210

Authentication Authorization and

Accounting
(AAA)

Schemes in

WiMAX

Sasan Adibi, Bin Lin, Pin-Han Ho, G.B. Agnew, Shervin Erfani University of Waterloo, Broadband Communication Research Centre (BBCR) 200 University West Ave, Waterloo, Ontario Canada, N2L 3G1

Tel: (519) 888-4567 Ext. 7475

ABSTRACT
Authorization, Authentication, and Accouting schemes for WiMAX (Worldwide Interoperability for Microwave access) is the focus of this paper. WiMAX works as a wireless metropolitan area network (MAN) technology, based on IEEE 802.16 specifications, which was designed to provide highthroughput wireless broadband connections (up to 70 Mbps for fixed scheme and up to 15 Mbps for mobile scheme) over long distances (up to 30 miles) which is described as a "framework for the evolution of wireless broadband". The main focus of the authentication and authorization is based on the Privacy Key Management Extensible Authentication Protocol for Pairwise Key Manegement "EAP-PKM" and the accounting issue.
,

The organization of the paper is as follows: Section II discusses the problems encountered in the authentication and authorization of wireless links following an introduction to EAP (Extensible Authentication Protocol). Section III examines the authentication protocol "PKM-EAP" for WiMAX in detail. Finally, our concluding remarks and references are given in Section IV and V respectively.

II.

PROBLEMS IN AUTHENTICATION AND AUTHORIZATION - EAP

I.

INTRODUCTION

WiMAX has some similarities with the Wi-Fi, however its security aspects are stronger than that of Wi-Fi. The current standard for Wi-Fi security is specified in IEEE 802.1Ii, however 802.1 Ii has not been widely implemented and it is expected that 802.16 will take control of the market in 2006 due to the high bandwidth and long range in addition to the security strengths. This further incorporates the possibilities for higher integrated QoS (Quality of Service), minimum bandwidth guarantees and other performance improvements.

The purpose of authentication and authorization techniques mainly used in Wi-Fi systems are to prevent; snooping of the user ID, denial of service (DoS), offline dictionary attack, manin-the-middle (Mitm) attack, authentication method downgrading attacks, and breaking a weak key. In reference [3], the authentication protocol has to ensure information gathering about the user before choosing the protocol and to authenticate both sides equally (mutual authentication).
Pe,er
Identity Requett Idtnto fsponse

Authienticator

The main issues with WiMAX security scheme is the authentication and confidentiality [1]. Reference [1] mainly focuses on the authentication and authorization of WiMAX, since they are key components of any security solution. 802.16 security features are more promising as they are better designed as compared to those of 802.11 and the standard bodies of WiMAX have been prioritizing security options from the beginning. In fact, the WiMAX standard itself incorporates more flexible and better security support than the ones in the Wi-Fi standard [2]. Therefore we will give a brief overview of the currently existing authentication mechanisms of WLAN before that of WiMAX.

Rpeated as many tite sas needed

I1.

If mutual
Auth Is require

Identity Response

Repeatedl
needed
l

EAP Request
EAR Response With the sametype or a Nak

1---

EAP Success or ailure message

Figure 1. EAP Generic Messaging Flows

Here we introduce EAP that offers an authentication scheme, which prevents the above mentioned problems. EAP allows for mutual authentication. It is basically a request-response protocol based on four different types of messages: EAP request, EAP response, EAP success, and EAP failure. Figure 1 shows generic example of the EAP signaling, where the SS (Subscriber Station) and BS (Base Station) are in the authorization and authentication process. EAP integrates different authentication methods to match the nature of the communication channel. These methods are advised by IEEE including [4]: EAP-PKM, EAP-MD5, EAPOTP, EAP-GTC, EAP-TLS, EAP-SIM, and EAP-AKA, and in addition a number of vendor specific methods and new proposals exist. Commonly used modem methods capable of operating in wireless networks include EAP-TLS, EAP-SIM, EAP-AKA, PEAP, LEAP, and EAP-TTLS.

211 III. AUTHENTICATION MECHANISMS FOR WiMAX (PKM)

In this section, we describe the authentication mechanism for WiMAX. For end-to-end authentication, WiMAX uses PKM-EAP Extensible (Privacy Key ManagementAuthentication Protocol), which relies on the TLS (Transport Layer Security) standard which uses public key cryptography [5]. There are two Privacy Key Management Protocols supported in 802.16e - PKMvl and PKMv2. In this paper we discuss the PKMv2 with more enhanced authentication features. PKM supports two distinct authentication protocol mechanisms:

1. RSA (support is mandatory in all devices) 2. EAP (Extensible Authentication Protocol)

A. Authorization via PKMRSA Authentication Protocol

Figure 2 shows the authorization and authentication processes of PKMv2 protocol which uses a Request/Grant access mechanism. For a Subscriber Station (SS), a PKM "client", to access a network the Base Station (BS), a PKM server ", has to authorize the connection and the SS also authenticated the BS, only then can the SS have a security association with the BS. Once the SS associates with the BS, it shares a private session key with the BS, and communication between the BS and SS can start using encrypted messages.
Subscriber Station

