is as follows:
1) Client sends an authentication request to the AP.
2) AP sends a 128-bit challenge text to the client.
3) Client encrypts the challenge text with the Shared Key and sends the encrypted challenge back to the AP.
4) AP receives the encrypted challenge and compares it with one generated locally.
5) AP responds with a success or failure message.

Following this process, a potential attacker will have the plaintext and its associated ciphertext, and using the message injection technique the keystream can be derived. Using the same keystream, the attacker can request authentication to the AP and get authenticated even without knowledge of the WEP key. This attack works because the AP accepts reused keystreams.

Another issue comes from some poor vendor implementations. "Security researcher Tim Newsham discovered that key generators from some vendors are flawed. A brute force attack on a 40-bit key using a weak key generator could take less than a minute to crack" [3]. The PRNG for 128-bit WEP was not flawed.

Finally, the ultimate hit against WEP came from a paper titled "Weaknesses in the Key Scheduling Algorithm of RC4" by Scott Fluhrer, Itsik Mantin and Adi Shamir [5]. In this paper several weaknesses in the key scheduling algorithm of RC4 are presented, and their cryptanalytic significance is described. A large number of weak keys are identified, and if enough information encrypted under these keys is collected, then the secret key can be determined with little work. The most important aspect of this passive, ciphertext-only attack is that it can recover an arbitrarily long key in a negligible amount of time that grows only linearly with its size. An attack implemented using the weaknesses described in the paper is known as the FMS attack. Widely available programs like AirSnort, WEPCrack, and dweputils are based on the FMS attack. The limitation of the FMS attack is that it requires a considerable amount of traffic from the target network (5-10 million encrypted packets [6]). In a busy network this can take hours, but in a low traffic network it can take days or weeks. Once enough data is collected, the secret key can be recovered with little computation.
Because the FMS attacks have been successful, vendors have made firmware updates available for their network devices in order to avoid the usage of weak keys. As a consequence, in a well maintained network with long keys, breaking WEP is not a trivial task, but not impossible either. As an example, Niels Ferguson (the designer of "Michael", the message integrity code algorithm used in TKIP) has been quoted saying that "using a wireless network for mission-critical data is plain stupid. Using it for life-critical data is criminally negligent" [3].
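The WEP engine described above, as an added example (my own code, not from the paper or from any vendor firmware): encapsulation and decapsulation exactly as Fig. 1 lays them out (3-octet IV plus a Key ID octet in the clear, RC4 seeded with IV || key, CRC-32 ICV), plus a monitoring check for IV collisions in a capture, the time a fixed key survives before the 24-bit IV space wraps, and the keystream cancellation that makes a collision dangerous. The key, IVs and payloads are constructed sample values.

```python
import struct
import zlib
from collections import Counter

KEY_ID = 0  # Key ID octet that follows the 3-octet IV in the clear header (bits 6-7)


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 PRNG as used by WEP: key scheduling on seed = IV || secret key, then
    output generation; the keystream is as long as plaintext || ICV."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP Integrity Check Value: CRC-32 of the plaintext, 4 octets little-endian.
    An error-detection code, not a keyed MAC."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encapsulate(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """IV header in the clear, followed by (plaintext || ICV) XOR RC4(IV || key)."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV is 24 bits; key is 40 or 104 bits (marketed as 64/128)")
    body = plaintext + icv(plaintext)
    return iv + bytes([KEY_ID << 6]) + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decapsulate(key: bytes, frame: bytes):
    """Same process in reverse; returns the plaintext, or None if the ICV does not match."""
    iv, ciphertext = frame[:3], frame[4:]
    body = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    plaintext, received_icv = body[:-4], body[-4:]
    return plaintext if icv(plaintext) == received_icv else None


def audit_iv_reuse(frames) -> dict:
    """Monitoring check over a capture of WEP frames: IVs seen more than once
    (IV collisions) mapped to how often they occurred."""
    counts = Counter(f[:3] for f in frames)
    return {iv: n for iv, n in counts.items() if n > 1}


def hours_to_exhaust_iv_space(frames_per_second: float) -> float:
    """Upper bound on how long a station sending at this rate can go before it must
    reuse one of the 2^24 IVs under a fixed key."""
    return (1 << 24) / frames_per_second / 3600


def keystream_cancellation(frame_a: bytes, frame_b: bytes) -> bytes:
    """Why an IV collision matters: two frames under the same IV and key share one
    keystream, so XORing their ciphertexts cancels it and leaves
    (P_a || ICV_a) XOR (P_b || ICV_b), which no longer depends on the key."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs")
    return xor(frame_a[4:], frame_b[4:])
```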


B. 802.11i

Because of the many issues WEP presented, the 802.11 group was under pressure to develop a reliable solution. In October 2002, the Wi-Fi Alliance presented Wi-Fi Protected Access (WPA, originally called WEP2). WPA is a subset of the 802.11i standard, and was released before 802.11i because not all parts of the standard were ready: integrity handling (TKIP) and key management (802.1X) were ready, while the symmetric cipher (AES) and secure de-authentication/dis-association were not. On June 24, 2004, 802.11i was approved by the IEEE Standards Board. The Wi-Fi Alliance soon announced the creation of WPA2 in order to cover the new specifications dictated by 802.11i. Because the Wi-Fi Alliance is vendor driven and focused on implementation, we describe what the 802.11i standard says rather than analyze WPA or WPA2.

IEEE 802.11i defines a Robust Security Network Association (RSNA). In an RSNA, 802.11 provides functions to protect data frames, IEEE 802.1X provides authentication and a Controlled Port, and 802.11 and 802.1X collaborate to provide key management. The security enhancements that 802.11i describes over the original 802.11 standard are the requirements and procedures to provide confidentiality of the user information transferred over the Wireless Medium and authentication of 802.11 conformant devices. 802.11i mainly defines a number of security features in addition to WEP and IEEE 802.11 authentication [7]. These features include the following:
• Enhanced authentication mechanisms for stations.
• Key management algorithms.
• Cryptographic key establishment.
• An enhanced data encapsulation mechanism, called CTR [counter mode] with CBC-MAC [cipher-block chaining (CBC) with message authentication code (MAC)] Protocol (CCMP).
• Optionally, the Temporal Key Integrity Protocol (TKIP).

802.11i relies on several components external to the IEEE 802.11 architecture. The first component is IEEE 802.1X, and the second is the Authentication Server (AS). In an RSNA, the 802.1X Port determines when data can flow through the connection. An 802.1X Port consists of one Controlled Port and one Uncontrolled Port. The Controlled Port is blocked from passing information until it is cleared by an 802.1X authentication procedure that is conducted through the Uncontrolled Port. Normally, all traffic should flow through the Controlled Port, except for the authentication process.

Two security services are provided by 802.11: authentication and confidentiality. For authentication, an RSNA uses the 802.1X authentication service with TKIP and CCMP. For confidentiality and data integrity, RSN key management with TKIP and CCMP is used. In an ad-hoc network (IBSS, Independent Basic Service Set), each station is in charge of enforcing the security policy. In an infrastructure network (ESS, Extended Service Set), the APs are in charge of enforcing the security policy. Let's review each component of the standard.

1) Authentication: 802.11 defines three authentication methods: Open System, Shared Key, and RSNA. Open System Authentication admits any station to the Distribution System (DS: a system used to interconnect a set of basic service sets (BSSs) and integrated LANs to create an extended service set (ESS)). Shared Key Authentication relies on WEP to demonstrate knowledge of the WEP encryption key. An RSNA supports authentication based on 802.1X or on pre-shared keys (PSK). 802.1X uses the Extensible Authentication Protocol (EAP) to authenticate stations and the Authentication Server (AS).

2) Confidentiality: 802.11i accepts three different cryptographic algorithms to protect traffic: WEP, TKIP, and CCMP. WEP and TKIP use RC4 as the encryption engine. CCMP is based on the Advanced Encryption Standard (AES). The default confidentiality state of data units in 802.11 is in the clear; if confidentiality is not used, then all information is sent unprotected.


3) Key Management: The enhanced authentication, confidentiality, and replay protection mechanisms demand fresh cryptographic keys. The keys are distributed using the 4-Way Handshake and Group Key Handshake protocols.

4) Data Origin Authenticity: Data origin authenticity mechanisms mean that a station can verify which station sent a MAC Protocol Data Unit (MPDU). This is to prevent possible masquerading attacks. This service is provided using CCMP or TKIP. Also, replay attacks are avoided using replay detection mechanisms, a service likewise provided by CCMP or TKIP.

5) 802.1X & EAP: 802.1X is a protocol that enables port-based authentication. All stations have associated ports, and all traffic is blocked at the station port until the client is authenticated by an Authentication Server (AS). The Extensible Authentication Protocol (EAP) was originally created as an extension to the Point-to-Point Protocol used in dial-up connections. It defines a generalized framework for multiple authentication methods, so a particular application can use the EAP framework and authenticate its users with any authentication method. The open standard defined by EAP can also accept authentication mechanisms that have not been invented yet. 802.1X is just a protocol that implements EAP over wired or wireless networks. It has three basic components:
• Supplicant: The client or station that requires access to the network.
• Authenticator: An entity that acts as an intermediary between the Supplicant and the Server (usually the AP). It is in charge of blocking/allowing traffic flow and facilitating the authentication process.
• Authentication Server (AS): The machine that holds authentication information about the clients and processes the acceptance/rejection of a station in the authentication process.

As mentioned before, 802.11 depends on 802.1X to control the flow of MAC Protocol Data Units (MPDUs) between the DS and the stations by using the 802.1X Controlled/Uncontrolled Ports. 802.1X authentication frames are passed through the Uncontrolled Port. The Controlled Port is blocked for traffic until the 802.1X authentication procedure between the Supplicant and the AS completes successfully through the Uncontrolled Port. It is the responsibility of the Supplicant and the Authenticator to implement port blocking. There is a unique pair of ports for each association between stations. 802.11 uses 802.1X together with the 4-Way Handshake and Group Key Handshake to establish and exchange cryptographic keys [7]. The cryptographic keys are generated only after a successful authentication has been granted. The 802.1X procedure is depicted in Fig. 2. The 4-Way Handshake is initiated by the Authenticator in order to perform the following tasks:
• Confirm that a live peer still uses a Pairwise Master Key (PMK).
• Confirm the PMK is current.
• Generate a fresh Pairwise Transient Key (PTK) from the current PMK.
• Set up the pairwise encryption and integrity keys into 802.11.
• Feed Group Temporal Key (GTK) information from the Authenticator to stations and the AP.
• Confirm the cipher suite selection.

When the 4-Way Handshake is successfully completed, the Supplicant and Authenticator have authenticated each other. Then the Controlled Port is opened and the flow of normal traffic is granted. The GTK is used by the Authenticator to send broadcast/multicast messages to the stations and to receive unicast.
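To show how the handshake above and the Pre-Shared Key mode of III-B.6 fit together, here is an added example (my own code, not the paper's or any supplicant's): the 802.11i pass-phrase to PSK mapping (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256 bits), the PTK derivation from the PMK, both MAC addresses and both nonces, and the EAPOL-Key MIC with which messages 2 and 3 prove possession of the PMK without ever sending it. The MAC addresses, nonces and Key Info values are constructed samples; the pass-phrase "password" with SSID "IEEE" is the standard's own test vector.

```python
import hashlib
import hmac


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i pass-phrase to PSK mapping: PBKDF2-HMAC-SHA1 with the SSID as salt,
    4096 iterations, 256-bit output. In PSK mode this value is used as the PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ..., truncated to nbytes."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               nbytes: int = 48) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    After message 2 both sides hold all four inputs, so each derives the same PTK
    locally; the PTK itself is never transmitted."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def split_ptk(ptk: bytes):
    """CCMP pairwise hierarchy: KCK (protects EAPOL-Key messages), KEK (wraps the GTK
    sent in message 3), TK (protects data frames)."""
    return ptk[:16], ptk[16:32], ptk[32:48]


# EAPOL-Key layout: 4-octet EAPOL header, then Descriptor Type(1) Key Info(2)
# Key Length(2) Replay Counter(8) Nonce(32) Key IV(16) RSC(8) Reserved(8) -> MIC at 81.
MIC_OFFSET, MIC_LEN = 81, 16


def build_eapol_key(nonce: bytes, replay_counter: int, key_data: bytes = b"") -> bytes:
    """Constructed EAPOL-Key frame with the MIC field zeroed. Key Info and Key Length
    carry sample values (descriptor version 2, AES) sufficient to exercise the MIC."""
    body = (bytes([2]) + b"\x01\x0a" + b"\x00\x10" + replay_counter.to_bytes(8, "big")
            + nonce + bytes(16) + bytes(8) + bytes(8) + bytes(MIC_LEN)
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for descriptor version 2: HMAC-SHA1 over the whole EAPOL frame with
    the MIC field set to zero, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def sign_eapol_key(kck: bytes, frame: bytes) -> bytes:
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


def verify_eapol_key(kck: bytes, frame: bytes) -> bool:
    """Receiver check: a valid MIC proves the peer derived the same PTK, hence holds
    the same PMK, without either side revealing it."""
    expected = eapol_key_mic(kck, frame)
    return hmac.compare_digest(expected, frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])
```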


Fig. 2. IEEE 802.1X EAP authentication [7]

When an 802.1X infrastructure is not implemented, the procedures are identical, but the PSK is the PMK (see III-B.6).

6) Pre-Shared Key: In small Wireless Networks like SOHOs, the deployment of an 802.1X infrastructure for key distribution is overkill and not practical. Therefore, 802.11i introduces a special mode of key distribution called Pre-Shared Key (PSK). In this mode, a shared secret key called the Master Key must be entered manually in all APs and all clients. A 256-bit PSK may be configured in the client cards and the AP, or a pass-phrase may be configured. The method used to configure the PSK is outside the 802.11i standard, but one way that can be used is via user interaction. If a pass-phrase is configured, then a 256-bit key is derived from it and used as the PSK [7].

7) Security Methods: 802.11i defines Pre-RSNA and RSNA security methods. Pre-RSNA methods are implemented by the following algorithms:
• WEP
• 802.11 entity authentication

RSNA security is provided by the following algorithms:
• TKIP
• CCMP
• RSNA establishment and termination procedures, including 802.1X authentication.
• Key management procedures

RSNA equipment is hardware capable of establishing RSNA associations. Pre-RSNA equipment comprises the equipment ready for WEP and WPA only; this equipment needs a hardware upgrade in order to establish RSNA associations. WEP was already introduced in section III-A.

8) Entity Authentication: In an ESS, a station and an AP must complete an 802.11 authentication before an association. This exchange is optional in an IBSS. 802.11i defines two authentication methods.


"Open System Authentication" is the default authentication algorithm for Pre-RSNA equipment. It uses a two-message authentication transaction sequence: the first message states identity and requests authentication; the second message confirms or denies authentication. "Shared Key Authentication" authenticates stations that share a common known key. It is used with WEP, and 802.11i states that this mechanism is deprecated and should not be implemented, except for backward compatibility with Pre-RSNA hardware.

9) Temporal Key Integrity Protocol (TKIP): 802.11i states that implementation of TKIP is optional. TKIP has three main elements:
• Per-packet key mixing function.
• Message Integrity Code (MIC) function known as Michael.
• Enhancement in sequencing rules for the IV.

TKIP offered a fix for the main problems related to WEP. Its main purpose is to be applied to existing hardware via software upgrades, and it offers backward compatibility with most existing hardware; therefore, it could be deployed right away.

Fig. 3. TKIP engine [7]

Figure 3 shows the block diagram of the TKIP engine. First, the client obtains a pair of keys: a 128-bit encryption key called the Temporal Key (TK), and a 64-bit data integrity key called the Message Integrity Code (MIC) key. These keys are obtained securely by an 802.1X key distribution scheme (see III-B.5) or by manual configuration (see III-B.6). As the diagram shows, the TK, the transmitter's MAC address (TA) and a subset of the TSC (TKIP Sequence Counter) are fed to a cryptographic Phase 1 key mixing function to obtain an intermediate key, the TTAK (TKIP-mixed transmit address and key). This is fed to a cryptographic Phase 2 key mixing function that also takes the second part of the TSC and the TK to produce the WEP seed. This is passed as the IV-Secret Key to the RC4 PRNG, as in ordinary WEP. On the other side, the MIC key, the sender's MAC address (SA), the destination MAC address (DA), a priority, and the plaintext message are used to calculate a keyed cryptographic message integrity code (MIC). The MIC is appended to the plaintext before any fragmentation and then passed to the WEP engine. As explained in the WEP section, the WEP engine takes the IV-Secret Key value as an RC4 seed to generate a keystream that is then XORed with the plaintext to generate the ciphertext.


Let's clarify some points. Michael uses a cryptographically sound one-way hash function designed by Niels Ferguson to offer integrity [3]. It uses the MIC key, the source address, and the destination address; therefore, MAC address integrity can be verified. The Michael output is 8 octets long and is appended to the data frame. The IV space in TKIP and 802.11i has been increased from 24 to 48 bits; with such an IV space, the probability of collisions is negligible. Also, the per-packet key is no longer stationary as in WEP (shared key): it is mixed in two phases with a secure key (TK), a sequence counter (TSC), and the transmitter address (TA) by a Feistel cipher designed by Doug Whiting and Ron Rivest [3]. This strategy eliminates per-packet key correlation and replay attacks; as a consequence, the FMS attacks are also eliminated. Some remote attacks are still conceivable because of the underlying use of the WEP engine; however, their impact is greatly reduced by all the countermeasures designed [7]. The changes in the data unit are shown in Fig. 4.

Fig. 4. Expanded TKIP Data Unit [7]

10) CCMP: 802.11i states that implementation of CCMP is mandatory for devices claiming to be RSNA compliant. CCMP stands for CTR (Counter mode) with CBC-MAC (Cipher-Block Chaining with Message Authentication Code) Protocol. It provides authentication, confidentiality, integrity, and replay protection. All AES processing used within CCMP uses AES with a 128-bit key and a 128-bit block size. CCM is a generic mode that can be used with any block encryption algorithm. Some of the requirements of CCM are:
• CCM requires a fresh temporal key for every session.
• CCM requires a unique nonce value for each frame to be protected. It uses a 48-bit Packet Number (PN) for this purpose.
• For CCM, reuse of a PN with the same temporal key voids all security.

CCMP expands the MPDU by 16 octets, as Fig. 5 shows: 8 octets for the CCMP header and 8 octets for the MIC. The 48-bit PN is distributed over 6 octets. The ExtIV bit is set to 1 for CCMP. The encapsulation block diagram of CCMP is shown in Fig. 6. Here the PN is incremented and used to construct the nonce and the CCMP header, so the PN never repeats with the same TK. The incremented PN, the Address 2 from the MPDU, and the priority (reserved) are used to construct the nonce. Fields that need to be authenticated are incorporated in the Additional Authentication Data (AAD) for CCM: information like the Frame Control fields, the addresses, the Sequence Counter, and the Quality of Service Control field are present in the AAD. The AAD, nonce and TK, along with the MPDU, are used in the CCM encryption to generate the encrypted data and the MIC. Finally, the expanded CCMP MPDU is assembled as shown in Fig. 5. In the decryption process, the CCMP recipient checks the authentication and integrity of the frame body and the AAD, and also decrypts the frame body; only if the MIC check is successful is the plaintext returned.

Fig. 5. Expanded CCMP MPDU [7]

Fig. 6. CCMP encapsulation Block Diagram [7]

11) RSNA Security Associations Management: Security associations are used to guarantee secure communications, and they provide information about the cipher solutions to be used. A security association is the set of policies, keys, and parameters used to protect information. The information in the security association must be stored in each entity that will use the association, and has to be consistent among all parties. There are four security associations supported by RSNA:
• PMKSA: When a successful 802.1X, PSK, or PMK has been established.
• PTKSA: When a successful 4-Way Handshake has been established.
• GTKSA: When a successful Group Key Handshake or 4-Way Handshake has been established.
• STAKeySA: When a successful STAKey has been established (Ad-Hoc Infrastructure).
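Returning to the CCMP encapsulation of Figs. 5 and 6, here is an added example (my own code, not from the paper or from any driver) of the bookkeeping around the Packet Number: the 8-octet CCMP header layout with the ExtIV bit, the 13-octet nonce built from priority, Address 2 and PN, a per-key transmit counter that refuses to wrap, and the receiver's replay check that accepts only increasing PNs. The AES-CCM step itself is left out; the addresses and PNs are constructed samples.

```python
EXT_IV = 0x20  # bit 5 of the fourth header octet; always set for CCMP


def build_ccmp_header(pn: int, key_id: int = 0) -> bytes:
    """8-octet CCMP header: PN0 PN1 Rsvd (KeyID<<6 | ExtIV) PN2 PN3 PN4 PN5,
    with PN0 the least significant octet of the 48-bit Packet Number."""
    if not 0 <= pn < (1 << 48) or not 0 <= key_id < 4:
        raise ValueError("PN is 48 bits, KeyID is 2 bits")
    p = pn.to_bytes(6, "little")  # p[0] = PN0 ... p[5] = PN5
    return bytes([p[0], p[1], 0x00, EXT_IV | (key_id << 6)]) + p[2:]


def parse_ccmp_header(hdr: bytes):
    """Recover (PN, KeyID) from a received header; reject headers without ExtIV."""
    if len(hdr) != 8 or not hdr[3] & EXT_IV:
        raise ValueError("not a CCMP header")
    pn = int.from_bytes(hdr[0:2] + hdr[4:8], "little")
    return pn, hdr[3] >> 6


def build_nonce(priority: int, a2: bytes, pn: int) -> bytes:
    """13-octet CCM nonce: priority octet || Address 2 (transmitter, 6 octets) ||
    PN as 6 octets, most significant first. Unique per (TK, frame) as long as the
    PN never repeats under one TK."""
    if len(a2) != 6:
        raise ValueError("Address 2 is a 6-octet MAC address")
    return bytes([priority & 0x0F]) + a2 + pn.to_bytes(6, "big")


class CcmpSender:
    """Per-TK transmit counter: the PN is incremented before each MPDU so the nonce
    never repeats; when the 48-bit space is used up a new TK is required, never a wrap."""

    def __init__(self, pn: int = 0):
        self.pn = pn

    def next_header(self, key_id: int = 0) -> bytes:
        if self.pn >= (1 << 48) - 1:
            raise RuntimeError("PN space exhausted: rekey before sending more frames")
        self.pn += 1
        return build_ccmp_header(self.pn, key_id)


class CcmpReplayCheck:
    """Receiver-side replay detection: remember the last PN accepted per
    (transmitter address, priority) and accept only strictly increasing PNs."""

    def __init__(self):
        self.last = {}

    def accept(self, a2: bytes, priority: int, hdr: bytes) -> bool:
        pn, _key_id = parse_ccmp_header(hdr)
        key = (a2, priority)
        if pn <= self.last.get(key, 0):  # PN 0 is never sent; senders start at 1
            return False
        self.last[key] = pn
        return True
```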

12) Key Management Procedures: RSNA defines two hierarchies of keys:
• Pairwise key hierarchy, to protect unicast traffic.
• GTK, to protect multicast or broadcast traffic.

Pairwise key support with TKIP or CCMP allows the receiving station to identify and authenticate the MAC address of the sending station; therefore, any MAC address spoofing will be detected. This feature is not supported with the GTK. In an ESS, the 802.1X Authenticator MAC address (AA) and the AP BSSID are the same, and the Supplicant MAC address (SPA) and the station MAC address are the same.

802.11 Conclusions

In this section we have reviewed the 802.11 standard. First, a short introduction to the several parts that form the standard was given; then, the principal points of the new amendment 802.11i were presented. It should be clear by now that the first approach to security, WEP, was not successful in delivering the expected security level. As a second, temporary solution, the Wi-Fi Alliance introduced WPA with the parts of 802.11i that were ready by 2002; mainly, an adaptation of TKIP and 802.1X are used in WPA to solve the shortcomings of WEP. At the time of writing of this document, the main achievement of WPA was to solve the aforementioned problems while still running on legacy hardware designed only to support WEP (software and firmware upgrades are necessary). 802.11i is a more consciously designed security protocol, with authentication, identity and confidentiality in mind from design time. It includes per-port authentication (802.1X) and can be implemented to support highly sophisticated authentication schemes like per-user authentication using PKI (EAP). It uses a strong encryption algorithm (AES-CCMP) and supports per-MPDU authentication, integrity, and replay control, therefore offering a strong solution for security in Wireless Networks. It also contains TKIP for cases where RSNA hardware has to coexist with Pre-RSNA hardware. 802.11i is a fairly new security protocol and still has to stand the test of time; however, the design principles applied and the amount of review it has gone through give some comfort to Network Engineers and Implementers.


IV. 802.16
IEEE 802.16, also known as WiMax (Worldwide Interoperability for Microwave Access), is designed to provide metro-area Broadband Wireless Access (BWA). The original idea behind WiMax was to deliver wireless Internet access to a fixed location to compete with technologies like cable modem and Digital Subscriber Line (DSL). Before getting into technical details, let's review the potential markets that are the driving forces of the technology.


• Fixed location Private Line Services: The initial application was to provide traditional dedicated lines over the air at transmission rates up to 100 Mbps using line-of-sight outdoor antennas.
• Broadband Wireless Access/Wireless DSL: To compete directly with cable modem and DSL technologies, and to offer access to remote areas where other technologies were not viable. It would offer rates of 512 Kbps and 1 Mbps using low-cost, indoor, user-installable premises equipment that does not require line of sight with the Base Station.
• Mobile Users: Using low frequencies (<6 GHz), 802.16e is developing support for mobile users at speeds up to 75 MPH, and will be compatible with the fixed-location systems.





There are several substandards that form the IEEE 802.16 family; here we will review the most relevant for our discussion.

802.16: The original IEEE 802.16-2001 standard, approved in December 2001, developed a point-to-multipoint broadband wireless access standard for systems in the frequency ranges 10-66 GHz and sub-11 GHz. The standard covers both the Media Access Control (MAC) and the physical (PHY) layers. This standard requires line of sight between the Base Station (BS) and a Subscriber Station (SS). It defines bit rates from 32 to 134 Mbps using modulation/coding schemes like QPSK, 16-QAM and 64-QAM. There are no mobility considerations in this standard. It has channel bandwidths of 20, 25, and 28 MHz.

802.16a: The "IEEE 802.16a-2003 Amendment 2: Medium Access Control Modifications and Additional Physical Layer Specifications for 2-11 GHz", approved in 2003, enables 2-11 GHz operation. It introduces a mesh mode to let nodes forward traffic to adjacent nodes. This standard supports non-line-of-sight (NLOS) operation between BS and SS. It defines bit rates from less than 70 up to 100 Mbps using 256-subcarrier OFDM with QPSK, 16-QAM, 64-QAM, and 256-QAM modulation/coding schemes. There are no mobility considerations in this standard. It has a channel bandwidth selectable from 1.25 to 20 MHz.

802.16e: The IEEE 802.16e draft is an ongoing standard that had not been approved at the time of writing of this article. This standard is reported to add mobility support to 802.16. It supports NLOS operation between BS and SS. It defines bit rates up to 15 Mbps using 256-subcarrier OFDM with QPSK, 16-QAM, 64-QAM, and 256-QAM modulation/coding schemes. It supports mobility up to 75 MPH. It has a channel bandwidth of 5 MHz.

802.16-2004: This standard consolidates IEEE 802.16, IEEE 802.16a, and IEEE 802.16c. It retains all modes and major features of the previous standards without adding modules. Its content has been revised to improve performance, ease deployment, and replace incorrect, ambiguous, or incomplete material [8]. It defines three frequency bands of interest:

• 10-66 GHz licensed band: Line-of-Sight (LOS) is required and multipath is negligible. It uses 25 or 28 MHz channel bandwidth and achieves data rates in excess of 120 Mbps. It uses single-carrier modulation.
• Frequencies below 11 GHz: Supports NLOS but requires additional physical layer functionality like advanced power management techniques and management of multiple antennas. It also introduces additional mesh topologies and automatic repeat request.
• License-exempt frequencies below 11 GHz: The license-exempt nature introduces additional interference and coexistence issues; therefore, the physical and MAC layers introduce extended capabilities like Dynamic Frequency Selection to detect and avoid interference.

Some important points to note. IEEE 802.16 can operate in either licensed or unlicensed spectrum (2-11 GHz). WiMax systems can be configured for dual-channel Frequency Division Duplex (FDD) or single-channel Time Division Duplex (TDD), which makes the technology essentially full duplex, compared with IEEE 802.11, which is contention-based TDD and therefore half duplex. The actual transmission speed depends on the bandwidth of the channel and the efficiency of the modulation/coding scheme. The trade-off is that the more efficient the modulation/coding scheme, the more susceptible it is to noise and interference. 802.16 supports Adaptive Modulation: when the SNR and/or error rate crosses a threshold, the technology switches to a more robust modulation/coding scheme, trading performance for robustness [9]. The IEEE 802.16 standard describes a sophisticated MAC protocol that can share the radio channel among hundreds of users while providing QoS. It uses a Request/Grant access mechanism to minimize the probability of collisions and to support consistent-delay voice and variable-delay data services. The BS is in charge of granting access to the channel. Four types of QoS are supported [9]:
• Unsolicited Grant-Real Time: For real-time voice and video.
• Real Time Polling: Real-time service where the BS polls subscribers in turn.
• Variable Bit Rate-Non-Real Time: Non-real-time data for high priority users.
• Variable Bit Rate-Best Effort: IP-like best-effort service for low priority data.


Security Analysis of IEEE 802.16
IEEE 802.16 defines a separate security sublayer within the MAC layer, as shown in Fig. 7. This security sublayer is in charge of authentication, secure key exchange, and encryption. In this study we will review the principal features of this sublayer.

Fig. 7. IEEE 802.16 protocol layering [8]

A. IEEE 802.16 Security sublayer
The security sublayer provides privacy by encrypting connections between SS and BS; in addition, this encryption provides operators with strong protection against theft of service. The privacy scheme uses an authenticated client/server key management protocol in which the BS distributes keying material to the SS. The security services are strengthened by the use of digital-certificate-based SS authentication.
1) Packet Data Encryption: An encapsulation protocol to encrypt packet data across the BWA network. It defines the encryption and authentication algorithms and the necessary information to apply them. Only the MAC PDU payload is encrypted; the MAC header is not encrypted. MAC management messages are sent in the clear to facilitate network operation.
2) Key Management Protocol: The Privacy Key Management (PKM) protocol provides secure distribution of keying material from BS to SS. The information exchanged in the protocol includes the conditions for accessing the several network services. The SS uses PKM to request keying material from the BS and to support periodic reauthorization and key refresh. PKM uses X.509 digital certificates, RSA public-key encryption algorithms, and strong encryption algorithms to perform key exchanges between SS and BS. In PKM, the SS acts as a "client" when requesting material from the BS, which acts as a "server". PKM uses


public-key cryptography to derive a shared secret Authentication Key (AK) between the SS and the BS. The AK is used thereafter to derive the subsequent keys, avoiding computationally intensive public-key operations. A BS authenticates an SS during the authentication exchange. Each SS carries its X.509 digital certificate issued by the SS's manufacturer, or has an internal algorithm to generate the public-private key pair and certificate. The digital certificate contains the SS's public key and the SS MAC address. When the BS receives an authorization request from the SS, the BS verifies the digital certificate and, if valid, generates an AK, encrypts it with the SS's public key and sends it back to the SS. When the BS authenticates the SS, it also links the SS to a paying subscriber, and hence to the data services the subscriber has access to. The public-key encryption protects the system against a masquerading SS.
3) Security Associations: An SA is the set of security information a BS and one or more of its client SSs share in order to set up secure communications. SAs are identified by SAIDs. There are Primary, Static, and Dynamic SAs. Each SS shall establish an exclusive SA with its BS. The SA's keying material has a limited lifetime, and this lifetime is one of the parameters of an SA. It is the responsibility of the SS to request new keying material before the current one expires; therefore, there can be up to two sets of keying material active at the same time. If the lifetime expires before a new one is obtained, then the SS has to perform a new authentication request.
4) Cryptographic Suite: IEEE 802.16-2004 supports the following cryptographic suites:
• Data Encryption Algorithms: It currently supports no data encryption, CBC-mode 56-bit DES, and AES in CCM mode.
• Data Authentication Algorithms: Currently it does not support any data authentication algorithm.
• TEK Encryption Algorithm: It currently supports 3-DES EDE with a 128-bit key, RSA with a 1024-bit key, and AES with a 128-bit key.

5) PKM protocol: SS authorization is controlled by the Authorization state machine, through the following process:
• The BS authenticates the SS identity.
• The BS provides the authenticated SS with an AK, from which a Key Encryption Key (KEK) and a message authentication key are derived.
• The BS provides the authenticated SS with the SAIDs needed to provide the SS with the services it is subscribed to.

After the SS achieves initial authorization, it periodically seeks reauthorization with the BS. The SS must be authenticated with the BS in order to be able to refresh aging TEKs. TEK state machines manage the refreshing of TEKs. The authentication procedure works as follows. The SS sends an Authorization Request message to the BS. The Authorization Request includes:
• A manufacturer-issued X.509 certificate.
• A description of the cryptographic algorithms the requesting SS supports.
• The SS Basic Connection Identifier (CID).

The BS validates the Authorization Request and the requesting SS's identity. It determines the encryption algorithm and protocol support it shares with the SS, and generates an AK for the SS. The BS encrypts the AK with the SS public key and sends it back to the SS in an Authorization Reply message. The Authorization Reply includes:
• An AK encrypted with the SS's public key.
• A 4-bit key sequence number, used to distinguish between successive generations of AKs.
• A key lifetime.
• The identities (SAIDs) the SS is authorized to obtain keying information for.

As mentioned before, the SS is in charge of periodically refreshing its AK by reissuing an Authorization Request to the BS. To avoid service interruptions during reauthorization, successive generations of the SS's AKs have overlapping lifetimes. Both SS and BS shall be able to support up to two simultaneously active AKs. The Authorization state machine process is depicted in Fig. 8(a).

Fig. 8. AK and TEK Key Management [8]: (a) AK management; (b) TEK management

6) TEK exchange overview: After a successful authorization, an SS starts a separate Traffic Encryption Key (TEK) state machine for each SAID in the Authorization Reply message. Each TEK state machine periodically sends Key Request messages to the BS, requesting a refresh of keying material for its respective SAID. The TEK is encrypted using the KEK derived from the AK. Again, the BS and the SS will maintain two sets of keying material active at the same time per SAID. The Key Reply will contain the TEK, a CBC Initialization Vector (IV), and the remaining lifetime of each of the two sets of keying material. Maintaining proper TEK keying material ensures that the SS will be able to continually exchange encrypted traffic with the BS. The TEK state machine process is depicted in Fig. 8(b).
7) Dynamic SA: Dynamic Security Associations are SAs that a BS establishes and eliminates dynamically in response to the enabling or disabling of specific service flows. The BS may dynamically establish SAs by issuing an SA Add message. Upon receiving an SA Add message, the SS shall start a TEK state machine for each SA listed in the message.
8) Data Encryption with DES in CBC mode: This is the cryptographic suite defined in the original IEEE 802.16-2001. Here the MAC PDU payload is encrypted using the CBC mode of the US Data Encryption Standard (DES). The CBC IV shall be calculated as follows: in the downlink, the CBC shall be initialized with the exclusive-or (XOR) of (1) the IV parameter included in the TEK keying information and (2) the content of the PHY Synchronization field of the latest DL-MAP. In the uplink, the CBC shall be initialized with the XOR of (1) the IV parameter included in the TEK keying information and (2) the content of the PHY Synchronization field of the DL-MAP that is in effect when the UL-MAP for the uplink transmission is created/received. The downlink map (DL-MAP) is a MAC message that defines burst start times for both time division multiplex and time division multiple access (TDMA) by an SS on the downlink. The uplink map (UL-MAP) is a set of information that defines the entire access for a scheduling interval.
9) Data Encryption with AES in CCM mode: In the new IEEE 802.16-2004, support is included for the encryption of the MAC PDU payload using the CCM mode of the US Advanced Encryption Standard (AES). The MAC PDU payload is preprocessed as shown in Fig. 9. The payload is prepended with a 4-byte Packet Number (PN) that is not encrypted. An 8-byte Integrity Check Value (ICV) is appended to the payload. The PDU plaintext and the ICV are encrypted and authenticated using the active TEK.

Fig. 9. PDU Payload Format using AES-CCM [8]

The PN associated with an SA shall be set to 1 when the SA is established and when a new TEK is installed. After each PDU transmission, the PN shall be incremented by 1. Any tuple value <PN, KEY> shall not be used more than once for the purpose of transmitting data. The SS shall ensure that a new TEK is requested and transferred before the PN space is exhausted; otherwise, transport communications on that SA shall be halted until new TEKs are installed. Sending two packets with the same key and PN will eliminate all security guaranteed by the CCM mode. The CCM algorithm should be implemented as specified in NIST Special Publication 800-38C and FIPS-197. On the recipient end, the PDU shall be decrypted and authenticated according to the CCM specification. Packets that fail the authentication shall be discarded. Receiving BSs or SSs will maintain a record of the highest PN value received for each SA. If a packet is received with a PN that is equal to or less than the recorded maximum, then the packet shall be discarded as a replay attempt.
10) Encryption of TEK: The BS encrypts the value fields of the TEK in the reply message sent to the client SS using one of the following algorithms available for the encryption of the TEK:
• Two-key 3-DES in EDE mode.
• The RSA algorithm.
• 128-bit AES in ECB mode.

The BS is in charge of generating AKs, TEKs, and IVs. A random or pseudo-random number generator shall be used to generate these values. AKs in Authorization Reply messages shall be RSA public-key encrypted using the SS’s public key.

Analysis of IEEE 802.16 threats
Any wireless technology will be susceptible to physical layer attacks like radio jamming, or continuously sending packets so that the receiver is overwhelmed, causing a Denial of Service or fast battery consumption. These kinds of attacks are outside the scope of this document; we will review some possible attacks at the MAC layer, for which the standards are responsible. The obvious observation after reviewing the standard is the lack of mutual authentication. The SS identifies itself to the BS using its certificate, but the BS never identifies itself to the SS. Therefore, some "Man in the Middle" attacks are a threat. In [10], David Johnston and Jesse Walker note that an AK can last up to 70 days [8], whereas the TEK lifetime can be as short as 30 min. Therefore a data SA can consume up to 3360 TEKs over the AK's lifetime, requiring the SAID space to grow from 2 to at least 12 bits. They also note that the BS is in charge of generating several keys (AK, TEK, KEK) and that the quality of the random number generator in the BS is of utmost importance. Another issue is how correctly the PKI in place will be implemented. Ideally, there should not be any problem; however, implementations lacking rigour in their development can compromise the security of the whole system. Furthermore, the standard is not very rigorous in its specifications; this gives even more liberty to implementers. IEEE 802.16 includes support for DES in CBC mode, and several issues arise from this. However, in the last revision of the standard, AES in CCM mode is introduced. We believe this was to solve all the problems that DES in CBC mode has. AES in CCM mode is also used in 802.11i and has had several extensive reviews, therefore offering a more mature solution.


V. BLUETOOTH IEEE 802.15.1
IEEE 802.15 is the "Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for: Wireless Personal Area Networks". Currently, there are 4 members of the IEEE 802.15 family:
• The IEEE Project 802.15.1 has derived a Wireless Personal Area Network (WPAN) standard based on the Bluetooth v1.1 Foundation Specifications [11].
• The IEEE 802.15.2 Coexistence Task Group 2 for Wireless Personal Area Networks developed Recommended Practices to facilitate coexistence of WPAN and WLAN (802.11). The Task Group developed a Coexistence Model to quantify the mutual interference of a WLAN and a WPAN [11].
• The IEEE P802.15.3 High Rate Task Group for WPANs is chartered to draft and publish a new standard for high-rate (20 Mbit/s or greater) WPANs. Besides a high data rate, the new standard will provide low-power, low-cost solutions addressing the needs of portable consumer digital imaging and multimedia applications [11].
• The IEEE 802.15.4 was chartered to investigate a low data rate solution with multi-month to multi-year battery life and very low complexity. It operates in an unlicensed, international frequency band. Potential applications are sensors, interactive toys, smart badges, remote controls, and home automation [11].
In this section we review the IEEE 802.15.1 specification, and in the next section we will review IEEE 802.15.4.

A. Bluetooth overview
"Bluetooth" is often used interchangeably with IEEE 802.15.1, even though this usage is not always correct. Bluetooth is an industrial specification for WPAN first developed by Ericsson and later formalized by the Bluetooth Special Interest Group (SIG). The SIG was formally announced on May 20, 1999. It was established by Sony Ericsson, IBM, Intel, Toshiba and Nokia, and later joined by many other companies as Associate or Adopter members [12]. The system is named after the Danish king Harald Bluetooth. Bluetooth provides a way to connect and exchange information between consumer mobile devices like PDAs, mobile phones, laptops, PCs, printers and digital cameras via a secure, low-cost, globally available short-range radio frequency. It uses the IEEE 802.15 specification in the ISM frequency band with FHSS technology. IEEE Std 802.15.1-2002 WPAN technology and its architecture have been derived from the Bluetooth specifications (version 1.1). This standard provides specifications for the lower layers of the Bluetooth specifications, namely MAC and PHY. A goal of IEEE 802.15.1 is to achieve a level of interoperability that could allow the transfer of data between a WPAN device and an IEEE 802.11 device [13].
Personal electronic devices are becoming more intelligent and interactive. Several of these personal devices have a personal information management (PIM) database maintaining personal calendars, address books, and to-do lists. It is desirable that PIM databases in one personal device remain synchronized with PIM databases in other personal devices. For example, contact databases should be synchronized between mobile phones, PDAs, laptops and desktops. Solutions exist offering such interconnection, like proprietary special-purpose cables and software. However, managing different cables and different software for each device is quite challenging and frustrating. Therefore, an independent wireless solution platform is quite desirable.
These solutions should not impact the devices' original form factor, weight, power requirements, cost, ease of use, or other functionalities in significant ways. Personal devices could be part of an individual's


productivity and entertainment tools, and could also be part of a corporate information technology infrastructure; therefore, the wireless solution should take into account the design and marketing requirements dictated not only by the consumer market but also by the business market [13]. A WPAN can be viewed as a personal communications bubble around a device; as the device moves around, different devices can connect with one another with or without the interaction of the user or users. IEEE 802.15.1 is designed to work in noisy environments using fast acknowledgment and a quick frequency-hopping scheme. Whenever an enabled device is in range of another enabled device, they instantly start exchanging information in order to establish an ad-hoc network without user involvement. Furthermore, the technology supports non-line-of-sight operation; therefore, devices can communicate through walls or briefcases. As a comparison, in WLANs, devices tend to be connected to a power plug on the wall or use the wireless connection for short periods of time when running on batteries. This offers WLAN portability, but the network is almost static. Furthermore, in WLANs, the nodes or devices have to be deployed and set up. In a WPAN, the technology is oriented to interconnecting multiple mobile, personal devices. The difference is "mobility" versus "portability". Mobile devices typically run on batteries and interconnect with other devices for short periods of time; portable devices are moved less frequently, have longer connection times, and usually run from power supplied by wall sockets. WPAN trades coverage for power consumption. WPAN is truly mobile. Because of the abundance of personal devices that can participate in a WPAN, the technology should support applications with demanding bandwidth requirements as well as applications with flexible bandwidth requirements.
IEEE 802.15.1 WPAN is contention free at all times; this is achieved using a master-slave relationship between devices and operating on a single, time-multiplexed slotted system. Therefore, the master can assign bandwidth on demand to slaves and guarantee Quality of Service requirements. Using a frequency-hopping scheme with small slots provides resilience against interference, and several networks can operate within the same area. In a WPAN the connection between devices is created in an ad-hoc manner whenever an application in a device requires it, and it is maintained until the application (master device) has completed its task and no further communication is needed. The relationship between the OSI model and the Bluetooth wireless technology is depicted in Fig. 10.

Fig. 10. OSI model related to IEEE 802.15.1 WPAN standard [13]


As shown, the LLC and MAC sublayers encompass the DLL layer of the OSI model. Bluetooth WPAN was designed to support both synchronous communication channels for telephony-grade voice communication and asynchronous communication channels for data communications. So, a mobile phone can support circuit-switched channels to exchange audio with a headset while using a packet-switched channel to exchange data with a laptop. As mentioned before, Bluetooth WPAN operates in the ISM band and uses FHSS (1600 hops/s) to avoid interference and fading. Binary frequency shift keying at a rate of 1 Msymbol/s minimizes transceiver complexity. A slotted channel is used, with a slot duration of 625 µs. A time division duplex (TDD) scheme is used that enables full-duplex communications at higher layers. On the channel, information is exchanged through packets. Each packet is transmitted on a different frequency in the hopping sequence. A packet nominally covers a single slot, but can be extended to cover either three or five slots. For data traffic, an asynchronous channel can support a unidirectional (asymmetric) maximum of 723.2 kbps between two devices with a bandwidth of 57.6 kbps in the other direction. For synchronous communication, a bidirectional 64 kb/s channel can support voice traffic between two devices [13].

Fig. 11. Format of a Bluetooth WPAN packet [13]

In Fig. 11 the general form of a single Bluetooth packet is depicted; one of the uses of the fixed-size access code is to distinguish one WPAN from another. The header is used for management purposes, and the variable-size payload carries upper layer information.
1) Bluetooth WPAN topologies: The subnetworks formed in Bluetooth are known as piconets. A piconet is formed by a device serving as a master and one or more devices serving as slaves. A frequency hopping sequence is derived from the address of the master device and defines each piconet. All devices belonging to a piconet are synchronized to the frequency hopping channel using the clock of the master. Fig. 12 depicts different Bluetooth topologies. The slave devices communicate only in a point-to-point fashion with the master; the master can communicate point-to-point or point-to-multipoint. Multiple piconets with overlapping coverage form a scatternet. Slaves can participate in different piconets on a time-division basis as slaves or masters, but only one master can exist per piconet, and each piconet has its own hopping channel. A Bluetooth WPAN may communicate with other LANs in the IEEE 802 family (802.3, 802.11) through the use of an IEEE 802 LAN attachment gateway (AG). An IEEE 802 LAN AG is a logical architectural component that can be implemented in a Bluetooth device. Through an AG, MAC service data units can be conditioned for transport over a Bluetooth WPAN.

Fig. 12. Bluetooth WPAN topologies [13]: (a) single slave operation; (b) multislave operation; (c) scatternet operation

2) Bluetooth WPAN architecture: In order to enable the creation of interoperable, interactive applications, the Bluetooth specifications define a set of communication protocols, including transport protocols for carrying data between devices over Bluetooth links, and a set of interoperable applications used to define the usage scenarios addressed in the specification. The IEEE 802.15.1 standard covers only a subset of the communication protocols in the Bluetooth specifications, those related to the PHY and MAC protocols as identified in Fig. 10. It includes both Bluetooth-specific protocols (LMP, L2CAP) and non-Bluetooth-specific protocols (grouped in the Other box). These other protocols include the Object Exchange Protocol (OBEX), the Point-to-Point Protocol (PPP), the Wireless Application Protocol (WAP), and so on. In designing the protocols and the whole protocol stack, the main principle has been to maximize the reuse of existing protocols, to adapt existing applications to work with the Bluetooth wireless technology, and to ensure the smooth operation and interoperability of these applications [13].
B. IEEE 802.15.1 security review
The Bluetooth technology provides peer-to-peer communications over short distances. In order to provide usage protection and information confidentiality, the system has to provide security measures both at the application layer and at the link layer. Here we will review the link-layer security features.
These security measures have to be appropriate for a peer environment, in which the authentication and encryption routines are implemented in the same way in each Bluetooth unit. Four different entities are used for maintaining security at the link layer:
• Bluetooth Device Address (BD_ADDR): Public address which is unique for each user. It is the 48-bit IEEE address which is unique for each Bluetooth unit; it is publicly known.
• Authentication private key: It is 128 bits long.
• Encryption private key: It has a variable size from 8 to 128 bits to fit the different requirements on cryptographic algorithms in different countries and to facilitate upgrades in security without requiring a change in the architecture.
• RAND: A random number which is different for each new transaction; it has 128 bits. It can be generated from a Pseudo-Random Number Generator in the Bluetooth unit.


The lifetime of the authentication key is different from the lifetime of the encryption key. Once established, the particular application running on the Bluetooth device decides when, or if, to change the authentication key. To underline the fundamental importance of the authentication key to a specific Bluetooth link, it will often be referred to as the link key. Each time encryption is activated, a new encryption key should be generated.
1) Link Manager Protocol (LMP): The Link Manager (LM) Protocol is used for link setup, security, and control. The LMP messages are transferred in the payload instead of L2CAP and are distinguished by a reserved value in the payload header. The messages are filtered out and interpreted by the LM on the receiving side and are not propagated to higher layers. LM messages have higher priority than user data. The LM can use a PRNG to generate random numbers like RAND, Kinit, and Kmaster (see below).
2) Key types: The link key is a 128-bit random number which is shared between two or more parties and is the base for all security transactions between these parties. The link key itself is used in the authentication routine. Moreover, the link key is used as one of the parameters when the encryption key is derived. The link keys are either semipermanent or temporary. A semipermanent link key is stored in nonvolatile memory and may be used after the current session is terminated. A session is defined as the time interval for which the unit is a member of a particular piconet. Consequently, once a semipermanent link key is defined, it may be used in the authentication of several subsequent connections between the Bluetooth units sharing it. The lifetime of a temporary link key is limited by the lifetime of the current session; it cannot be reused in a later session. Several kinds of keys have to be defined to accommodate different kinds of applications:


• Combination key KAB: Derived from information in both units A and B, and therefore always dependent on two units. The combination key is derived for each new combination of two Bluetooth units.
• Unit key KA: Generated in a single unit A. The unit key is generated once at installation of the Bluetooth unit; thereafter, it is very rarely changed.
• Temporary key Kmaster: Temporarily substitutes for a link key where a common encryption key is useful, such as in a point-to-multipoint configuration where the same information is to be distributed securely to several recipients. It is valid only during the current session.
• Initialization key Kinit: Used as a link key during the initialization process when no combination or unit keys have been defined and exchanged yet, or when a link key has been lost. The initialization key protects the transfer of initialization parameters. The key is derived from a random number, an L-octet PIN code, and a BD_ADDR. This key is only to be used during initialization.
• Encryption key KC: Derived from the current link key. It is shorter than the authentication/link key to facilitate different encryption options without weakening the authentication key.

It depends on the application or the device whether a unit key or a combination key is used. Bluetooth units which have little memory to store keys shall use a unit key, so they only have to store a single key. Applications that require a higher security level shall preferably use combination keys. These applications will require more memory, since a combination key for each link to a different Bluetooth unit has to be stored. For details on how the different keys are generated, please see the specification IEEE 802.15.1 [13].

3) Encryption: The encryption process protects the user information by encryption of the packet payload; the access code and the packet header are never encrypted. The encryption of the payloads is carried out with a stream cipher called E0 that is re-synchronized for every payload. The block diagram of E0 is depicted in Fig. 13.

Fig. 13. Stream cipher E0 block diagram [13]

The key stream bits are generated by a method derived from the summation stream cipher generator attributable to Massey and Rueppel. The method has been thoroughly investigated, and there exist good estimates of its strength with respect to presently known methods for cryptanalysis. Although the summation generator has weaknesses that can be used in so-called correlation attacks, the high re-synchronization frequency will disrupt such attacks. An LM command is required to activate encryption, both for broadcast and unicast. Each packet payload is ciphered separately. The cipher algorithm E0 uses the master Bluetooth address, 26 bits of the master real-time clock (CLK26-1) and the encryption key K_C as input. The block diagram of the encryption/decryption machine is depicted in Fig. 14.

Fig. 14. Bluetooth encryption engine [13]

The encryption key K_C is derived from the current link key, the COF, and a random number EN_RAND_A. EN_RAND_A is publicly known since it is transmitted as plain text over the air. The encryption algorithm generates a binary keystream known as K_cipher, which is modulo-2 added to the data to be encrypted. The cipher is symmetric; decryption is performed in exactly the same way using the same key as used for encryption.

4) Authentication: The authentication procedure uses a challenge-response scheme in which a claimant's knowledge of a secret key (the link key) is checked through a two-move protocol using symmetric secret keys.


The latter implies that a correct claimant/verifier pair shares the same secret key. The authentication engine is depicted in Fig. 15.

Fig. 15. Bluetooth authentication engine [13]

In the challenge-response scheme the verifier challenges the claimant to authenticate a random input (the challenge), denoted by AU_RAND_A, with an authentication code, denoted by E1, and return the result SRES to the verifier. The device address BD_ADDR_B is also included for authentication purposes. The verifier is not necessarily the master. The application is in charge of indicating who has to be authenticated by whom. Certain applications only require a one-way authentication. However, in some peer-to-peer communications, one might prefer a mutual authentication in which each unit is subsequently the challenger (verifier) in two authentication procedures. The LM coordinates the authentication preferences indicated by the application to determine in which direction(s) the authentication(s) has to take place. When an authentication attempt fails, a certain waiting interval shall pass before the verifier will initiate a new authentication attempt to the same claimant, or before it will respond to an authentication attempt initiated by a unit claiming the same identity as the suspicious unit. For each subsequent authentication failure with the same Bluetooth address, the waiting interval shall be increased exponentially. This procedure prevents an intruder from repeating the authentication procedure with a large number of different keys. The authentication function proposed for Bluetooth is a computationally secure authentication code (MAC). E1 uses the encryption function called SAFER+. The algorithm is an enhanced version of an existing 64-bit block cipher, SAFER-SK128, and it is freely available.

5) Link-Level Security Features: So far, we have reviewed the link-layer security features Bluetooth technology offers. In addition to these features, the frequency hopping scheme used with the spread spectrum signal, as well as the limited transmission range of devices, makes eavesdropping difficult to perform. However, enforcing these mechanisms inhibits user-friendly access to more public-oriented applications, such as service discovery and exchange of virtual business cards [14]. To meet these demands, the Bluetooth specification defines three security modes that cover the functionality and application of devices.

• Mode 1: No security. In this mode, link-layer security is bypassed and access to nonsensitive information like business cards and calendars is granted.
• Mode 2: Provides service-level security, allowing more flexible access policies. It depends on the application how security is enforced. In this mode it is possible to define security levels for devices and services. The security level of a service can be: Authorization required, Authentication required, or Encryption required.
• Mode 3: Provides link-layer security, and the Link Manager enforces security in all communications. This forces a common security level and it is easier to implement than Mode 2. The first time two devices attempt to communicate, an initialization procedure called pairing or bonding is used to create a common link key in a safe manner.
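The challenge-response exchange and the exponentially growing waiting interval described in the authentication subsection above, as an added example in Go that is not part of this survey or of the Bluetooth specification [13]. It assumes a stand-in for E1 (HMAC-SHA256 truncated to a 32-bit SRES instead of the SAFER+ based E1), constructed addresses and link keys, and an injectable clock so the backoff can be observed; the names `Verifier`, `Challenge`, `Check` and `WaitFor` are this example's own. The point to take from it is the verifier side: a failed attempt doubles the wait for that BD_ADDR, a later success clears it, and no new AU_RAND is issued to an address that is still inside its wait interval.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// LinkKey is the 128-bit link key shared by claimant and verifier.
type LinkKey [16]byte

// BDAddr is the 48-bit Bluetooth device address (BD_ADDR).
type BDAddr [6]byte

// e1 stands in for the Bluetooth authentication function E1. ASSUMPTION: the real E1
// is SAFER+ based; HMAC-SHA256 truncated to a 32-bit SRES is used here only as a keyed
// MAC of the same shape (inputs: link key, AU_RAND, claimant BD_ADDR; output: SRES).
func e1(key LinkKey, auRand [16]byte, addr BDAddr) uint32 {
	mac := hmac.New(sha256.New, key[:])
	mac.Write(auRand[:])
	mac.Write(addr[:])
	return binary.BigEndian.Uint32(mac.Sum(nil)[:4])
}

// Verifier keeps one link key per peer plus the per-address wait state the
// specification requires after a failed attempt.
type Verifier struct {
	keys     map[BDAddr]LinkKey
	failures map[BDAddr]int
	blocked  map[BDAddr]time.Time
	baseWait time.Duration
	now      func() time.Time // injectable clock so the backoff can be tested
}

func NewVerifier(baseWait time.Duration, now func() time.Time) *Verifier {
	return &Verifier{keys: map[BDAddr]LinkKey{}, failures: map[BDAddr]int{},
		blocked: map[BDAddr]time.Time{}, baseWait: baseWait, now: now}
}

func (v *Verifier) AddPeer(addr BDAddr, key LinkKey) { v.keys[addr] = key }

// WaitFor returns how long the verifier still refuses addr (0 when not blocked).
func (v *Verifier) WaitFor(addr BDAddr) time.Duration {
	if until, ok := v.blocked[addr]; ok && until.After(v.now()) {
		return until.Sub(v.now())
	}
	return 0
}

// Challenge draws a fresh AU_RAND, refusing while addr is inside its wait interval.
func (v *Verifier) Challenge(addr BDAddr) ([16]byte, error) {
	var auRand [16]byte
	if d := v.WaitFor(addr); d > 0 {
		return auRand, fmt.Errorf("claimant %x must wait %s before a new attempt", addr, d)
	}
	_, err := rand.Read(auRand[:])
	return auRand, err
}

// Check compares the received SRES with the locally computed one in constant time.
// A failure doubles the wait interval for that address (1x, 2x, 4x ... baseWait);
// a success clears it.
func (v *Verifier) Check(addr BDAddr, auRand [16]byte, sres uint32) bool {
	key, known := v.keys[addr]
	if known && subtle.ConstantTimeEq(int32(e1(key, auRand, addr)), int32(sres)) == 1 {
		delete(v.failures, addr)
		delete(v.blocked, addr)
		return true
	}
	v.failures[addr]++
	shift := v.failures[addr] - 1
	if shift > 20 { // cap so the duration cannot overflow
		shift = 20
	}
	v.blocked[addr] = v.now().Add(v.baseWait << uint(shift))
	return false
}

func main() {
	addr := BDAddr{0x00, 0x11, 0x22, 0x33, 0x44, 0x55} // constructed address
	v := NewVerifier(time.Second, time.Now)
	v.AddPeer(addr, LinkKey{0x2b, 0x7e, 0x15, 0x16}) // constructed link key
	wrongKey := LinkKey{0xff}                        // a claimant guessing the key
	for i := 0; i < 3; i++ {
		auRand, err := v.Challenge(addr)
		if err != nil {
			fmt.Println("refused:", err)
			continue
		}
		fmt.Println("accepted:", v.Check(addr, auRand, e1(wrongKey, auRand, addr)), "wait:", v.WaitFor(addr))
	}
}
```

The wait state is keyed by BD_ADDR rather than by link, which matches the text: a unit claiming the same identity as the one that just failed is held to the same interval, whichever side initiated the attempt.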

C. IEEE 802.15.1 security analysis

The Bluetooth technology is very ambitious and a lot of applications can be designed and implemented. This makes the technology somewhat complicated and cumbersome to deploy, especially when security is a priority. The current Bluetooth System specification defines security at the link level. Application-level security is not specified, allowing application developers the flexibility to select the most appropriate security mechanisms for their particular application. If applications were developed with security in mind from their conception, the result might be robust applications that withstand simple and somewhat elaborate attacks. However, current practices, and especially current market pressure and business models, dictate that functionality has higher priority than security and robustness. As a consequence, even widely known non-secure mechanisms are used just to facilitate an easy solution to elaborate certain features or functionality in new applications. Here we list some recommendations based on the current specification.

1) Avoid the use of unit keys: Use combination keys instead. A unit that relies on a unit key is only able to use one key for all its secure connections. Hence, it has to share this key with all other units that it trusts. Consequently, all trusted devices are able to eavesdrop on any traffic based on this key. A trusted unit that has been modified or tampered with could also be able to impersonate the unit distributing the unit key. Thus, when using a unit key there is no protection against attacks from insiders.

2) Bonding in secure environments: Perform the bonding in an environment that is as secure as possible against eavesdroppers, and use long random Bluetooth passkeys. Let's assume that an intruder records all communication during the key exchange and the first authentication between two units. He can then calculate, for each possible passkey value, the corresponding initialization key. Furthermore, for each initialization value, he can calculate the corresponding link key. Finally, for each link key value he can then check the response value for the observed challenge. If he finds a match, he has obtained the correct link key [15]. Therefore, it is strongly recommended not to associate or bond in public places, and to use long passkey numbers.

Some other vulnerabilities exist in the technology that may not be seen as attacks but rather as spam messages. For example, Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers. Bluetooth has a very limited range, usually around 10 metres on mobile phones, but laptops can reach up to 100 metres with powerful transmitters. Furthermore, attacks have been possible over exactly 1.08 miles using Bluesnarfing (Snarf attack [16]). Bluejacking is quite harmless, but because bluejacked people do not know what is happening, they think their phone is malfunctioning. Usually, a bluejacker will only send a text message, but with modern phones it is possible to send images or sounds as well [12]. Bluetooth sniping is the act of using modified equipment to receive and send Bluetooth signals at long distance ranges. It was shown on the G4techTV show The Screen Savers at DEF CON 12, a hacker convention. The backdoor attack involves establishing a trust relationship through the "pairing" mechanism, but ensuring that it no longer appears in the target's register of paired devices. In this way, unless the owner is actually observing their device at the precise moment a connection is established, they are unlikely to notice anything awkward, and the attacker may be free to continue to use any resource that a trusted relationship with that device grants access to. This means that not only can data be retrieved from the phone, but other services, such as modems or Internet, WAP, and GPRS gateways may be accessed without the owner's knowledge or consent. Indications are that once the backdoor is installed, the above SNARF attack will function on devices that previously denied access, and without the restrictions of a plain SNARF attack, so we strongly suspect that the other services will prove to be available also [17]. Trivial, and not so trivial, solutions for these problems are available. However, it is up to the device implementers to include security and robustness in the design of the applications.


VI. ZIGBEE IEEE 802.15.4

The ZigBee Alliance is an association of companies involved with building higher-layer standards based on IEEE 802.15.4. This includes network, security, and application protocols. In many contexts, "ZigBee" is used interchangeably with IEEE 802.15.4, just as "Bluetooth" is often used interchangeably with IEEE 802.15.1. Sometimes this usage is not correct. Here we will review the IEEE 802.15.4 specification that describes wireless and MAC protocols for Personal Area Network (PAN) devices. This is interesting because the Sensor Networks community has begun to use these protocols as well. The IEEE 802.15.4 specification is meant to support a variety of applications, some of which demand security services. Some of these applications (sensor networks) are designed to operate under low power consumption constraints and without human intervention for long periods of time, which makes it difficult to design premier security services, as we will review in this section.

First, we review some basics about the packet types related to security in IEEE 802.15.4: the data packet and the acknowledgment packet (see Fig. 16). The data packet is variable in length, and can be used for unicast or broadcast. Each packet has a 2-byte Flags field that indicates whether security is set or not, the addressing mode that is used, and whether the sender requests acknowledgment from the receiver. The sequence number serves to identify the packet number for acknowledgment. It also includes the destination and source address, which can be 0/2/4/10 bytes long. The payload is variable in size, up to 102 bytes, and there is also a 2-byte CRC checksum for error correction (see Fig. 16(a)).

Fig. 16. Data and acknowledgment packet formats [18]: (a) Data packet format; (b) Acknowledgment packet format

The Acknowledgment packet (see Fig. 16(b)) is sent when the sender requests acknowledgment and the packet was not broadcast. It has the same Length and Flags bytes as the data packet, the Sequence Number of the packet to be acknowledged, and the 2-byte CRC for error correction purposes. The IEEE 802.15.4 specification addresses the security service needs through a link-layer security package [18]. Applications sitting on top of the link layer must specify the security requirements. If an application does not set security parameters, then security is not enabled by default. A link-layer security protocol provides the following services:

• Access control.
• Message integrity.
• Message confidentiality.
• Replay protection.

A. Access Control and Message Integrity

Access Control means the security protocol should prevent unauthorized parties from participating in the network, and Message Integrity means that legitimate nodes should detect whether a message comes from an authorized node and, if not, reject it. A message authentication code provides the means to provide message authentication and integrity. A message authentication code is a cryptographically secure checksum of the message. Message Authentication Code is the name the Cryptography community uses for what the Networking community knows as Message Integrity Code (MIC). Here we will use MIC for the message authentication code because the acronym MAC is already used for Medium Access Control. To provide message authentication and integrity, the sender calculates the MIC of the message using a shared secret key, appends the MIC to the message and transmits both. The receiver, who shares the secret key with the sender, recalculates the MIC and compares it with the MIC that came with the message. If both MICs match, the message is accepted as authentic; otherwise, it is rejected and a notification can be sent to upper applications. The MIC must be hard to forge without knowledge of the secret key.

B. Message Confidentiality

Confidentiality means keeping the information secret from any unauthorized parties. This security service is usually provided by encryption schemes. The encryption scheme should prevent message recovery and also prevent the learning of partial information from the encrypted message. This is known as semantic security [19]. One of the implications of semantic security is that encrypting the same plaintext twice should give different ciphertexts. This is achieved by using a unique nonce in the encryption algorithm. The main purpose of the nonce is to add variation to the encryption process when there is little variation in the set of plaintexts. The security of the encryption system should not rely on the nonce being secret; therefore, nonces are usually sent in the clear and included in the packet with the ciphertext.

C. Replay protection

To provide Replay Protection, the sender assigns a monotonically increasing sequence number to each packet, and the receiver detects and stores the sequence number. If the receiver gets a packet with an old number, it should discard it and notify the upper layers of the replay attempt.

D. Security Suites

Before reviewing the Security Suites supported in IEEE 802.15.4, let's first review how an application indicates the security suite to be used. This is done using Access Control Lists (ACL). An ACL entry holds the following information:

• Address: Address of the sender (receiver) party, given that it is a reception (transmission) of a message.
• Security Suite: The cryptographic algorithms to be used.
• Key: The secret key to be used with the address indicated.
• Last IV: The nonce state that must be preserved across the encryption of successive packets.
• Replay Counter: The counter used to protect against replay attacks.


IEEE 802.15.4 supports up to 255 ACL entries. When an application wants to communicate using security services with another party, the transmitting station looks for the address of the destination party in the ACL and, if found, it will use the security suite, key, IV, and replay counter (if required) to communicate securely. If no entry is found, the sending station will use the default ACL entry. If no default information is provided, then an error notification should be reported to the application. On the receiver end, the receiving station checks the Flags field to determine whether any security suite has been applied to the packet. If so, the receiving station shall look in the ACL for the address of the sender station, apply the cryptographic information included in the ACL to the incoming packet and then pass the information to the application. If no information is found in the ACL, then an error message is passed to the application. If the Flags field indicates no security suite was applied, then the packet is passed to the application with no further computations. Now, let's review each of the security suites:

1) Null: This suite will not offer any security service. It is mandatory to be supported, and all information is sent in the clear.

2) AES-CTR: This suite offers encryption only, using the AES cipher in Counter (CTR) mode. In CTR mode, the sender breaks the cleartext packet into 16-byte (128-bit) blocks p_i and computes c_i = p_i ⊕ E_k(x_i). Each 16-byte block must use its own unique counter x_i. On the receiver end, the receiver computes p_i = c_i ⊕ E_k(x_i). The counter x_i is known as the nonce or IV. The IV is formed by a static flags field, the sender's address, and 3 separate counters: a 4-byte frame counter that identifies the packet, a 1-byte key counter field, and a 2-byte block counter that numbers the 16-byte blocks within the packet. The IV form is depicted in F
ig. 17.

Fig. 17. IV form for the AES-CTR and AES-CCM suites [18]

In AES-CTR, the Flags field is constant. The Frame Counter is under control of the hardware radio and is incremented after the encryption of each packet. The Key Counter is under control of the application and can be incremented when the frame counter reaches its maximum. The algorithm requirement is that two packets cannot be encrypted using the same nonce and key. If this happens, the security of the algorithm is void. The role of the frame and key counters is to prevent nonce reuse. The block counter ensures that each block of information will use a different nonce value; the sender does not need to include it with the packet, since the receiver can infer its value for each block. In summary, the sender includes the frame counter, key counter, and encrypted payload in the data payload field of the packet, as shown in Fig. 18.

Fig. 18. AES-CTR data payload form for the Data packet format [18]


3) AES-CBC-MAC: This security suite offers authentication only, using the AES cipher in CBC-MAC mode. The MIC can be 32, 64 or 128 bits long and can be computed only by parties sharing a secret key. The MIC protects the headers and the data payload. The MIC is appended to the payload as shown in Fig. 19. The receiver calculates a new MIC over the payload and header and compares it against the MIC that came with the packet. If it matches, the packet is accepted; otherwise, it is rejected.

Fig. 19. AES-CBC-MAC data payload form for the Data packet format [18]

4) AES-CCM: This security suite offers authentication using the AES cipher in CBC-MAC mode and confidentiality using AES in CTR mode. The MIC can be 32, 64 or 128 bits long and can be computed only by parties sharing a secret key. The MIC protects the headers and the data payload. The form of the data payload field is shown in Fig. 20. First, the sender calculates the MIC over the header and payload, and then encrypts the payload and MIC using AES-CTR mode. The receiver first decrypts the packet, then calculates a new MIC over the header and payload and compares it against the MIC that came with the packet. If it matches, the packet is accepted; otherwise, it is rejected.

Fig. 20. AES-CCM data payload form for the Data packet format [18]

The larger the message authentication code, the stronger the authentication and integrity protection of a message. The receiver can optionally enable replay protection when using a suite that supports confidentiality protection. In that case, the recipient uses the frame and key counters together as a 5-byte value; this is known as the replay counter. When a new packet arrives, the receiver compares the received replay counter against the one stored in the respective ACL entry; if it is a higher value, then the packet is accepted and the replay counter in the ACL is updated; otherwise, it is rejected and the application is notified of a replay attempt.
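How the AES-CTR counter block of Fig. 17 and the AES-CCM suite of Fig. 20 fit together with the replay counter, as an added example in Go that is not part of this survey or of [18]. It covers both the AES-CTR IV layout and the AES-CCM MIC plus replay counter handling described above. The constant Flags byte value, the length framing used inside the CBC-MAC, the order of key counter and frame counter inside the 5-byte replay counter, and the key, header and payload bytes are all assumptions or constructed values of this example, not the exact IEEE 802.15.4 encodings; the type names `Nonce`, `ACLEntry`, `Seal` and `Open` are its own. The receiver verifies the MIC before it advances the replay counter, which is the check that an encryption-only suite cannot make.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Nonce holds the transmitted IV fields; the 16-byte counter block is flags(1) | sender
// address(8) | frame counter(4) | key counter(1) | block counter(2), block counter never sent.
type Nonce struct {
	Addr         uint64
	FrameCounter uint32
	KeyCounter   uint8
}

func (n Nonce) block(blockCounter uint16) [16]byte {
	var b [16]byte
	b[0] = 0x01 // constant Flags byte; this value is an assumption of the example
	binary.BigEndian.PutUint64(b[1:9], n.Addr)
	binary.BigEndian.PutUint32(b[9:13], n.FrameCounter)
	b[13] = n.KeyCounter
	binary.BigEndian.PutUint16(b[14:], blockCounter)
	return b
}

// ReplayCounter is the 5-byte value the receiver compares (key counter as high byte; assumed order).
func (n Nonce) ReplayCounter() uint64 { return uint64(n.KeyCounter)<<32 | uint64(n.FrameCounter) }

// ctrCrypt XORs data with the AES-CTR keystream; packet block i uses block counter i.
func ctrCrypt(c cipher.Block, n Nonce, data []byte) []byte {
	out, ks := make([]byte, len(data)), [16]byte{}
	for i := 0; i < len(data); i += 16 {
		blk := n.block(uint16(i/16 + 1))
		c.Encrypt(ks[:], blk[:])
		for j := 0; j < 16 && i+j < len(data); j++ {
			out[i+j] = data[i+j] ^ ks[j]
		}
	}
	return out
}

// cbcMAC is AES-CBC-MAC over len(header)|len(payload)|header|payload, zero padded, truncated
// to micLen bytes (4, 8 or 16); this framing is an assumption, not the exact 802.15.4 layout.
func cbcMAC(c cipher.Block, header, payload []byte, micLen int) []byte {
	msg := []byte{byte(len(header) >> 8), byte(len(header)), byte(len(payload) >> 8), byte(len(payload))}
	msg = append(append(msg, header...), payload...)
	msg = append(msg, make([]byte, (16-len(msg)%16)%16)...)
	var state [16]byte
	for i := 0; i < len(msg); i += 16 {
		for j := range state {
			state[j] ^= msg[i+j]
		}
		c.Encrypt(state[:], state[:])
	}
	return state[:micLen]
}

// Seal produces the AES-CCM body: MIC over header and payload, then CTR over payload||MIC.
func Seal(c cipher.Block, header, payload []byte, n Nonce, micLen int) []byte {
	mic := cbcMAC(c, header, payload, micLen)
	return ctrCrypt(c, n, append(append([]byte{}, payload...), mic...))
}

var ErrReplay, ErrMIC = errors.New("replay attempt"), errors.New("MIC mismatch")

// ACLEntry is the receiver's state for one sender; Next is the lowest counter still accepted.
type ACLEntry struct {
	Cipher cipher.Block
	MICLen int
	Next   uint64
}

// Open checks the counter, decrypts, verifies the MIC, and only then advances the replay
// counter, so a forged counter value cannot lock out later genuine packets.
func (e *ACLEntry) Open(header []byte, n Nonce, body []byte) ([]byte, error) {
	if n.ReplayCounter() < e.Next {
		return nil, ErrReplay
	}
	plain := ctrCrypt(e.Cipher, n, body)
	if len(plain) < e.MICLen {
		return nil, ErrMIC
	}
	payload, mic := plain[:len(plain)-e.MICLen], plain[len(plain)-e.MICLen:]
	if subtle.ConstantTimeCompare(mic, cbcMAC(e.Cipher, header, payload, e.MICLen)) != 1 {
		return nil, ErrMIC
	}
	e.Next = n.ReplayCounter() + 1
	return payload, nil
}

func main() {
	c, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed 128-bit key
	header, n := []byte{0x41, 0x88, 0x07}, Nonce{Addr: 1, FrameCounter: 7} // constructed
	acl := &ACLEntry{Cipher: c, MICLen: 8}
	out, err := acl.Open(header, n, Seal(c, header, []byte("temp=21.5C"), n, 8))
	fmt.Printf("delivered %q (err=%v); next accepted counter %d\n", out, err, acl.Next)
}
```

Because the frame counter and key counter are carried in the clear, the receiver can rebuild every counter block itself; the block counter starts at 1 for the first 16-byte block of each packet and is recomputed per block, so it never needs to be transmitted.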

E. Keying Models

In symmetric encryption, a key must be shared among the parties that want to communicate. Here we will review the keying schemes supported by IEEE 802.15.4:

1) Network shared keying: In this model, a single key is shared across the network. Each station uses the same key to communicate with any other station. Key management becomes trivial and memory requirements are minimal. Therefore, deployment of this model is very straightforward. However, this model suffers from several weaknesses. First, it is vulnerable to insider attacks, where a malicious node has access to all communications in the network. Another vulnerability is single key compromise, where an attacker has to compromise only one node to gain access to all the network communications.


2) Pairwise keying: In this model, each pair of nodes shares a unique key, so if a node is compromised, then only that node's communications are affected; all other communications remain secure. This solution provides much better robustness but adds overhead for key management. If the network increases in size, then the memory requirements also increase, and in devices with minimal resources it could be prohibitive.

3) Group keying: This model is a compromise between Network shared keying and Pairwise keying. A single key is shared among a predetermined sub-group of the network. The total network can be partitioned into sub-groups based on location, network topology, or type of data. Hybrid approaches are also possible, where a system can use a combination of the keying models presented to better suit the needs of a particular application.

F. Security analysis of IEEE 802.15.4

The main concern when implementing an application using the IEEE 802.15.4 specification is the limited amount of resources the nodes have. Usually, power and memory constraints limit the possibilities of deploying a strong security solution. Now let's review some of the vulnerabilities noted in [18]:

1) IV Management problems: There is a possible vulnerability when the same key is used in multiple ACL entries. As noted before, the pair <nonce, key> should be unique for each packet in AES-CTR; if the same key is used in different ACL entries, then there is a possibility that nonces are repeated and the security of AES can be compromised. Nonces can be repeated because the counters in different ACL entries are independent; therefore, there is a probability that they take the same value.

2) Loss of ACL State Due to power issues: In the case of power failure, the state of the ACL can be lost and counters can be reinitialized with zero values; therefore, nonces will be repeated, and the security of the system would be compromised. The IEEE 802.15.4 specification does not cover the issue of power failure, and applications not designed with power failures in mind can easily appear to work but fail to secure communications. A similar issue happens when the devices go into low power operation. If the state of the ACL entries is not preserved, then nonces will be reused. Again, the specification does not address this issue [18].

3) Key Management Problems: The specification for Group Keying is not specific, and poses difficult scenarios for the deployment of secure applications. A network composed of several nodes requiring confidential services can be implemented with several ACL entries, all of them with the same key. By the argument noted before, nonces will be repeated and the security of the system would be compromised. Another solution would be to have only one entry in the ACL, and dynamically change the address for each packet to be sent. However, on the receiver end there is no easy way to set the ACL entry ahead of time so that the next packet to arrive is processed with the information present in the ACL. Therefore, implementing Group keying securely appears to be cumbersome. In network shared keying there is no way to deploy replay protection. All the nodes share the same key, and consequently the replay counter would be updated any time a packet is received, regardless of which station sent it. For example, station 1 sends packet 1 to station 2 and the replay counter in station 2 becomes 1; then, station 3 sends a packet to station 2 and the replay counter is updated to 2. Now station 1 sends packet 2 to station 2, but its replay counter already has the value 2, so the valid packet is dropped.


Pairwise keying needs memory proportional to the size of the network. The IEEE 802.15.4 specification mandates support for up to 255 ACL entries but does not specify a minimum. Consequently, there is compliant hardware that has support for up to 2 entries in the ACL; therefore, deploying pairwise keying on such hardware is not possible unless there are only three nodes in the network. There are also issues with the integrity and confidentiality of the acknowledgment packets. Currently, the specification does not protect ack packets, and some attacks are conceivable using ack packets only. For example, an attacker can send ack packets to a sender who requests acknowledgment and block the delivery of the packets (jamming) to the original recipient. This attack can be performed with no difficulty because ack packets travel in the clear. Furthermore, supporting confidentiality with no integrity also opens the door to some attacks. For example, if an attacker sends a packet with the replay counter at its maximum value, the receiver will accept the packet because there is no integrity check and will update the replay counter to the maximum value. Then any valid packet will be dropped because it will come with a lower replay counter and will be considered a replay attempt. Therefore, using AES-CTR is dangerous and should not be applied. These issues with the specification make the deployment of secure applications over IEEE 802.15.4 compliant devices still uncertain. Application developers must be really careful in designing new solutions until a new revision addresses these issues.
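The replay counter and nonce bookkeeping behind the network shared keying and IV management problems discussed in this section, simulated in Go as an added example that is not part of this survey or of [18]. Station numbers, key names and counter values are constructed, and the `receiver` type models only the replay check of an ACL entry, with no cipher, so that the state management issue stands on its own; `nonceReuse` is likewise this example's own helper, not an API of the specification.

```go
package main

import "fmt"

// aclEntry is the receiver-side replay state kept per ACL entry.
type aclEntry struct {
	keyID string
	next  uint64 // lowest replay counter value still accepted
}

// receiver resolves the sender address to an ACL entry. Under network shared keying
// every sender falls through to the single default entry, so all senders share one counter.
type receiver struct {
	entries      map[uint16]*aclEntry
	defaultEntry *aclEntry
}

// accept applies the replay check: the received counter must be higher than the stored one.
func (r *receiver) accept(src uint16, counter uint64) bool {
	e, ok := r.entries[src]
	if !ok {
		e = r.defaultEntry
	}
	if e == nil || counter < e.next {
		return false
	}
	e.next = counter + 1
	return true
}

// sharedKeyScenario replays the three-station example under network shared keying
// (one key, one ACL entry, one replay counter); the third result is the dropped valid packet.
func sharedKeyScenario() []bool {
	r := &receiver{entries: map[uint16]*aclEntry{}, defaultEntry: &aclEntry{keyID: "network-key"}}
	return []bool{
		r.accept(1, 1), // station 1, packet 1: counter becomes 1
		r.accept(3, 2), // station 3, its packet 2: counter becomes 2
		r.accept(1, 2), // station 1, packet 2: 2 is not above 2, so it is dropped
	}
}

// pairwiseScenario repeats the same traffic with one ACL entry (and counter) per sender.
func pairwiseScenario() []bool {
	r := &receiver{entries: map[uint16]*aclEntry{1: {keyID: "key-1-2"}, 3: {keyID: "key-3-2"}}}
	return []bool{r.accept(1, 1), r.accept(3, 2), r.accept(1, 2)}
}

// nonceID is the <nonce, key> pair that AES-CTR requires to be unique per packet.
type nonceID struct {
	keyID  string
	addr   uint16
	frame  uint32
	keyCtr uint8
}

// senderEntry is a sender-side ACL entry with its own independent frame counter.
type senderEntry struct {
	keyID  string
	frame  uint32
	keyCtr uint8
}

// nonceReuse returns every <nonce, key> pair that a sender with address addr would emit
// twice when several ACL entries share a key but keep separate counters (the IV
// management problem); an empty result means the counters are safe.
func nonceReuse(addr uint16, entries []senderEntry, packetsPerEntry int) []nonceID {
	seen := map[nonceID]bool{}
	var dup []nonceID
	for _, e := range entries {
		for i := 0; i < packetsPerEntry; i++ {
			id := nonceID{e.keyID, addr, e.frame + uint32(i), e.keyCtr}
			if seen[id] {
				dup = append(dup, id)
			}
			seen[id] = true
		}
	}
	return dup
}

func main() {
	fmt.Println("shared key, accepted:", sharedKeyScenario())
	fmt.Println("pairwise,   accepted:", pairwiseScenario())
	two := []senderEntry{{"group-key", 0, 0}, {"group-key", 0, 0}} // two destinations, same key
	fmt.Println("reused <nonce, key> pairs:", len(nonceReuse(0x0001, two, 4)))
}
```

The sender-side check is the one worth keeping in a deployment: any two ACL entries that carry the same key must also share a single frame and key counter, or start from disjoint counter ranges, otherwise the nonces collide as soon as both entries send.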


VII. HOMERF

The HomeRF Working Group was disbanded in January 2003 [20]. Here we include a brief review of what HomeRF was: The Home Radio Frequency Working Group developed a single specification (Shared Wireless Access Protocol, SWAP) for a broad range of interoperable consumer devices. SWAP is an open industry specification that allows PCs, peripherals, cordless telephones and other consumer devices to share and communicate voice and data in and around the home without the complication and expense of running new wires. The SWAP specification provides low cost voice and data communications in the 2.4GHz ISM band. The membership of the group exceeded 100 companies and was made up of leading companies across the PC, consumer electronics, networking, peripherals, communications, software, retail channel, home control and semiconductor industries worldwide. Unlike other wireless LAN standards, the HomeRF protocol provides high quality, multi-user voice capabilities. HomeRF combines the best of broadband wireless data networking technology with the most prevalent digital cordless telephony standard in the world [20].


VIII. IRDA

The Infrared Data Association (IrDA) defines physical specifications and communication protocols for the short range exchange of data over infrared light, for uses such as personal area networks (PANs). In 1995 only 38% of the leading portable computer manufacturers shipped Infrared with their product. By 1997 that number reached 100%, and now it is widely expected that a personal device (laptop, PDA, mobile phone) will include an infrared port. The reason is simple: cost, reliability and flexibility have all contributed to the overwhelming acceptance the Infrared standard now enjoys [21]. The IrDA protocol stack can be divided into two groups: required and optional layers. The required layers of IrDA include the Physical Layer (IrPHY), the Infrared Link Access Protocol (IrLAP), the Infrared Link Management Protocol (IrLMP), and the Information Access Service (IAS). The optional protocol layers include the TinyTP transport protocol, an object exchange protocol (IrOBEX), and a serial and parallel port emulation protocol (IrCOMM).

IrPHY: The mandatory IrPHY (Infrared Physical Layer Specification) is the lowest layer of the IrDA specifications. The most important specifications are:

• range (1.0 m, low-power 0.1 m)
• angle
• speed (2.4 kbit/s - 16 Mbit/s)
• modulation

IrLAP: The mandatory IrLAP (Infrared Link Access Protocol) is the second layer of the IrDA specifications. It lies on top of the IrPHY layer and below the IrLMP layer. It represents the Data Link Layer of the OSI model. IrLAP provides reliable data transfer using retransmission, low-level flow control, and error detection. IrLAP allows IR systems to deal with data transfer at a low level. By handling data transfer at a low level, IrLAP frees the upper layers of an IrDA system from dealing with data transmission. As a result, the upper layers are assured that their data will be delivered (or at least that they will be informed if it was not). The most important specifications are:

• Access control
• Discovery of potential communication partners
• Establishment of a reliable bidirectional connection
• Negotiation of the Primary/Secondary device roles

On the IrLAP layer the communicating devices are divided into a Primary Device and one or more Secondary Devices. The Primary Device controls the Secondary Devices. A Secondary Device is only allowed to send when the Primary Device requests it to do so.

IrLMP: The mandatory IrLMP (Infrared Link Management Protocol) is the third layer of the IrDA specifications. It can be broken down into two parts. First, the LM-MUX (Link Management Multiplexer), which lies on top of the IrLAP layer. Its most important achievements are:

• Provides multiple logical channels
• Allows change of Primary/Secondary devices

Second, the LM-IAS (Link Management Information Access Service), which provides a list where service providers can register their services so other devices can access these services by querying the LM-IAS. The IrLMP layer provides multiplexing, high-level discovery, address conflict resolution for the IrLAP discovery, and an Information Access Service (IAS). This protocol layer depends on the reliable connection and negotiated performance provided by the IrLAP layer. The IAS acts as the "yellow pages" for a device. All of the services/applications available for incoming connections must have entries in the IAS. These entries are used to determine the service address (LSAP-SEL). These entries are also queried for additional information about services.

TTP: The optional Tiny TP (Tiny Transport Protocol) lies on top of the IrLMP layer. It provides:

• Transportation of large messages by SAR (Segmentation and Reassembly)
• Flow control by giving credits to every logical channel

Even though TTP is an optional IrDA layer, it is so important that engineers should consider it a required layer (except in the case of current printing solutions).

IrOBEX: The optional object exchange protocol layer (IrOBEX) allows systems of all sizes and types to exchange a wide variety of data and commands in a resource-sensitive standardized fashion. This protocol layer takes an arbitrary data object (a file, for instance) and sends it to whatever device the IR port is pointing at. IrOBEX also provides tools that enable the object to be intelligently recognized and handled on the receiving side. The potential range of objects is wide, encompassing not only traditional files, but also pages, phone messages, digital images, electronic business cards, database records, handheld instrument results, and machinery diagnostics. The common thread is that the application doesn't need or want to get involved in managing connections or dealing with the communications process at all. The application simply wants to take an object and ship it to the other side with the least amount of hassle. Messages that are supported are: vCard, vCalendar, vNotes, vMessage, vBookmark.

IrCOMM: When the IrDA standards were developed, there was a strong desire to allow existing PC applications that use serial and parallel ports to operate via IR without change. These applications, collectively known as legacy applications, include printing, file transfer applications, and modem communications. IrCOMM is an optional IrDA protocol that applies only to certain applications. In general, new applications are better served if they avoid IrCOMM and directly use other IrDA application protocols such as IrOBEX, IrLAN, or TTP.


IX. WIRELESS CELLULAR TECHNOLOGIES

Wireless technologies have improved significantly over the last few years. These improvements have produced some technologies that, because of the fast pace at which newer and improved technologies were developed, never saw much deployment. The same is true for wireless cellular technologies, where business models and return on investment (ROI) govern the prevalence or decay of any technology. Therefore, instead of a clean cut between a technology and its successor, new technologies always have to adapt themselves to offer strong backward compatibility, making them look like an upgrade rather than a radical change of technology. This reality, plus the commercial reality that each region of the planet or group of countries (USA, Europe, Japan) wants to have its own technology, explains the proliferation of cellular technologies. We will name a few here with some of their highlights [14]:


AMPS: Advanced Mobile Phone System. It is the USA standard for analog cellular service. It is a first-generation wireless technology. It operates at 800 MHz and is a voice-only analog service.

TDMA: Time Division Multiple Access. The first USA digital standard, wherein multiple subscribers are granted access to the same radio frequency spectrum by limiting the time slots in which they access the transmitting and receiving channels. It is considered a second-generation wireless technology.

CDMA: Code Division Multiple Access. In CDMA the frequency spectrum is shared among subscribers, and each subscriber can send and receive their signal over the spectrum using spreading codes. CDMA is considered second-generation technology and was developed originally by Qualcomm in the USA. CDMA has been in use as a digital transport by the U.S. military since the 1940's; however, as a commercial wireless transport it is fairly new compared to AMPS and TDMA. CDMA supports more simultaneous users than AMPS or TDMA, and uses less power, thus extending battery life.

GSM: Global System for Mobile Communications. It is similar to TDMA but uses 200 KHz wide channels and has a 13 Kbps voice coder. It is widely used in Europe and is considered second-generation technology. It was the first widely used technology, with more than 200 countries using the same standard. It was originally conceived to work in the 900 MHz band; however, due to its success, networks have also deployed GSM in the 1800 MHz frequency range. It is also known as PCN (Personal Communication Network).

CDPD: Cellular Digital Packet Data. It is a TCP/IP-based mobile data-only service that runs over AMPS. It requires a modem to convert TCP/IP data into analog data. It has a raw output of 19 Kbps; however, 9600 bps is the effective throughput because of protocol overhead.

NMT: Nordic Mobile Telephone. The original 1981 Nordic Countries standard for analog cellular service. It is a first-generation technology.

TACS: Total Access Communication System. It is an analog cellular service used in the United Kingdom and some parts of Asia. It is a first-generation technology.

PDC: Personal Digital Cellular. It is a TDMA-based technology used in Japan that uses the 800 MHz and 1500 MHz frequency bands to offer digital cellular service. It is considered second-generation technology.

HSCSD: High-Speed Circuit-Switched Data. It is a circuit-switched protocol based on GSM which offers speeds up to 38.4 Kbps. It is considered a 2.5G technology.

GPRS: General Packet Radio Service. It is an IP-based packet-switched wireless protocol. It is based on GSM and is already deployed in many networks. It offers data rates up to 144 Kbps, and because of the high available speeds, GPRS offers operators a smooth transition to 3G systems. It is considered a 2.5G technology.

EDGE: It is a higher-bandwidth upgrade over GPRS with transmission speeds up to 384 Kbps. It is considered a 2.5G technology.

So far we have reviewed up to what is known as 2.5 generation technologies. The next step is 3G, which promises very high transmission speeds and performance (2 Mbps). For the 3G framework the International Telecommunications Union (ITU) defined the International Mobile Telecommunications 2000 program (IMT-2000). The key goals of IMT-2000 are:
• Enable global roaming with a single low-cost terminal.
• Support information access all the time everywhere.
• Increase efficiency and capacity.
• Enable services like WAN for PCs and multimedia.
• Offer bandwidth on demand.
• Integrate satellite services and fixed wireless access with the cellular network.

IMT-2000 provides a framework for worldwide wireless access by linking the diverse systems of terrestrial and/or satellite based networks. It will exploit the potential synergy between digital mobile telecommunications technologies and systems for fixed and mobile wireless access systems. Following the guidelines of IMT-2000, there are mainly two systems in the race for the 3G mobile communication systems. These systems aim also to create a global standard for mobile cellular technologies:


UMTS: Universal Mobile Telecommunications System is the European answer to the ITU IMT-2000 standard; it represents the 3G evolution of GSM. UMTS development is regulated by the 3rd Generation Partnership Project (3GPP).

cdma2000: cdma2000 is the trademark for the technical nomenclature for certain specifications and standards produced by the 3rd Generation Partnership Project 2 (3GPP2). cdma2000 is the 3G evolution of cdmaOne.



These two main technologies shall become the de facto standards for 3G cellular systems worldwide, and in this study we will focus our attention on the security architectures supported by these two candidates.

X. UMTS

As noted before, the Universal Mobile Telecommunications System is the European answer to the ITU IMT-2000 standard, and its development is regulated by the 3rd Generation Partnership Project [22]. The purpose of 3GPP is to prepare, approve and maintain a set of globally applicable technical specifications and technical reports for a 3rd generation mobile system based on the evolved GSM core network and the radio access technologies it supports, to be transposed into appropriate standards. A quick and very light overview of the UMTS technology follows. UMTS offers data rates of 144 kbits/s for satellite and rural outdoor, 384 kbits/s for urban outdoor, and 2048 kbits/s for indoor and low-range outdoor. With these, there are four traffic classes to support network services with QoS:
• Conversational class (voice, video telephony, video gaming)
• Streaming class (multimedia, video on demand, webcast)
• Interactive class (web browsing, network gaming, database access)
• Background class (email, SMS, downloading)

A UMTS network consists of three interacting domains: Core Network (CN), UMTS Terrestrial Radio Access Network (UTRAN) and User Equipment (UE). The CN is in charge of providing switching, routing and transit for user traffic, and also contains the databases and network management functions. The basic CN architecture for UMTS is based on the GSM network with GPRS. The CN is divided into circuit-switched and packet-switched domains. Some of the circuit-switched elements are the Mobile services Switching Centre (MSC), the Visitor Location Register (VLR) and the Gateway MSC. Packet-switched elements are the Serving GPRS Support Node (SGSN) and the Gateway GPRS Support Node (GGSN). Some network elements, like the EIR, HLR, VLR, and AuC, are shared by both domains. In the UTRAN, Wideband CDMA (W-CDMA) technology was selected for the air interface. W-CDMA is a Direct Sequence CDMA system where user data is multiplied with quasi-random bits derived from W-CDMA spreading codes. In UMTS, in addition to channelization, codes are used for synchronization and scrambling. W-CDMA has two basic modes of operation: Frequency Division Duplex (FDD) and Time Division Duplex (TDD). For the UE, the UMTS standard does not restrict the functionality of the UE in any way. The UE simply works as the air interface counterpart for a Base Station (Node-B), and has many different types of identities. For ease of analysis, the UE is divided into the Mobile Station (MS), which performs the subscriber application computations, and the USIM, which runs on the UICC and is in charge of Authentication and Key Agreement (AKA) [23]. The specifications for the UMTS technology are spread among several recommendations, and their analysis is outside the scope of this study; the previous introduction was presented for clarity purposes only. Here, we focus on the security architecture of UMTS, and we follow the presentation of the paper "An Introduction to Access Security in UMTS" by Geir M. Koien [24].

A. UMTS Security Architecture

The Universal Mobile Telecommunications System (UMTS) is the next evolution of GSM. Because of this, backward compatibility had to be ensured, and the security mechanisms in GSM were the starting point for the design of access security in UMTS. UMTS security has been designed to improve on the second-generation security mechanisms and add new features. The UMTS security architecture is defined in the technical specification 3G TS 33.102 "Security Architecture" [25]. The main points are [24]:
• Authenticate the User Equipment (UE) to the network through the USIM.
• Provide the UE and Serving Network (SN) with session keys.
• Allow the UE and SN to set up connections protected by the session keys.

The primary user identity is the International Mobile Subscriber Identity (IMSI) number. This is not to be confused with the subscriber number (MSISDN, Mobile Station Integrated Services Digital Network). The MSISDN and IMSI are associated in the operator databases. The IMSI is used for internal identification and routing purposes, and it has the following structure:
• It is no more than 15 decimal digits long.
• The first three digits are the Mobile Country Code (MCC), issued by the ITU.
• The next two or three digits are the Mobile Network Code (MNC), issued by the national regulatory authority.
• The Mobile Subscriber Identification Number (MSIN) is set by the network operator.
To avoid subscriber tracking, the IMSI is transmitted over the air only the first time a UE enters a service area. After identification is established, the SN issues a Temporary Mobile Subscriber Identification (TMSI) to the UE, which is sent encrypted for enhanced protection. Therefore, it is hard to track a particular subscriber. There is also an International Mobile Station Equipment Identity (IMEI), a unique identity that is checked against a database called the Equipment Identity Register (EIR) to verify whether a handset has been stolen and is being used fraudulently. The Universal Subscriber Identity Module (USIM) is an application running on a smartcard (UICC). The Universal Integrated Circuit Card (UICC) is the chip card that contains the USIM application and also provides a platform for other IC card applications. The UICC is a tamper-resistant smartcard subscriber identity module.
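The identity handling just described, as an added example that is not part of this survey or of any 3GPP specification: a Python parser for the MCC/MNC/MSIN layout listed above, plus a toy VLR that hands out a fresh temporary identity on every attach, so that the permanent IMSI crosses the air interface only once. The class and function names (Imsi, parse_imsi, ServingNetwork), the choice of a 32-bit random TMSI reallocated on each attach, and the sample IMSI 001010123456789 (the ITU test MCC 001 followed by a constructed MNC and MSIN) are assumptions of this example; whether the MNC has two or three digits is country-dependent and is passed in rather than looked up, and the encryption of the TMSI on the air interface is not modelled.

```python
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Imsi:
    mcc: str   # Mobile Country Code, 3 digits, issued by the ITU
    mnc: str   # Mobile Network Code, 2 or 3 digits, issued nationally
    msin: str  # Mobile Subscriber Identification Number, set by the operator


def parse_imsi(imsi: str, mnc_length: int) -> Imsi:
    """Split an IMSI into its three fields.

    The MNC length (2 or 3) depends on the country; a real VLR looks it up
    in a per-MCC table, which this example does not include (assumption)."""
    if not re.fullmatch(r"[0-9]{1,15}", imsi):
        raise ValueError("IMSI must be 1 to 15 decimal digits")
    if mnc_length not in (2, 3):
        raise ValueError("MNC is two or three digits")
    if len(imsi) <= 3 + mnc_length:
        raise ValueError("IMSI too short to carry an MSIN")
    return Imsi(imsi[:3], imsi[3:3 + mnc_length], imsi[3 + mnc_length:])


def is_valid_imsi(imsi: str, mnc_length: int) -> bool:
    try:
        parse_imsi(imsi, mnc_length)
        return True
    except ValueError:
        return False


class ServingNetwork:
    """Toy VLR mapping temporary identities to the permanent IMSI.

    It counts how often the IMSI itself crossed the air interface, which is
    exactly what the TMSI mechanism is meant to minimise."""

    def __init__(self, mnc_length: int = 2):
        self._mnc_length = mnc_length
        self._tmsi_to_imsi = {}
        self.imsi_over_the_air = 0

    def _allocate_tmsi(self, imsi: str) -> str:
        # 32-bit random TMSI, fresh on every attach (assumption: the real
        # reallocation policy is the operator's choice).
        while True:
            tmsi = secrets.token_hex(4)
            if tmsi not in self._tmsi_to_imsi:
                self._tmsi_to_imsi[tmsi] = imsi
                return tmsi

    def attach_with_imsi(self, imsi: str) -> str:
        """First contact in a service area: the permanent identity is sent."""
        parse_imsi(imsi, self._mnc_length)   # reject malformed identities early
        self.imsi_over_the_air += 1
        return self._allocate_tmsi(imsi)

    def attach_with_tmsi(self, tmsi: str):
        """Later contacts: only the temporary identity is sent. The old TMSI is
        retired and a new one returned, or None if the TMSI is unknown (the UE
        would then have to fall back to presenting its IMSI)."""
        imsi = self._tmsi_to_imsi.pop(tmsi, None)
        if imsi is None:
            return None
        return self._allocate_tmsi(imsi)

    def identity_of(self, tmsi: str):
        """Resolve a current TMSI back to the IMSI (network-internal use only)."""
        return self._tmsi_to_imsi.get(tmsi)
```

Because every attach after the first carries a different random TMSI, an observer of the air interface cannot link two attaches of the same subscriber from the identities alone; the one IMSI transmission on first entry into the service area is the residual exposure the text refers to.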

B. Identity Verification and Key Agreement

At connection setup, the UE presents its IMSI or TMSI to the SN. The network then executes an authentication procedure known as Authentication and Key Agreement (AKA), in which the UE is authenticated and session keys for confidentiality (CK) and integrity protection (IK) are generated. The AKA procedure is performed in two stages. The first stage involves the transfer of the Authentication Vector (AV) from the home environment (HE) to the SN. The HE is formed by the Home Location Register (HLR) and the Authentication Center (AuC). The SN is formed by the Serving GPRS Support Node (SGSN), which handles packet-switched traffic, and the Visitor Location Register (VLR) with the Mobile Switching Center (MSC), which handles circuit-switched traffic. The AV contains sensitive information like challenge-response data and cryptographic keys. If the network needs to verify a subscriber identity and the VLR/SGSN does not possess a valid AV, then the VLR/SGSN requests an AV from the HLR/AuC. The AV is computed and stored at the AuC node in the HE. A simplified diagram of the security architecture of UMTS is given in Fig. 21.

Fig. 21. Simplified Security Architecture of UMTS [24]

The second AKA stage is a mutual authentication between the network (SN, HE) and the UE (USIM). The cryptographic functions used in the AKA procedure are implemented exclusively in the USIM and AuC. 3GPP developed a set of algorithms known as MILENAGE, which is based on the symmetric block cipher Rijndael (AES). Even though it is given as an example set of algorithms, in practice MILENAGE is widely used for the AKA functions. MILENAGE is a family of cryptographic functions that provide different security services: the challenge-response authentication function, the cipher key derivation function, and the integrity key derivation function. The confidentiality service is provided by encryption using the keys generated by the AKA procedure. The confidentiality key is 128 bits long, but the number of significant bits can be configured. The confidentiality service covers user data and user-related signaling from the Mobile Station (MS) to the Radio Network Controller (RNC) in the SGSN/VLR, as shown in Fig. 21. The integrity service is performed by Message Authentication Code (MAC) mechanisms, providing authentication and integrity. The integrity key is 128 bits long, but the number of significant bits can be configured. Integrity and authentication key generation is provided by the MILENAGE integrity key derivation function. Integrity protection covers only system signaling from the Mobile Station (MS) to the Radio Network Controller (RNC). The authentication sequence is based on a mutual authentication scheme between the SGSN/VLR and the USIM using a long-term pre-shared secret key K. The master key K is stored only on the UICC/USIM and in the AuC in the HE. The VLR/SGSN initiates the local AKA procedure by sending the challenge message to the UE. Authentication of the network side is based on message authentication of the challenge data: only an entity with knowledge of the secret key K could have produced the received challenge. The procedure is executed in a single round trip (one-pass). A one-pass authentication function was chosen to avoid unnecessary transmission of data, for performance reasons. For the same performance reasons, a MAC-based solution was preferred over public key technology; another reason for this decision is that MAC mechanisms were already in use in GSM/GPRS systems. The USIM also verifies a sequence number that must be within a range, using a window mechanism to avoid replay attacks. Then the USIM is in charge of generating the session keys CK and IK. It is worth mentioning that the cryptographic functions for AKA are in principle operator-specific, and an example set of functions was made available to vendors and operators to speed up deployment. The example algorithms were based on a core cryptographic engine that was explicitly required to be a block cipher. The result was the MILENAGE framework, which can be made to work with any block cipher with 128-bit blocks and a 128-bit key. The Rijndael block cipher was chosen for its excellent performance on platforms with limited computing resources and because it was extensively evaluated during the AES selection process. The performance characteristics are especially important because the authentication functions have to be executed on the fly in smartcards with limited resources [24]. The analysis of each function of the MILENAGE framework is beyond the scope of this study.
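The two-stage AKA exchange described in this section, as an added example that is not code from the survey, from 3GPP or from the MILENAGE specification: a Python model in which the AuC builds an authentication vector, the serving network relays the one-pass challenge, and the USIM authenticates the network by its MAC, enforces a sequence-number window against replay, and derives CK and IK. The functions f1 to f5 here are HMAC-SHA256 stand-ins with a label per function, not the AES-based MILENAGE functions; the AUTN layout (SQN masked by AK, then AMF, then MAC), the constant AMF, the 8-byte MAC and RES, the acceptance window of 32 and the names AuC, USIM and run_aka are assumptions of this example chosen to show the message flow, not the exact field sizes of the standard.

```python
import hmac
import os
from hashlib import sha256

# Constructed constants for this model (not values from the UMTS specifications).
AMF = b"\x80\x00"   # authentication management field carried inside AUTN
SQN_LEN = 6         # sequence number length in bytes
SQN_WINDOW = 32     # how far ahead of the last accepted SQN the USIM will accept (assumption)


def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Stand-in for the MILENAGE functions: HMAC-SHA256 with a per-function label.
    Real UMTS derives f1..f5 from AES (MILENAGE); only the message flow is modelled."""
    return hmac.new(key, label + b"".join(parts), sha256).digest()


def f1(k, rand, sqn, amf):  # network authentication code MAC-A (truncated to 64 bits)
    return _prf(k, b"f1", rand, sqn, amf)[:8]

def f2(k, rand):            # expected response XRES / RES
    return _prf(k, b"f2", rand)[:8]

def f3(k, rand):            # confidentiality key CK, 128 bits
    return _prf(k, b"f3", rand)[:16]

def f4(k, rand):            # integrity key IK, 128 bits
    return _prf(k, b"f4", rand)[:16]

def f5(k, rand):            # anonymity key AK, hides SQN inside AUTN
    return _prf(k, b"f5", rand)[:SQN_LEN]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class AuC:
    """Home environment (HLR/AuC): holds each subscriber's long-term K and SQN counter."""

    def __init__(self, subscribers: dict):
        self._keys = dict(subscribers)          # {imsi: K}
        self._sqn = {imsi: 0 for imsi in subscribers}

    def authentication_vector(self, imsi: str, rand: bytes = None) -> dict:
        """Stage 1 of AKA: build the AV that is handed to the serving network."""
        k = self._keys[imsi]
        self._sqn[imsi] += 1
        sqn = self._sqn[imsi].to_bytes(SQN_LEN, "big")
        rand = os.urandom(16) if rand is None else rand
        autn = _xor(sqn, f5(k, rand)) + AMF + f1(k, rand, sqn, AMF)
        return {"rand": rand, "xres": f2(k, rand), "ck": f3(k, rand),
                "ik": f4(k, rand), "autn": autn}


class USIM:
    """Subscriber side: holds K and the highest sequence number accepted so far."""

    def __init__(self, k: bytes):
        self._k = k
        self._highest_sqn = 0

    def respond(self, rand: bytes, autn: bytes):
        """Stage 2 on the UE: authenticate the network, check freshness, derive keys.
        Returns (status, keys) with status "ok", "bad_mac" or "bad_sqn"."""
        sqn_bytes = _xor(autn[:SQN_LEN], f5(self._k, rand))
        amf = autn[SQN_LEN:SQN_LEN + 2]
        mac = autn[SQN_LEN + 2:]
        # Only a party holding K could have produced this MAC over RAND||SQN||AMF.
        if not hmac.compare_digest(mac, f1(self._k, rand, sqn_bytes, amf)):
            return "bad_mac", None
        # Replay protection: SQN must be fresh and inside the acceptance window.
        sqn = int.from_bytes(sqn_bytes, "big")
        if not self._highest_sqn < sqn <= self._highest_sqn + SQN_WINDOW:
            return "bad_sqn", None
        self._highest_sqn = sqn
        return "ok", {"res": f2(self._k, rand), "ck": f3(self._k, rand), "ik": f4(self._k, rand)}


def run_aka(auc: AuC, usim: USIM, imsi: str, rand: bytes = None):
    """The serving network's view of one AKA run (a single challenge/response round trip).
    Returns (status, session_keys, av)."""
    av = auc.authentication_vector(imsi, rand)            # HE -> SN
    status, keys = usim.respond(av["rand"], av["autn"])   # SN -> UE challenge, UE -> SN response
    if status != "ok":
        return status, None, av
    if not hmac.compare_digest(keys["res"], av["xres"]):
        return "bad_res", None, av
    return "ok", {"ck": keys["ck"], "ik": keys["ik"]}, av
```

Two properties of the text are visible in the model: the serving network never sees K and only compares RES with XRES, and replaying a captured challenge fails at the USIM on the sequence-number check even though its MAC is still valid.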

C. Confidentiality and Integrity Protection

The UICC/USIM module is issued by the HE, and the authentication security information on the USIM has its counterpart in the AuC, which is located in the HE. In contrast, the encryption and integrity functions are located in the MS and the corresponding SN (RNC). Therefore, it was essential that the security architecture in UMTS had fully standardized default encryption and integrity functions to ensure the required compatibility among the several serving networks. The security architecture allows 16 different encryption algorithms and 16 different integrity algorithms, but only one has been made available so far. The cryptographic core engine of the standard encryption and integrity algorithms is based on the KASUMI block cipher. KASUMI is a Feistel cipher with eight rounds that operates on a 64-bit data block with a 128-bit key. The guidelines for KASUMI were to make it reasonably fast in software on any processor and fast in hardware. It had to be provably secure against differential and linear cryptanalysis. KASUMI has been evaluated, and the general conclusion was that the KASUMI algorithms were based on sound design principles and that no practical attacks were found for use within the UMTS context [24]. The UMTS access security encryption function is a link-layer symmetric synchronous stream cipher. It is specified to generate a pseudo-random keystream that is combined with a plaintext block by bitwise modulo-2 operations. It takes a 128-bit key CK, but operates internally on a 64-bit block. As mentioned before, the integrity protection in UMTS is limited to signaling messages between the MS and the RNC. The integrity function takes as input the integrity key IK, the message to be protected, a sequence number, a direction bit and a random number. The computed MAC is included in the signaling message by the sending party. The receiving end recomputes the MAC and accepts the message only if both MACs match. The integrity function is based on the KASUMI block cipher and is a variant of the cipher-block-chaining message authentication code (CBC-MAC) method. The final output of the integrity function is a 64-bit cipher block, which is truncated to become the 32-bit MAC value.

D. Security Analysis of UMTS

One of the most relevant shortcomings of the security architecture in UMTS is the lack of support for public key technology. The reasoning was the performance of the system. However, public key technology is very useful for e-commerce purposes, and work is now being done to support digital subscriber certificate capabilities. Another issue is that the Initialization Vector used in the encryption algorithm is essentially predictable. Koien in [24] argues that, given the low entropy, an attacker can perform known-plaintext attacks. However, the designers of the KASUMI-based encryption algorithm analyzed this situation, and the algorithm was designed so that the pattern of the IV is very difficult to predict. In conclusion, even if there is some theoretical weakness, it is very unlikely that the KASUMI algorithm would be vulnerable to this kind of attack. Another big shortcoming is the lack of integrity protection for user data. Especially in circumstances where encryption might not be available, integrity would be the only protection. However, the service is not offered, and in these cases the user data is left unprotected. Vulnerabilities based on the birthday paradox are also conceivable, but the KASUMI integrity protection is intended to protect real-time signaling messages with short expiry periods. The same reasoning goes for the length of the MAC values. A final 32-bit MAC could sound dangerously short, but a compromise must be made between the overhead introduced by longer MACs and the performance of the system. Furthermore, increasing the MAC size would lead to segmentation of packets, which is highly undesirable for performance. Another issue is that the transfer of the CK and IK from the SGSN/VLR to the RNC is not standardized. It is up to the implementations to secure this sensitive information. However, experience shows that the weak link in well-designed security systems lies in poor implementations. Finally, Koien states that if KASUMI is used within its intended scope, it should remain cryptographically safe for the next few years.

XI. CDMA 2000

cdma2000 is the other 3G mobile telecommunications technology that follows the guidelines of the ITU's IMT-2000 standard. It is the successor to 2G CDMA (IS-95 or cdmaOne), and the underlying signaling standard is known as IS-2000. The development of cdma2000 is the responsibility of 3GPP2 [26]. cdma2000 is the trademark for the technical nomenclature for certain specifications and standards of the Organizational Partners of 3GPP2. cdma2000 is a registered trademark of the Telecommunications Industry Association (TIA-USA) in the United States. cdma2000 is the evolution of cdmaOne to 3rd generation technology. It can be deployed in several phases. The first phase, cdma2000 1x, also known as 3G1X, is the core of the 3G cdma2000 technology; it supports an average of 144 kbps packet data rate in a mobile environment. The designation 1x identifies the version of cdma2000 radio technology that uses the same 1.25 MHz spectrum as CDMA IS-95. The evolution of cdma2000 1x is labeled cdma2000 1xEV. 1xEV will be implemented in steps: 1xEV-DO (1x Evolution Data Only) and 1xEV-DV (1x Evolution Data and Voice). Both 1xEV cdma2000 evolution steps will use a standard 1.25 MHz carrier. 1xEV-DO will support 2.4 Mbps in a fixed environment, 384 Kbps for pedestrian and 144 kbps for vehicular use. 1xEV-DV should support speeds up to 3.09 Mbps. cdma2000 3x is part of what the ITU has termed IMT-2000 CDMA MC (Multi Carrier). It uses less than 5 MHz of spectrum (3 x 1.25 MHz channels) to give speeds of over 2 Mbps. cdma2000 1x, with its lower data speed, is considered to be a 2.5G technology. cdma2000 1xEV-DO and cdma2000 3x are part of the ITU's IMT-2000 (3G) standards. As with UMTS, a complete analysis of cdma2000 is outside the scope of this study. Here, we will focus on a review of the security architecture adopted in cdma2000. As we will review, UMTS and cdma2000 have a lot in common: both have to assure backward compatibility with their 2G predecessors (GSM and cdmaOne), and this inevitably makes it cumbersome to develop a proper security architecture. Therefore, UMTS and cdma2000 face the same problems, risks, and threats. In this study we will follow the presentation of the paper "Access Security in cdma2000, including a comparison with UMTS Access Security" by Greg Rose and Geir Koien [27].

A. Security Architecture of cdma2000

The cdma2000 access security architecture shares a number of common mechanisms with UMTS, including the Authentication and Key Agreement (AKA) mechanism. Probably the most important requirement for cdma2000 security is that any cryptographic algorithm used in the architecture shall be a published and peer-reviewed algorithm. The following entities are directly involved in the cdma2000 security architecture:
• The Home Network (HN), in particular the Home Location Register (HLR) and Authentication Register (AC).
• The Serving Network (SN), in particular the Visited Location Register (VLR) and the Mobile Station Controller/Packet Data Serving Node (MSC/VLR or PDSN).
• The Mobile Station (MS) or subscriber handset.
• The User Identity Module (UIM), or R-UIM if it is removable.

As shown, cdma2000 shares a lot of its structural organization with UMTS because both are developed following the guidelines of the IMT-2000 specifications. Therefore, much of the discussion of the security architecture in UMTS applies also to cdma2000. In this section we will highlight the similarities, and discuss and review the differences. One of the delicate issues in cdma2000 is the initial provisioning of the authentication shared key K into the UIM and AC. If the R-UIM is used, the procedure is pretty much the same as in UMTS: the HN is in charge of issuing the R-UIM and also of storing the copy of the shared key K in the AC. The subtlety arises if the UIM is not removable. There are different options in this case. The first one is that the identity of the MS is assigned when the MS is manufactured. In this case, the identity of the MS must be handled very carefully from manufacture through distribution to sale. Here the MS has to be built specifically for each service provider, which reduces the choice of phones available to customers. However, this also reduces the value of the MS in case it is lost or stolen, because the phone's UIM cannot be changed. MS theft is a major problem in the GSM system. The other option is to assign the key K at the point of sale of the handset (MS). Here we have two options: in the first case, the salesperson enters a special code of about 26 digits provided by the home service provider. This is error prone but perfectly achievable. The other method, and the preferred one, is Over-The-Air Service Provisioning (OTASP), where a Diffie-Hellman key establishment algorithm is performed between the UIM and the AC to generate the key K. A Man-in-the-Middle attack could possibly be performed, but the attacker will lose the advantage whenever it ceases to exist. Then the customer will call again to re-perform the OTASP. The authentication key K generated by OTASP is 128 bits long.

B. Authentication and Key Agreement

Once the authentication key K is properly generated and distributed, it can be used to perform an Authentication and Key Agreement (AKA) protocol in order to verify the identity and authentication of the MS to the network and the identity of the network to the MS. Once both parties are authenticated, session keys shall be generated to protect the confidentiality and integrity of the subscriber and network data. Also, the continued presence of the UIM can be verified at any time. The AKA protocol used in cdma2000 is the same as the one used in UMTS, with an extension. The same protocol was adopted by 3GPP2 to have a common core authentication infrastructure to facilitate global roaming. To review, the AKA protocol is performed in two stages. In the first stage an Authentication Vector (AV) with security credentials is passed from the HE to the SN. For this transmission, IPSec is recommended, or at least a mechanism that strong should be used. Tunneling SS7 protocols is another option. A simplified diagram of the security architecture of cdma2000 is given in Fig. 22.

Further discussion of the AKA protocol is given in the UMTS section X-B. The second AKA stage is a mutual authentication between the network (SN, HE) and the MS (UIM). The extension to the UMTS AKA protocol is another key derivation function that produces the UIM Authentication Key (UAK), and a function called UMAC. In the AKA protocol the UIM generates a confidentiality key (CK) and an integrity key (IK) that are passed to the MS to provide confidentiality and integrity services to the subscriber's data. The UIM also generates the key UAK, which is not passed to the MS and is used with the function UMAC to authenticate important signaling messages. This mechanism was introduced to solve the rogue shell problem, where an MS does not delete CK and IK when the R-UIM is removed, or somehow sends CK and IK to another MS; this can lead to fraudulent use. The UMAC procedure defeats this attack without performing the AKA procedure again. In the authentication procedure, a sequence number SQN is included in order to avoid replay attacks. Only if the SQN is valid and there are no synchronization problems are the CK, IK, and UAK generated and the MS (UIM) authorized by the network.

Fig. 22. Simplified Security Architecture of cdma2000 [27]

The cryptographic functions used in the AKA procedure are implemented exclusively in the UIM and AC, and all the functions are standardized based on the SHA-1 compression function. This way, subscribers that want to change to a new service provider can do it with the same handset. Operators could choose their own algorithm set for AKA, and the network infrastructure would continue to work, but it is intended that this capability should be reserved for mobiles with R-UIMs.

C. Core Cryptographic Algorithms

The security architecture of cdma2000 provides mechanisms to negotiate between multiple integrity and confidentiality algorithms; however, only one is currently defined. As mentioned before, the cryptographic algorithms used in cdma2000 are publicly known and peer-reviewed methods. This follows the principle of Open Design. "The principle of open design states that the security of a mechanism should not depend on the secrecy of its design or implementation" [28]. In cdma2000, the Advanced Encryption Standard (AES) is used. AES (Rijndael) is a block cipher that encrypts 128-bit blocks using a 128-bit key. For the confidentiality service, ESP AES is used. ESP AES uses AES in Counter Mode (AES-CTR), with an explicit initialization vector (IV), as an Encapsulating Security Payload (ESP) confidentiality mechanism. Here, the calling application specifies a "freshness" variable (which must be unique for the life of the CK), constructed from the system time and transmission direction. This value is concatenated with a 32-bit counter to form the input to the block cipher operation [27]. The output of the encryption is used as a keystream to encrypt or decrypt the data as required. The confidentiality service is applied to all user and signaling data, and the service is provided between the MS and the MSC, as shown in Fig. 22. The CK is always 128 bits long, although its actual strength might have been artificially reduced. For user authentication, key derivation, and message authentication, the SHA-1 one-way function is used in cdma2000; however, in some cases, like in the pseudo-random function, just the core compression function of SHA-1 is used. Key strength reduction is necessary due to some government regulations on confidentiality. This requires that the MS, UIM, and SN renegotiate a lower entropy for CK. The key strength reduction algorithm is performed in the following way:
• An intermediate key K1 is formed by hashing SHA(CK, salt).
• All but the desired number of bytes of K1 are set to zero.
• A new CK is formed by hashing SHA(K1, salt) and truncating it to 128 bits [27].

Here, a salting technique is used to ensure that even for a small effective key strength, it will not be easy to precompute the possible keys. Even if the reduced-strength CK is recovered, this will not yield information about the original strong CK. As in UMTS, the integrity service is offered only to signaling data; subscriber data is not protected. The reasoning for this design is that if the user's data is sensitive enough to require an integrity service, then integrity shall be provided at the application level. This assumption goes against the principle of fail-safe defaults, which, adapted to this setting, states that unless a certain user's data is explicitly declared to go in the clear, it should always be protected by the integrity service. When integrity is granted, the MAC is calculated and truncated to the desired size, but never to less than 32 bits. If the signaling is important, like billable services, then the authentication function used is UMAC. UMAC relies on IK and UAK, and can be computed only in the UIM. This way, UMAC provides an extremely efficient method for re-authentication. The algorithm used for calculating the MAC is a more efficient variant of HMAC-SHA-1 called EHMAC. EHMAC is optimized for short messages, which is the general case for the signaling data of cdma2000. If UMAC is required, then the result of the normal MAC is passed to the UIM, and the UMAC function is calculated over the MAC value using the UAK key; this result is returned as the value of UMAC.
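The two cdma2000 procedures described in this subsection, the three-step key strength reduction and the UMAC computed over the ordinary MAC with the UAK that never leaves the UIM, as an added Python example that is not code from the survey or from the 3GPP2 specifications. It assumes that SHA(x, salt) means SHA-1 over the concatenation x||salt, that the bytes kept in step 2 are the leading bytes of K1, and that plain HMAC-SHA-1 truncated to 32 bits may stand in for EHMAC, whose optimised construction is not reproduced; the names reduce_ck_strength, reduced_key_space, UIM and verify_signaling, and all keys and messages, are constructed for the example. reduced_key_space enumerates the values a reduced CK can take for a given salt, which is only feasible for the tiny strengths used here and serves to measure the effective entropy the text refers to.

```python
import hashlib
import hmac


def _sha1(*parts: bytes) -> bytes:
    return hashlib.sha1(b"".join(parts)).digest()


def reduce_ck_strength(ck: bytes, salt: bytes, effective_bytes: int) -> bytes:
    """Key strength reduction following the three steps quoted from [27].
    Assumption: SHA(x, salt) = SHA-1(x || salt) and the leading bytes of K1 are kept."""
    size = hashlib.sha1().digest_size
    if not 1 <= effective_bytes <= size:
        raise ValueError("effective strength must be 1..20 bytes")
    k1 = _sha1(ck, salt)                                       # step 1
    k1 = k1[:effective_bytes] + bytes(size - effective_bytes)  # step 2: zero all other bytes
    return _sha1(k1, salt)[:16]                                # step 3: rehash, keep 128 bits


def reduced_key_space(salt: bytes, effective_bytes: int) -> set:
    """All values the reduced CK can take for this salt: after step 2 only
    256**effective_bytes distinct K1 values exist, which is what "effective
    strength" means. Limited to 1 or 2 bytes so the enumeration stays small."""
    if effective_bytes not in (1, 2):
        raise ValueError("enumeration only sensible for 1 or 2 bytes")
    size = hashlib.sha1().digest_size
    return {_sha1(v.to_bytes(effective_bytes, "big") + bytes(size - effective_bytes), salt)[:16]
            for v in range(256 ** effective_bytes)}


def mac(ik: bytes, message: bytes, mac_bytes: int = 4) -> bytes:
    """Signaling MAC with IK. Stand-in for EHMAC: HMAC-SHA-1 truncated to mac_bytes,
    never below the 32-bit minimum given in the text."""
    if mac_bytes < 4:
        raise ValueError("MAC must be at least 32 bits")
    return hmac.new(ik, message, hashlib.sha1).digest()[:mac_bytes]


class UIM:
    """Holds UAK, which never leaves the UIM; the MS only ever receives CK and IK."""

    def __init__(self, uak: bytes):
        self._uak = uak

    def umac(self, mac_value: bytes) -> bytes:
        """UMAC is computed over the ordinary MAC value using UAK."""
        return hmac.new(self._uak, mac_value, hashlib.sha1).digest()[:4]


def verify_signaling(ik: bytes, uak: bytes, message: bytes,
                     mac_value: bytes, umac_value: bytes) -> bool:
    """Network-side check of an important (e.g. billable) signaling message: both the
    MAC under IK and the UMAC under UAK must verify, so a rogue shell that kept IK
    after the R-UIM was removed cannot produce an acceptable message."""
    expected_mac = mac(ik, message)
    if not hmac.compare_digest(expected_mac, mac_value):
        return False
    return hmac.compare_digest(UIM(uak).umac(expected_mac), umac_value)
```

The salt does its job in reduced_key_space: the set of possible reduced keys is different for every salt, so the 256 candidates of a one-byte strength cannot be tabulated once and reused, and nothing in the reduced key reveals the original CK because step 1 is a one-way function of it.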

D. Analysis of the security of cdma2000 Because cdma2000 and UMTS use almost the same security infrastructure, the same reasoning applies to the analysis of its security. Briefly, we note the lack of support for public key technology, which is highly desirable for e-commerce. Another interesting and concerning point is the safety of the SHA-1 hash function. Recent work by Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu states that they have developed a set of new techniques that are very effective for finding collisions in SHA-1. Even though the attack is not yet practical against the full 80-step SHA-1, it succeeds against a reduced 58-step version [29]. These results are a clear warning that a new function or a reinforcement method should be designed, especially because EHMAC is the standard and the only algorithm available. (A collision attack on the underlying hash does not by itself break a keyed HMAC-style construction; the concern is that there is no negotiable alternative should the function degrade further.) We should also note that support for integrity of the subscriber's data is highly desirable. For the confidentiality service, given the amount of review AES has received, the choice of ESP AES looks for now a good solution. Another point is that, as in UMTS, the transfer of the AV, CK and IK from the HE to the SN is not standardized. It is up to the implementations to secure this sensitive information. However, experience shows that the weak link in well-designed security systems lies in poor implementations. The recommendation is to use IPSec or a method as secure as IPSec. A final note about implementations is that even if fully standardized, well-designed mechanisms are provided, it is up to the implementation and the deployment to properly install and configure the system in order to guarantee the intended security goals.


GLOSSARY

3GPP: The 3rd Generation Partnership Project (3GPP) is a collaboration agreement that was established in December 1998. The scope of 3GPP was to make a globally applicable third generation (3G) mobile phone system specification within the scope of the ITU's IMT-2000 project. 3GPP specifications are based on evolved GSM specifications, now generally known as the UMTS system [12]. It uses the IMT-2000 CDMA Direct Spread standard, also known as W-CDMA.

3GPP2: 3GPP2 was born out of the International Telecommunication Union's (ITU) International Mobile Telecommunications "IMT-2000" initiative, covering high speed, broadband, and Internet Protocol (IP)-based mobile systems featuring network-to-network interconnection, feature/service transparency, global roaming and seamless services independent of location. 3GPP2 is the standardization group for CDMA2000, the set of 3G standards based on earlier 2G CDMA technology. It uses the IMT-2000 CDMA Multi-Carrier standard, also known as CDMA2000.

4-Way Handshake: (In IEEE 802.11) A pairwise key management protocol defined by IEEE 802.11i that confirms the mutual possession of a pairwise master key by two parties.

AES: The Advanced Encryption Standard, also known as Rijndael, is a block cipher adopted as an encryption standard by the US government. AES is the successor of the Data Encryption Standard (DES), and it was adopted by the National Institute of Standards and Technology (NIST) as US FIPS PUB 197 in November 2001 after a 5-year standardization process [12]. AES is fast in both software and hardware, requires little memory, and is relatively easy to implement. AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits. In 2002, a theoretical attack known as the XSL attack was announced, showing a potential weakness in the AES algorithm. It seems that the attack, if the mathematics is correct, is not currently practical, as it would have a prohibitively high "work factor". As of 2005, no successful practical attacks against AES have been recognized.

AK: (In IEEE 802.16) Authorization Key: secret key shared between the BS and SS as a result of the authorization exchange; the keys that protect management messages, and the key encryption key that conceals the TEKs, are derived from it.

AKA: (In cdma2000) Stands for Authentication and Key Agreement. It follows the same guidelines as the AKA procedure in UMTS. AKA is in charge of the mutual authentication between the UIM and the AC, and of session key distribution. The cryptographic functions used in the AKA procedure are fully standardized and known as EHMAC. They are implemented exclusively in the (R-)UIM and AC.

AKA: (In UMTS) Stands for Authentication and Key Agreement. It is a mechanism which performs mutual authentication between the USIM and the AuC, and session key distribution in UMTS networks. AKA is a challenge-response mechanism that uses symmetric cryptography. The cryptographic functions used in the AKA procedure are implemented exclusively in the USIM and AuC. The MILENAGE framework is widely used for the AKA functions.

AMPS: Advanced Mobile Phone System was the analog mobile phone system standard introduced in the Americas during the early 1980s. It was a first-generation technology using FDMA, which meant that each cell site would transmit on different frequencies, allowing many cell sites to be built near each other. However, it had the disadvantage that each site did not have much capacity for carrying calls. It also had a poor security system which allowed people to steal a phone's serial code to use for making illegal calls.

AC: (In cdma2000) The Authentication Center is a function that authenticates each (R-)UIM card that attempts to connect to the core network. The AC is usually collocated with the Home Location Register (HLR), although this is not necessary. The Home Environment is formed by the HLR and the AC.

AuC: (In UMTS) The Authentication Center is a function that authenticates each USIM card that attempts to connect to the core network. The AuC is usually collocated with the Home Location Register (HLR), although this is not necessary. The Home Environment is formed by the HLR and the AuC.

Bluetooth: The term Bluetooth is often used interchangeably with IEEE 802.15.1, even though this usage is not always correct. Bluetooth is an industrial specification for WPANs, first developed by Ericsson and later formalized by the Bluetooth Special Interest Group (SIG). The system is named after the Danish king Harald Bluetooth. Bluetooth provides a way to connect and exchange information between consumer mobile devices like PDAs, mobile phones, laptops, PCs, printers and digital cameras, via a secure, low-cost, globally available short range radio frequency. It uses the IEEE 802.15 specification in the ISM frequency band with FHSS technology. IEEE Std 802.15.1-2002 WPAN technology and its architecture have been derived from the Bluetooth specifications (version 1.1). This standard provides specifications for the lower layers (MAC and PHY) of the Bluetooth specifications.

BS: (In IEEE 802.16) Base Station: A generalized equipment set providing connectivity, management, and control of the subscriber station (SS).

BSS: (In IEEE 802.11) Basic Service Set: A set of stations controlled by a single coordination function (Access Point).

BWA: Broadband Wireless Access. Wireless access in which the connection(s) capabilities are broadband.

CBC: Cipher Block Chaining mode: A mode of use of a block cipher. In CBC mode, each ciphertext block y_i is XORed with the next plaintext block x_(i+1) before the result is encrypted with the key K. It requires an Initialization Vector (IV), defined as y_0, and then the ciphertext is constructed using the formula y_i = e_K(y_(i-1) ⊕ x_i) for i ≥ 1.

CCK: Complementary Code Keying is the modulation format for current Wi-Fi (IEEE 802.11b) systems. The preamble/header and the payload can both be transmitted using CCK modulation. CCK is a single-carrier waveform, whereby data is transmitted by modulating a single radio frequency or carrier. The bit stream is processed with a special coding and then modulated using QPSK.

CCM: Counter mode (CTR) with CBC-MAC (Cipher-block chaining with message authentication code): A symmetric key block cipher mode providing confidentiality using CTR and data origin authenticity using CBC-MAC.

CDMA: Code Division Multiple Access is the use of any form of spread spectrum by multiple transmitters to send information to the receiver on the same frequency channel at the same time without harmful interference. All forms of CDMA use a spreading code or chip sequence to allow receivers to partially discriminate against unwanted signals. Signals with the desired spreading code and timing are received, while signals with different spreading codes appear as wideband noise reduced by the process gain [12].

cdmaOne: It is the brand name for the Interim Standard 95 (IS-95), and it is the first CDMA-based digital cellular standard, pioneered by Qualcomm. The Telecommunication Industry Association (TIA-USA) branded the 2G CDMA standard (aka IS-95) as cdmaOne.

CDMA2000: Code Division Multiple Access 2000 is a 3G mobile telecommunications standard, one of the approved radio interfaces for the ITU's IMT-2000 standard, and a successor to 2G CDMA (IS-95 or cdmaOne). The underlying signaling standard is known as IS-2000. CDMA2000 is a registered trademark of the Telecommunications Industry Association (TIA-USA) in the United States, not a generic term like CDMA. TIA has branded their 2G CDMA standard (aka IS-95) as cdmaOne [12].

CDMA2000 1xEV: cdma2000 is the evolution of cdmaOne to 3rd generation technology. It can be deployed in several phases. The first phase, cdma2000 1x, is the core of the 3G cdma2000 technology; it supports an average of 144 kbps packet data rate in a mobile environment. The evolution of cdma2000 1x is labeled cdma2000 1xEV. 1xEV will be implemented in steps: 1xEV-DO (1x Evolution Data Only) and 1xEV-DV (1x Evolution Data and Voice). Both 1xEV cdma2000 evolution steps will use a standard 1.25 MHz carrier. 1xEV-DO will support 2.4 Mbps for a fixed environment, 384 kbps for pedestrian and 144 kbps for vehicular use. 1xEV-DV should support speeds up to 3.09 Mbps.

CDMA2000 3x: cdma2000 3x is part of what the ITU has termed IMT-2000 CDMA MC (Multi Carrier). It uses less than 5 MHz of spectrum (3 x 1.25 MHz channels) to give speeds of over 2 Mbps. cdma2000 1x, with its lower data speed, is considered to be a 2.5G technology. cdma2000 1xEV-DO and cdma2000 3x are part of the ITU's IMT-2000 (3G) standards.

Diffie-Hellman: The Diffie-Hellman key exchange is a cryptographic protocol which allows two parties to agree on a secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher. A general description of the protocol is as follows:
1) Alice and Bob agree on a finite cyclic group G and a generating element g in G. (This is usually done long before the rest of the protocol; g is assumed to be known by all attackers.) In the usual instantiation this means that Alice and Bob agree to use a prime number p and a base g.
2) Alice picks a random natural number a and sends g^a mod p to Bob.
3) Bob picks a random natural number b and sends g^b mod p to Alice.
4) Alice computes (g^b mod p)^a mod p.
5) Bob computes (g^a mod p)^b mod p.
Both Alice and Bob are now in possession of the group element g^(ab), which can serve as the shared secret key because the values of (g^b)^a and (g^a)^b are the same. The protocol is vulnerable to the "Man-in-the-Middle" attack, in which the attacker is able to read and modify all messages between Alice and Bob. As g is not secret, the attacker can easily create his own power of g and send that to Bob. When Bob replies, the attacker intercepts the message and ends up sharing a key with Bob (and, symmetrically, a second key with Alice). Therefore, authentication of the exchanged values is desirable [12].

DS: (In IEEE 802.11) Distribution System: A system used to interconnect a set of basic service sets (BSSs) and integrated local area networks (LANs) to create an extended service set (ESS).

DSL: Digital Subscriber Line is a family of technologies that provides a digital connection over the copper wires of the local telephone network. For conventional (asymmetrical) ADSL, downstream rates start at 256 kbit/s and typically reach 9 Mbit/s within 1000 feet (300 m) of the central office. Rates can go as high as 52 Mbit/s within 100 meters (so-called VDSL). Upstream rates start at 64 kbit/s and typically reach 256 kbit/s, but can go as high as 768 kbit/s.

DSSS: Direct-Sequence Spread Spectrum is a signal structuring technique utilizing a digital code sequence having a chip rate much higher than the information signal bit rate. Each information bit of a digital signal is transmitted as a pseudorandom sequence of chips. Simply put, DSSS transmissions multiply a "noise" signal into the data being transmitted. This noise signal is a pseudorandom sequence of 1 and -1 values at a frequency much higher than that of the original signal, thereby spreading the energy of the original signal into a much wider band [12].

ESS: (In IEEE 802.11) Extended Service Set: A set of one or more interconnected basic service sets (BSSs) and integrated local area networks (LANs) that appears as a single BSS to the logical link control layer and any station associated with one of those BSSs. All stations in an ESS share the same ESSID.

FHSS: Frequency-Hopping Spread Spectrum is a spread-spectrum method of transmitting signals by rapidly switching a carrier among many frequency channels using a pseudorandom sequence known to both transmitter and receiver. Spread-spectrum signals are highly resistant to noise and interference, and are difficult to intercept.
A Frequency-Hop spread-spectrum signal sounds like a momentary noise burst, or simply an increase in the background noise for short Frequency-Hop codes, on any narrowband receiver except a Frequency-Hop spread-spectrum receiver using the exact same channel sequence as was used by the transmitter. Spread-spectrum transmissions can share a frequency band with many types of conventional transmissions with minimal interference [12].

GSM: The Global System for Mobile Communications is the most popular standard for mobile phones in the world. GSM phones are used by over a billion people across more than 200 countries. The ubiquity of the GSM standard makes international roaming very common, with "roaming agreements" between mobile phone operators. GSM is a second generation (2G) mobile phone system. GSM is an open standard which is currently developed by the 3GPP [12].

GPRS: General Packet Radio Service is a mobile data service available to users of GSM mobile phones. It is often described as 2.5 generation technology. It provides moderate speed data transfer by using unused TDMA channels in the GSM network. Packet-switched data under GPRS is achieved by allocating unused cell bandwidth to transmit data. As dedicated voice (or data) channels are set up by phones, the bandwidth available for packet switched data shrinks. A consequence of this is that packet switched data has a poor bit rate in busy cells. The theoretical limit for packet switched data is approx. 170 kbit/s. A realistic bit rate is 30-70 kbit/s. A change to the radio part of GPRS called EDGE allows higher bit rates of up to 384 kbit/s. The maximum data rates are achieved only by allocation of more than one time slot in the TDMA frame.

HE: (In cdma2000) The Home Environment mainly consists of the Home Location Register (HLR) and the Authentication Center (AC), and it is associated with the SN (PDSN or VLR/MSC).

HE: (In UMTS) The Home Environment mainly consists of the Home Location Register (HLR) and the Authentication Center (AuC), and it is associated with the SN (SGSN or VLR/MSC).

HLR: (In cdma2000) The Home Location Register is a central database that contains details of each mobile phone subscriber that is authorized to use the core network. It stores location information used to track subscribers, to authorize and route calls, and to manage services. It also stores details of every (R-)UIM and the telephone numbers used to make and receive calls to the mobile phone.

HLR: (In UMTS) The Home Location Register is a central database that contains details of each mobile phone subscriber that is authorized to use the core network. It stores location information to locate the user and for routing purposes. It also stores details of every USIM and the telephone numbers used to make and receive calls to the mobile phone, known as MSISDNs [12].

IBSS: (In IEEE 802.11) Independent Basic Service Set: A BSS that forms a self-contained network, and in which no access to a distribution system (DS) is available. An Ad-Hoc network.

IEEE 802.1x authentication: Extensible Authentication Protocol (EAP) authentication transported by the IEEE 802.1x protocol.

IEEE 802.3: Standards for CSMA/CD (Ethernet) based LANs.

IEEE 802.11: A set of specifications to provide the same functionality as the IEEE 802.3 Ethernet standard but with the air as a transmission medium instead of cables. The resulting communication networks are known as WLANs (Wireless LANs). For further discussion see III.

IEEE 802.16: Also known as WiMax, it is a set of specifications designed to provide metro area Broadband Wireless Access (BWA).

IMEI: (In UMTS) The International Mobile Station Equipment Identity is a unique identity associated with every GSM and UMTS mobile phone, and it is checked against a database called the Equipment Identity Register (EIR) to verify whether a handset has been stolen and is being used fraudulently.

IMSI: (In UMTS) The International Mobile Subscriber Identity (IMSI) number is the primary user identity associated with every GSM and UMTS mobile phone. It should not be confused with the subscriber's number (MSISDN). The IMSI is used for internal identification and routing purposes. It is no more than 15 decimal digits long, where the first three digits are the Mobile Country Code (MCC), which is issued by the ITU. Then, two or three digits are the Mobile Network Code (MNC), which is issued by the national regulatory authority. Finally, the Mobile Subscriber Identification Number (MSIN) is set by the network operator. In order to avoid the subscriber being identified and tracked by eavesdroppers on the radio interface, the IMSI is sent as rarely as possible and a randomly generated TMSI is sent instead.

IMT-2000: International Mobile Telecommunications-2000 is the global standard for third generation (3G) wireless communications defined by a set of interdependent ITU Recommendations. IMT-2000 provides a framework for worldwide wireless access by linking the diverse systems of terrestrial and/or satellite based networks. It will exploit the potential synergy between digital mobile telecommunications technologies and the fixed and mobile wireless access systems. IMT-2000 is intended to bring high-quality mobile multimedia telecommunications to a worldwide mass market by achieving the goals of increasing the speed and ease of wireless communications, responding to the problems faced by the increased demand to pass data via telecommunications, and providing "anytime, anywhere" services.

IrDA: The Infrared Data Association defines physical specifications and communications protocols for the short range exchange of data over infrared light for uses such as personal area networks (PANs).

IPSec: IP Security is a standard for securing IP communications (packet flow) by encrypting and authenticating IP packets. IPSec provides security at the network layer of the OSI model; therefore, it protects both TCP- and UDP-based protocols. IPSec is a protocol suite consisting of protocols for securing packet flows (ESP and AH) and key exchange protocols (IKE) used for setting up those secure flows. To secure packets there are two mechanisms: Encapsulating Security Payload (ESP), which provides confidentiality (and optionally authentication), and the rarely used Authentication Header (AH), which provides authentication and message integrity but does not offer confidentiality. Currently only one key exchange protocol is defined, the IKE protocol.

IS-95: See cdmaOne.

ITU: The International Telecommunication Union is an international organization established to standardize and regulate international radio and telecommunications. It was founded as the International Telegraph Union in Paris on May 17, 1865, and is today the world's oldest international organization. Its main tasks include standardization, allocation of the radio spectrum, and organizing interconnection arrangements between different countries to allow international phone calls. It is one of the specialized agencies of the United Nations, and has its headquarters in Geneva, Switzerland. The international standards that are produced by the ITU are referred to as "Recommendations". Due to its longevity as an international organization and its status as a specialized agency of the United Nations, standards promulgated by the ITU carry a higher degree of formal international recognition than those of most other organizations that publish technical specifications of a similar form [12].

ISM: The Industrial, Scientific, and Medical (ISM) radio bands were originally reserved internationally for non-commercial use of RF electromagnetic fields for industrial, scientific, and medical purposes. Individual countries' use of the bands may differ due to variations in national radio regulations. In recent years they have also been used for license-free error-tolerant communications applications such as wireless LANs and Bluetooth:
• 900 MHz band (33.3 cm wavelength)
• 2.4 GHz band (12.2 cm wavelength)
• 5.8 GHz band (5.2 cm wavelength)

KASUMI: (In UMTS) KASUMI is the block cipher used in the confidentiality and integrity algorithms for 3GPP mobile communications (the UMTS UEA1/UIA1 algorithms and the GSM A5/3 algorithm are built on it). KASUMI was designed by the Security Algorithms Group of Experts (SAGE), part of the European standards body ETSI. Rather than invent a cipher from scratch, an existing algorithm, MISTY1, was selected by SAGE and slightly optimized for implementation in hardware. KASUMI has a block size of 64 bits and a key size of 128 bits; it is a Feistel cipher with eight rounds [12].

LOS: Line-Of-Sight. It refers to the requirement that a set of antennas must have line of sight in order to set up and maintain a connection.


MAC: Medium Access Control: In the networking community this is usually a sublayer of Layer 2 (Data Link) in the OSI model.

MAC: Message Authentication Code: In the cryptography community, a MAC is a cryptographically secure checksum of a message that provides message authentication and integrity. In the networking community, this is known as a Message Integrity Code (MIC).

MIC: Message Integrity Code: In the networking community, a MIC is a cryptographically secure checksum of a message that provides message authentication and integrity. In the cryptographic community, this is known as a Message Authentication Code (MAC).

Michael: (In IEEE 802.11) The Message Integrity Code (MIC) for TKIP.

MILENAGE: (In UMTS) MILENAGE is a family of cryptographic functions that provide different security services, such as the challenge-response authentication function, the cipher key derivation function, and the integrity key derivation function. The MILENAGE framework can work with any block cipher with 128-bit blocks and a 128-bit key. The Rijndael block cipher was chosen for MILENAGE because of its excellent performance on platforms with limited computing resources, such as smartcards.

MPDU: Medium access control (MAC) Protocol Data Unit: The unit of data exchanged between two peer MAC entities using the services of the physical layer (PHY).

MS: (In cdma2000) The Mobile Station in cdma2000 refers to the user equipment. For analysis purposes, it should not include the UIM or R-UIM.

MS: (In UMTS) The Mobile Station refers to the computational hardware, not including the UICC, in a UMTS User Equipment (UE). The USIM also does not form part of the MS because it runs on the UICC.

MSC: (In UMTS) The Mobile services Switching Center is a sophisticated telephone exchange which provides circuit-switched calling, mobility management, and GSM services to the mobile phones roaming within the area that it serves. This means voice, data and fax services, as well as SMS and call divert [12].

MSISDN: (In UMTS) The Mobile Station Integrated Services Digital Network number is the assigned subscriber phone number, which is a maximum 15-digit number.

NLOS: Non-Line-Of-Sight, Near-Line-Of-Sight. It refers to the ability of a set of antennas to set up and maintain a connection without the requirement of line of sight.

OFDM: Orthogonal Frequency-Division Multiplexing (OFDM) is the mandatory high-rate waveform in the 2.4 GHz band for IEEE 802.11g. Data rates of up to 54 Mbit/s are now available in the 2.4 GHz band. In addition, backward compatibility with earlier Wi-Fi (802.11b) devices is assured. OFDM, also sometimes called discrete multitone modulation (DMT), is a method of digital modulation in which a signal is split into several narrowband channels at different frequencies. OFDM breaks an individual transmission frequency down into multiple low-frequency signals (typically dozens to thousands). This, coupled with the use of advanced modulation techniques on each component, results in a signal with high "orthogonality", which means high resistance to interference. The benefits of using OFDM are many, including high spectrum efficiency, resistance against multipath interference (particularly in wireless communications), ease of filtering out noise, and the fact that the upstream and downstream speeds can be varied by allocating either more or fewer carriers for each purpose [12].

OSI: The Open Systems Interconnection Reference Model (OSI Model or OSI Reference Model) is a layered abstract description for communications and computer network protocol design developed as part of the Open Systems Interconnect initiative. It is also called the OSI seven layer model.

OTASP: (In cdma2000) The Over-The-Air Service Provisioning procedure is an authentication key provisioning mechanism, in which a Diffie-Hellman key establishment is performed between the UIM and the AC to generate the key K. A man-in-the-middle attack is possible during the exchange, but the attacker loses that advantage as soon as it ceases to relay, since the UIM and the AC then hold different keys; the customer will then call again to re-perform the OTASP. The authentication key K generated by OTASP is 128 bits long.

PDSN: (In cdma2000) The Packet Data Serving Node handles packet-switched traffic. The cdma2000 PDSN functions as a connection point between the Radio Access and IP networks.

PN: (In IEEE 802.16) The Packet Number is a counter associated with an SA, used in the CCM mode of encryption to detect replayed messages.
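The exchange described in the Diffie-Hellman entry, and the man-in-the-middle that the Diffie-Hellman and OTASP entries both mention, carried through in Python as an added example (not code from the survey or from any 3GPP2 specification). The group is the 1024-bit MODP prime from RFC 2409 (Oakley group 2) with generator 2, and the 128-bit key K is taken as the leading 16 bytes of SHA-1 over the shared group element; real OTASP parameters and key derivation are not given by the survey, so both are assumptions made for the example.

```python
"""Unauthenticated Diffie-Hellman and the man-in-the-middle it admits.
Added example; group and key derivation are assumptions, see lead-in."""
import hashlib
import secrets

# RFC 2409 Oakley group 2 (1024-bit MODP prime), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


class Party:
    """One side of the exchange: a private exponent and its public value g^x mod p."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._x = secrets.randbelow(P - 2) + 1      # private exponent in [1, P-2]
        self.public = pow(G, self._x, P)            # sent in the clear

    def key_with(self, peer_public: int) -> bytes:
        """K = SHA-1(g^(xy) mod p)[:16]. Rejects the trivial values 0, 1 and p-1,
        which would force the shared element into {0, 1, p-1}."""
        if not 1 < peer_public < P - 1:
            raise ValueError("peer public value outside the group")
        shared = pow(peer_public, self._x, P)
        return hashlib.sha1(shared.to_bytes(128, "big")).digest()[:16]  # 128-bit K


def honest_exchange() -> tuple:
    """UIM and AC exchange public values directly; both derive the same K."""
    uim, ac = Party("UIM"), Party("AC")
    return uim.key_with(ac.public), ac.key_with(uim.public)


def mitm_exchange() -> dict:
    """Mallory substitutes her own public value in both directions. Nothing in the
    exchange is authenticated, so neither side can tell, and Mallory ends up with
    one key shared with the UIM and another shared with the AC."""
    uim, ac, mallory = Party("UIM"), Party("AC"), Party("MitM")
    k_uim = uim.key_with(mallory.public)       # UIM believes this came from the AC
    k_ac = ac.key_with(mallory.public)         # AC believes this came from the UIM
    return {
        "uim": k_uim,
        "ac": k_ac,
        "mallory_uim": mallory.key_with(uim.public),
        "mallory_ac": mallory.key_with(ac.public),
    }


if __name__ == "__main__":
    a, b = honest_exchange()
    print("honest keys agree:", a == b)
    m = mitm_exchange()
    print("UIM/AC keys agree under MitM:", m["uim"] == m["ac"])
    print("Mallory holds both:", m["mallory_uim"] == m["uim"] and m["mallory_ac"] == m["ac"])
```

The dictionary returned by mitm_exchange is the whole story behind the OTASP caveat: as long as Mallory keeps re-encrypting traffic between the two keys she holds, both ends see a working session; the moment she stops relaying, the UIM's K and the AC's K no longer match and the next authentication fails, which is what prompts the customer to re-run OTASP. Only an authenticated exchange (signed or MAC'd public values) removes the attack rather than merely exposing it after the fact.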

PSK: (In IEEE 802.11) A static key distribution scheme where the key is distributed among the network in a fashion not specified in 802.11i; normally, it is done manually by the system administrator.

PSK: Phase Shift Keying: In a communications system, PSK is the representation of characters, such as bits or quaternary digits, by a shift in the phase of an electromagnetic carrier wave with respect to a reference, by an amount corresponding to the symbol being encoded [12].

QAM: Quadrature Amplitude Modulation (QAM) is the encoding of information into a carrier wave by variation of the amplitude of both the carrier wave and a "quadrature" carrier that is 90° out of phase with the main carrier, in accordance with two input signals. What this actually means is that the amplitude and the phase of the carrier wave are simultaneously changed according to the information to be transmitted [12].

Rijndael: Rijndael is a block cipher adopted as an encryption standard by the US government (AES). The cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and submitted to the AES selection process under the name "Rijndael". Rijndael is a substitution-permutation cipher, not a Feistel cipher; it is fast in both software and hardware, requires little memory, and is relatively easy to implement. AES is not precisely Rijndael: Rijndael supports key and block sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits, whereas AES fixes the block size at 128 bits.

RNC: (In UMTS) The Radio Network Controller is the element in the UMTS radio network responsible for control of the base stations which are distributed throughout its service area. The RNC carries out some of the mobility management functions and is the point where encryption is done before user data is sent to and from the mobile station on the user equipment. The RNC is connected to the GSM Circuit Switched Core Network or the GPRS Core Network.

RSN: (In IEEE 802.11) Robust Security Network: A security network that allows only the creation of Robust Security Network Associations (RSNAs).

RSNA: (In IEEE 802.11) Robust Security Network Association: The type of association used by a pair of stations if the procedure to establish authentication or association between them includes the 4-Way Handshake.

Salt: The salting technique consists of random bits used as one of the inputs to a key derivation function. The other input is usually a password or passphrase. The output of the key derivation function is often stored as the encrypted version of the password. A salt value is typically used in a hash function. The salt value may or may not be protected as a secret. In either case the additional salt data makes it more difficult to conduct a dictionary attack using precomputation of dictionary entries, because each bit of salt used doubles the amount of storage and computation required [28], [12].

SA: (In IEEE 802.16) Security Association: The set of security information a BS and one or more of its client SSs share in order to set up secure communications.

SGSN: (In UMTS) The Serving GPRS Support Node is responsible for mobility management and IP packet session management. It routes user packet traffic from the radio network to the appropriate Gateway providing access to external packet data networks such as the Internet, Intranets, and Extranets.

SHA-1: The Secure Hash Algorithm family is a set of related cryptographic hash functions. The most common is SHA-1. It is employed in a large variety of popular security applications and protocols. The SHA algorithms were designed by the National Security Agency (NSA) and published as a US government standard. Recent work states that attacks can find collisions in the full version of SHA-1 requiring fewer than 2^69 operations (a brute-force search would require 2^80) [12]. This is a clear indication that stronger mechanisms should begin to be considered.

SN: (In cdma2000) The Serving Network consists of the parts of the core network that are directly involved in setting up connections and are outside the Home Environment (HE). It can contain the Packet Data Serving Node (PDSN), which handles packet-switched traffic, the Visitor Location Register (VLR) with the Mobile Switching Centers (MSC), which handle circuit-switched traffic, and the Base Transceiver Systems (BTS).

SN: (In UMTS) The Serving Network consists of the parts of the core network that are directly involved in setting up connections and are outside the Home Environment (HE). It can contain the Serving GPRS Support Node (SGSN), which handles packet-switched traffic, the Visitor Location Register (VLR) with the Mobile Switching Center (MSC) that handles circuit-switched traffic, the RNC and the base stations.

SS: (In IEEE 802.16) Subscriber Station: A generalized equipment set providing connectivity between subscriber equipment and a base station (BS).

SS7: Signaling System #7 is a set of protocols defined by ITU-T, specifically in the Q.7xx series of documents, used to set up telephone calls. SS7 moved to a system in which the signaling information was out-of-band, carried in a separate signaling channel. This avoided the security problems earlier systems had, as the end user had no connection to these channels. SS7 is the interface that telecoms network operators usually use to interconnect with other telecoms network operators.


TDMA: Time Division Multiple Access is a channel-access method for shared-medium (usually radio) networks. It lets several users share the same frequency by dividing it into time slots; the users transmit in rapid succession, one after the other, each in its own time slot, so multiple users share the same transmission medium while each uses only the part of its bandwidth it needs. TDMA is a form of time-division multiplexing, with the special point that instead of one transmitter connected to one receiver there are multiple transmitters.

TEK: (In IEEE 802.16) Traffic Encryption Key: secret shared key used to conceal the MAC PDU payload in the exchange of data packets in IEEE 802.16 networks.

TMSI: (In UMTS) The Temporary Mobile Subscriber Identity is a temporary identity used to protect the global IMSI, which is permanently assigned to a subscriber. The TMSI is the identity most often sent between the mobile and the network; it is a randomly allocated number given to the mobile the first time it is switched on. The TMSI is local to a location area, so it must be updated every time the mobile performs a location update procedure, and the network can also force the mobile to accept a new TMSI at any time. These procedures make it difficult to trace subscribers, except briefly the first time the mobile is switched on or when the data in the mobile becomes invalid for some reason: at that point the global IMSI must be sent to the network.

UAK: (In cdma2000) The UIM Authentication Key is an additional key derived by the Authentication and Key Agreement mechanism used in cdma2000. Unlike CK and IK, the UAK is not passed to the MS; it stays in the UIM and is used with the function UMAC to authenticate important signaling messages.

UE: (In UMTS) The User Equipment is the subscriber's mobile equipment. For ease of analysis the UE is usually divided into the Mobile Station and the USIM, which runs on the UICC.

UICC: (In UMTS) The Universal Integrated Circuit Card is a tamper-resistant chip card used in mobile terminals in 3G telecom networks. The UICC contains the USIM application and also provides a platform for other IC card applications; it protects the integrity and confidentiality of the personal data it holds and enables secure support for multi-application schemes.

UIM: (In cdma2000) The User Identity Module keeps the long-term pre-shared authentication key K. The UIM can be removable (R-UIM) or fixed (UIM). The shared key K can be assigned at manufacture time or at sale time using the OTASP mechanism. The UIM is also in charge of generating CK, IK and UAK, and of computing the authentication function UMAC.

UMAC: (In cdma2000) UIM MAC is one of the cdma2000 extensions to the UMTS AKA protocol. The UIM generates the key UAK, which is not passed to the MS, and uses it with the function UMAC to authenticate important signaling messages. This mechanism was introduced to solve the rogue shell problem, where an MS does not delete CK and IK when the R-UIM is removed, or somehow sends CK and IK to another MS for the purpose of performing fraudulent operations. Because such an MS never holds UAK, it cannot produce a valid UMAC, so the attack is defeated without running the AKA procedure again.

UMTS: Universal Mobile Telecommunications System is one of the third-generation (3G) mobile phone technologies, standardized by the 3GPP. UMTS combines the W-CDMA air interface (the protocol that defines over-the-air transmission between UMTS mobile phones and base stations), GSM's Mobile Application Part (MAP) core (the protocol that provides mobile functionality such as routing calls to and from mobile subscribers), and the GSM family of speech codecs such as AMR and EFR (which define how audio is digitized, compressed and encoded). Technically speaking, W-CDMA is merely the air interface, while UMTS is the complete stack of communication protocols designated for 3G global mobile telecommunications and a direct successor to GSM. UMTS uses a pair of 5 MHz channels, one in the 1900 MHz range for uplink and one in the 2100 MHz range for downlink [12].

USIM: (In UMTS) The Universal Subscriber Identity Module is an application running on a smart card (the UICC), issued by the network operator in charge of the Home Environment (HE). The USIM stores the long-term pre-shared secret key K, which is shared with the AuC. During authentication the USIM verifies that the sequence number sent by the network falls within an accepted range, using a window mechanism to detect replayed authentication vectors, and it generates the session keys CK and IK that feed the confidentiality (f8) and integrity (f9) algorithms, both built on the KASUMI block cipher.

U-NII: Unlicensed National Information Infrastructure. It was designated to provide short-range, high-speed wireless networking at low cost. U-NII consists of three frequency bands of 100 MHz each in the 5 GHz band: 5.15-5.25 GHz (indoor use only), 5.25-5.35 GHz and 5.725-5.825 GHz. The three bands were set aside by the FCC in 1997, initially to help schools connect to the Internet without the need for hard wiring. U-NII devices do not require licensing.

VLR: (In cdma2000 and UMTS) The Visitor Location Register is a temporary database of the subscribers who have roamed into the particular area it serves. Each Base Transceiver Station in the network is served by exactly one VLR, so a subscriber cannot be present in more than one VLR at a time. The data stored in the VLR has either been received from the Home Location Register (HLR) or collected from the Mobile Station (MS) [12].

W-CDMA: Wideband Code Division Multiple Access is a type of 3G cellular network as defined in IMT-2000. W-CDMA is the technology behind UMTS and is allied with the 2G GSM standard. W-CDMA is a wideband spread-spectrum 3G mobile telecommunication air interface that uses code division multiple access. It is more than a multiplexing scheme: W-CDMA is a complete set of specifications, a detailed protocol that defines how a mobile phone communicates with the base station, how signals are modulated and how datagrams are structured. W-CDMA is not compatible with cdmaOne or CDMA2000.

WEP: (In IEEE 802.11) Wired Equivalent Privacy: an optional cryptographic confidentiality algorithm specified by IEEE 802.11 that may be used to provide data confidentiality that is subjectively equivalent to the confidentiality of a wired local area network (LAN) medium that does not employ cryptographic techniques to enhance confidentiality [7].

Wi-Fi: The Wireless Ethernet Compatibility Alliance formed the Wi-Fi ("Wireless Fidelity") certification program, which is in charge of ensuring that equipment claiming to be 802.11 compliant really achieves interoperability. Wi-Fi certified equipment has demonstrated standards compliance in an interoperability laboratory. However, since the standards cover not only radio and data-format interoperability but also security protocols, and since there have been several releases and versions in both categories, interoperability is still not trivially achieved [30].

WiMax: Worldwide Interoperability for Microwave Access. It is designed to provide metropolitan-area Broadband Wireless Access (BWA). The original idea behind WiMax was to deliver wireless Internet access to a fixed location, competing with technologies such as cable modems and Digital Subscriber Line (DSL). It is defined in IEEE 802.16 and aims to develop interoperability among multi-vendor devices, resulting in lower cost and compliance with open standards.
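The sequence-number window the USIM entry above describes is easier to reason about in code. The following Python is an added example, not code from the survey or from any 3GPP specification: it keeps one highest-accepted SEQ per IND slot, which is the general shape of 3GPP TS 33.102 Annex C, but the 43/5 bit split, the jump limit DELTA, the age limit AGE_LIMIT and the three verdict strings are assumptions chosen for illustration rather than normative values. The scenario in run_scenario is a constructed series of vectors.

```python
"""Simplified USIM sequence-number (SQN) freshness check.

Added example: models the replay-protection window a USIM applies to the
SQN carried in an authentication vector. The array-of-slots shape follows
3GPP TS 33.102 Annex C, but the SEQ/IND split, DELTA, AGE_LIMIT and the
verdict strings are assumptions for illustration, not normative values.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

SEQ_BITS = 43                 # assumed: SQN = SEQ (43 bits) || IND (5 bits)
IND_BITS = 5
IND_SLOTS = 1 << IND_BITS
DELTA = 1 << 28               # assumed: largest plausible jump ahead of the highest accepted SEQ
AGE_LIMIT = 1 << 20           # assumed: how far behind the highest accepted SEQ still counts as fresh

ACCEPT = "accept"
REJECT_REPLAY = "reject-replay"     # SEQ not strictly increasing within its IND slot
REJECT_RESYNC = "reject-resync"     # outside the window: USIM would ask the HE to resynchronise


def make_sqn(seq: int, ind: int) -> int:
    """Pack SEQ and IND into one 48-bit SQN (assumed layout)."""
    if not (0 <= seq < (1 << SEQ_BITS) and 0 <= ind < IND_SLOTS):
        raise ValueError("SEQ or IND out of range")
    return (seq << IND_BITS) | ind


def split_sqn(sqn: int) -> Tuple[int, int]:
    """Inverse of make_sqn."""
    if not 0 <= sqn < (1 << (SEQ_BITS + IND_BITS)):
        raise ValueError("SQN must fit in 48 bits")
    return sqn >> IND_BITS, sqn & (IND_SLOTS - 1)


@dataclass
class UsimSqnState:
    """Per-card state: highest SEQ accepted in each IND slot (all zero on a fresh card)."""
    seq_ms: List[int] = field(default_factory=lambda: [0] * IND_SLOTS)

    def seq_ms_max(self) -> int:
        return max(self.seq_ms)

    def verify(self, sqn: int) -> str:
        """Check one SQN; on ACCEPT the slot is updated so the same SQN can never be accepted again."""
        seq, ind = split_sqn(sqn)
        highest = self.seq_ms_max()
        if seq <= self.seq_ms[ind]:
            return REJECT_REPLAY        # already used (or older) in this slot
        if seq - highest > DELTA:
            return REJECT_RESYNC        # implausible jump forward: wrap-around or bogus vector
        if highest - seq >= AGE_LIMIT:
            return REJECT_RESYNC        # too old relative to what has already been accepted
        self.seq_ms[ind] = seq
        return ACCEPT


def run_scenario() -> List[str]:
    """Constructed sequence of vectors, as serving networks might present them over time."""
    usim = UsimSqnState()
    return [
        usim.verify(make_sqn(10, 0)),                    # fresh vector
        usim.verify(make_sqn(10, 0)),                    # the same vector replayed
        usim.verify(make_sqn(9, 1)),                     # slightly older vector in another slot: still in window
        usim.verify(make_sqn(10 + DELTA + 1, 2)),        # absurd jump forward
        usim.verify(make_sqn(10 + AGE_LIMIT + 100, 3)),  # large but plausible jump forward
        usim.verify(make_sqn(50, 4)),                    # now too old against the new highest
    ]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The per-slot array is what lets vectors fetched by different serving nodes arrive slightly out of order without being mistaken for replays, while the age limit bounds how long an intercepted vector stays usable; a real USIM also answers a rejection with a resynchronisation token rather than a bare string.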

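What the WEP entry above calls an optional confidentiality algorithm is small enough to write out in full. The following Python is an added example, not code from the survey or from the IEEE 802.11 standard, and the key, IV and payload bytes are constructed values. It encapsulates a frame body the way WEP does (24-bit IV and key-ID byte in the clear, RC4 keyed with IV || key, an unkeyed CRC-32 ICV appended before encryption), decapsulates it, and the last function shows why IV reuse matters: two bodies encrypted under the same IV and key XOR to the XOR of their plaintexts.

```python
"""WEP encapsulation and decapsulation of an 802.11 frame body.

Added example, not code from the survey or from IEEE 802.11: RC4 keyed with
IV || key, a 24-bit IV plus key-ID byte sent in the clear, and an unkeyed
CRC-32 ICV appended to the plaintext before encryption. All key, IV and
payload bytes used here are constructed sample values.
"""
import struct
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_icv(plaintext: bytes) -> bytes:
    """Integrity Check Value: CRC-32 over the plaintext, little-endian, no key involved."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR over the common length of a and b."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encapsulate(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Return IV(3) || KeyID byte || RC4_{IV||key}(plaintext || ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    if len(key) not in (5, 13):
        raise ValueError("expected a WEP-40 (5-byte) or WEP-104 (13-byte) key")
    body = plaintext + wep_icv(plaintext)
    ciphertext = xor_bytes(body, rc4_keystream(iv + key, len(body)))
    return iv + bytes([(key_id & 0x3) << 6]) + ciphertext   # key ID lives in bits 6-7


def wep_decapsulate(key: bytes, frame_body: bytes):
    """Return (plaintext, icv_ok). The IV is taken from the frame itself."""
    if len(frame_body) < 8:
        raise ValueError("frame body too short for IV, KeyID and ICV")
    iv, ciphertext = frame_body[:3], frame_body[4:]
    body = xor_bytes(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    plaintext, icv = body[:-4], body[-4:]
    return plaintext, icv == wep_icv(plaintext)


def ciphertext_xor(frame_a: bytes, frame_b: bytes) -> bytes:
    """XOR of two encrypted bodies that share an IV (and therefore a keystream).

    The common keystream cancels, so the result equals the XOR of the two
    plaintexts over their common length, with no knowledge of the key.
    With only 2^24 IVs, such a collision is only a matter of traffic volume.
    """
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs; keystreams differ")
    return xor_bytes(frame_a[4:], frame_b[4:])


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")   # constructed WEP-40 key
    iv = bytes.fromhex("0a0b0c")        # constructed IV
    frame = wep_encapsulate(key, iv, b"constructed payload")
    print(frame.hex())
    print(wep_decapsulate(key, frame))
```

A True from wep_decapsulate means only that plaintext and CRC decrypted consistently under that keystream; CRC-32 is not a keyed MAC, so the ICV is an error-detection code rather than an authenticity check.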

X.509 Certificate: In the X.509 system, a Certification Authority (CA) issues a certificate binding a public key to a particular Distinguished Name in the X.500 tradition, or to an Alternative Name such as an email address or a DNS entry. An organisation's trusted root certificates can be distributed to all employees so that they can use the company PKI. Browsers such as Internet Explorer, Netscape/Mozilla and Opera ship with root certificates pre-installed, so SSL certificates issued by the larger vendors that have paid to be pre-installed work immediately; in essence the browser vendor decides which CAs are trusted third parties. Although these root certificates can be removed or disabled, users rarely do so [12].


REFERENCES

[1] M. Gast, 802.11 Wireless Networks: The Definitive Guide. Sebastopol, CA: O'Reilly, 2002.
[2] Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specification, IEEE Std. 802.11, 1997.
[3] L. Barken, How Secure Is Your Wireless Network? Upper Saddle River, NJ: Prentice Hall, 2004.
[4] IEEE 802.11. [Online]. Available: http://grouper.ieee.org/groups/802/11/
[5] S. Fluhrer, I. Mantin, and A. Shamir, "Weaknesses in the key scheduling algorithm of RC4," Lecture Notes in Computer Science, vol. 2259, pp. 1-24, 2001.
[6] AirSnort. [Online]. Available: http://airsnort.shmoo.com/
[7] Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specification. Amendment 6: Medium Access Control (MAC) Security Enhancements, IEEE Std. 802.11i, 2004.
[8] IEEE Standard for Local and Metropolitan Area Networks, Part 16: Air Interface for Fixed Broadband Wireless Access Systems, IEEE Std. 802.16-2004 (Revision of IEEE Std 802.16-2001), 2004.
[9] M. F. Finneran, "WiMAX versus Wi-Fi," White Paper, 2004.
[10] D. Johnston and J. Walker, "Overview of IEEE 802.16 security," IEEE Security & Privacy, May/June 2004.
[11] IEEE 802.15. [Online]. Available: http://www.ieee802.org/15/
[12] Wikipedia. [Online]. Available: http://www.wikipedia.org/
[13] Part 15.1: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Wireless Personal Area Networks (WPANs), IEEE Std. 802.15.1-2002, 2002.
[14] R. Vines, Wireless Security Essentials. Indianapolis, IN: Wiley Publishing, 2002.
[15] C. Gehrmann, "Bluetooth security white paper," Bluetooth SIG, April 2004.
[16] Bluesnarfing. [Online]. Available: http://www.trifinite.org/trifinite_stuff_lds.html
[17] Virus-. [Online]. Available: http://lists.virus.org/bugtraq-0311/msg00135.html
[18] N. Sastry and D. Wagner, "Security considerations for IEEE 802.15.4 networks," October 2004.
[19] M. Bellare, A. Desai, E. Jokipii, and P. Rogaway, "A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation," 1997.
[20] HomeRF. [Online]. Available: http://www.palowireless.com/homerf/
[21] IrDA. [Online]. Available: http://www.palowireless.com/irda/tutorials.asp
[22] The 3rd Generation Partnership Project (3GPP). [Online]. Available: http://www.3GPP.org
[23] Overview of the Universal Mobile Telecommunication System. [Online]. Available: http://www.umtsworld.com/technology/overview.htm
[24] G. Koien, "An introduction to access security in UMTS," IEEE Wireless Communications, vol. 11, Feb 2004.
[25] 3GPP TS 33.102; 3G security: Security architecture. [Online]. Available: ftp://ftp.3gpp.org/TSG_SA/WG3_Security/Specs/
[26] The 3rd Generation Partnership Project 2 (3GPP2). [Online]. Available: http://www.3GPP2.org
[27] G. Rose and G. Koien, "Access security in cdma2000, including a comparison with UMTS access security," IEEE Wireless Communications, vol. 11, Feb 2004.
[28] M. Bishop, Computer Security: Art and Science. Boston, MA: Addison-Wesley, 2003.
[29] X. Wang and Y. Yin, "Collision search attacks on SHA1."
[30] Wi-Fi Alliance. [Online]. Available: http://en.wikipedia.org/wiki/Wi-Fi_Alliance