When EAP is invoked by an 802. lx enabled NAS (Network Access Server) devices such as an 802.11 alblg Wireless Access Point, modem EAP methods can provide a secure authentication mechanism and negotiate a secure PMK (Pair-wise Master Key) between the client and NAS. The PMK can then be used for the wireless encryption session which uses TKIP (Temporal Key Integrity Protocol) or AES encryption [4]. WiMAX uses two of these methods; EAP-PKM and EAPTLS. EAP-TLS is an IETF open standard, and is well-supported among wireless vendors. It offers a good deal of security, since TLS is considered the successor of the SSL (Secure Socket Layer) standard. It uses PKI (Public key infrastructure) to secure communication to the RADIUS authentication server, and this fact may make it seem like a daunting task to set up. So even though EAP-TLS provides excellent security, the overhead of client-side certificates may be its Achilles heel.
EAP-TLS is the original standard wireless LAN EAP authentication protocol. The requirement for a client-side certificate is what gives EAP-TLS its authentication strength and illustrates the classic convenience versus security trade-off. A password that has been compromised is not enough to break into EAP-TLS enabled systems because the hacker still needs to have the client-side certificate. When the client-side certificates are housed in smartcards, this offers the most secure authentication solution available because there is no way to recover user's private key from a smartcard without stealing the smartcard itself. Any physical theft of a smartcard would be immediately noticed and revoked and a new smartcard would be issued.
EAP-PKM on the other hand involves both one-way and mutual authentication schemes, which are discussed in detail in section III.

Ss

Base Station

Authentication Information (CA Certification)

(SS-Random CertSS) Authorization Request Capabilities Basic CID)

Authorization Reply (SS-Random BS-Random Cert/SS) Encryted AK AK Life-time AK Seq No SAID I Cert (BS) I Sig (BS))

1. Check SS's CA 2. Generate AK 3, Encrypted AK by SS's public key with RSA

algorithm

2. Decrypted AK by SS's private

Key

1. Check BS's Cert & Signature

Key Request (AK Seq No SAID |NIAC-Digest)

1. Check SS's AK 2. Generate TEK

Key Reply
IEVAC-Digest 2. Decrypted TEK by KEK by SS's private
Key 1. Check BS's by

(AK Seq No SAID TEKO TEK1 IAC-Digest)

by 3KEK, which is
by SS's public key with RSA algorithm
derived from AK

E2E Encryption using TEK

Figure 2. PKMv2 authentication and authorization process

212
The PKMv2 authentication and authorization process is explained as follows:
1.

Attribute

2.

3.

4.

5.

6.

An SS begins authorization by sending an Authentication Information (Auth Info) message which contains the SS manufacturer's X.509 certificate to its BS. It provides a mechanism that a SS can identify itself to the BS. The sign "I" denotes bitstring concatenation The SS sends an Authorization Request (Auth Req) message to its BS immediately after sending the Auth Info message. This is a request for an Authorization Key (AK), as well as for the SAIDs identifying any a Static Security SAs the SS is authorized to participate in. In response to an Auth Req message, a BS validates the requesting SS's identity, determines the encryption algorithm and protocol, shares with the SS, activates an Authorization Key (AK) for the SS, encrypts it with the SS's public key, and sends it back to the SS in an Authorization (Auth Reply) Reply message. Authorization Key (AK) is a shared key for SS and BS (derived from PKI) Once a SS is authorized, the SS sends a Key Request message to the BS. Additional security is enforced by initiating the Traffic Encryption Key (TEK) state machine for each SAID in the Authorization Reply message. TEK is in charge of managing the keys that are used for encryption for the actual data traffic. Each TEK state machine periodically sends Key Request messages to the BS, requesting a refresh of keying material for their respective SAIDs After verifying the SS, the BS sends SS a Key Reply message with a 128-bit TEK, which is encrypted using the KEK derived from the AK. KEK can be generated by AK: KEK= Truncate(SHA(K PAD KEKIAK),128) The BS and the SS will maintain active two set of keying material ("Older" and "Newer") at the same time per SAID, which ensures that the SS will be able to continually exchange encrypted traffic with the BS The SS verify the BS by interiority checking HMACDigest. If the BS is verified, then get TEK by decryption of KEK with AK. Once the TEK is active for each Security Association (SA), all data traffic is encrypted with symmetric key algorithms

SS_Random

Cer(SS)

Capabilities

Basic CID

Contents A 64 bit random number generated in the SS. It is an unpredictable value SS generates. It severs two functions: it becomes SS's protocol instance identifier, and it is used by a new AK derivation scheme to guarantee SS that the resulting AK is fresh Contains the SS's X.509 user certificate, in which the SS's public key is included and lets the BS construct Authorization Reply message Describes requesting SS's security capabilities The Basic CID (Connection Identifier) in initial network entry. The Basic CID is the first static CID the BS assigns to an SS during initial ranging, which is the primary SAID (Security Association Identifier) same as the Basic CID. each service requiring its own security association

Table 1. The Authorization Request (Auth_Req) message

Contents A 64 bit random number received in auth request A 64 bit random number generated in the BS. It is an unpredictable value BS BS_Random generates. It severs two functions: it becomes BS's protocol instance identifier, and it is used by a new AK derivation scheme to guarantee BS that the resulting AK is fresh Contains the SS's X.509 user certificate Cert(SS) EncryptedAK An AK RSA encrypted with the SS's public key: RSA-OAEP-Encrypt (PubKey(SS), pre-PAK Id(SS)) AK Lifetime AK Aging timer. SS has to re-authorize with BS periodically AK Sequence Number 64 bit, which is used to distinguish between successive generations of AKs, and can avoid replay AK SeqNo

Attribute SS_Random

Cert(BS)
Sig(BS)

SAID

More details on the Authorization Request and Reply, Key Request and Reply, are given as follows (Tables 1-4):

attacks the Basic CID if in initial network entry The BS Certificate. BS can identify itself to the SS by CertBS and SigBS An RSA signature over all the other attributes in the message
message

Table 2. The Authorization Reply (Auth_Reply)

213
Attribute
AK SeqNo SAID

HMACDigest

Contents AK Sequence Number 64 bit, which is used to distinguish between successive generations of AKs, and can avoid replay attacks 16-bit security association Identifier Keyed SHA message digest of SeqNo SAID under AK's downlink HMAC key, which is used for BS to identify if SS has the right AK and avoid the forgeries by SHA algorithm. A valid HAMC value authenticates SS to BS

periodic reauthorization and key refresh. AK is encrypted by SS's public key, and from which a key encryption key (KEK) and TEK are derived B. Authorization via PKMExtensible Authentication Protocol [6]

After the SS associates with the BS, the EAP authorization process begins. The steps of the EAP authorization and authentication flow are shown in Figure 3:
1. EAP on the BS (ie. the EAP server) sends an EAPRequest message to the SS (ie. the EAP supplicant). This request might be an EAP identity request or the beginning of an EAP method. The message is encapsulated in a Media Access Control (MAC) management Protocol Data Unit (PDU) and transmitted. EAP on the SS receives the EAP-Request, passes it to the local EAP method for processing, and transmits EAP-Response 2. After one or more EAP-Request/Response exchanges, the authentication server (whether local to the Authenticator or connected remotely via an AAA protocol) determines whether or not the authentication is successful 3. Upon success, EAP on the BS transmits EAP-success, which is then encapsulated in a MAC management message and transmitted to the SS. EAP on the SS transmits a "success" indication on the logical control interface to fully activate the airlink. Both EAPs (authenticator BS and supplicant SS) export the AAAkey across the logical control interface. The AAA-key is the shared "master key" that is derived by the two sides in the course of executing the EAP inner method 4. The BS and SS each derive the EAP Master Key from the AAA-Key. BS sends the EAP-Establish-KeyRequest PKM message (including a 32-byte nonce) to the SS. The SS then generates its own 32-byte nonce, and derives a Transient Key (TK). The SS then derives Key Confirmation Key (KCK) and Authorization Key (AK) 5. MSS sends the EAP-Establish-Key-Reply PKM message (including the 32-byte nonce that it used to derive TK) to the BS.EAP-Establish-Key-Reply includes an HMAC Tuple TLV, which must be calculated using the KCK derived above 6. Upon receipt of the EAP-Establish-Key-Reply, the BS computes the TK, KCK, and AK. BS then validates the HMAC Tuple. BS sends the EAP-Establish-KeyConfirm PKM message to supply the MSS with its SA information and activate the Authorization Key (AK) 7. The authentication is now completed

Table 3. The Key Request message Attribute

AK SeqNo SAID

HMACDigest

TEKO

TEKI

Contents AK Sequence Number 64 bit, which is used to distinguish between successive generations of AKs, and can avoid replay attacks. 16-bit security association Identifier Keyed SHA message digest of SeqNo SAIDITEKOITEKI under AK's uplink HMAC key, which is used for SS to identify if BS has the right AK and avoid the forgeries by SHA algorithm "Older" generation of key parameters relevant to SAID, including the initialization vector, remaining lifetime, and sequence number for the data SA specified by SAID "Newer" generation of key parameters relevant to SAID, including the next TEK's initialization vector, lifetime, and sequence number for the data Sa specified by SAID
Table 4. The Key Reply message

In

authorization between SS and BS, controlled by the PKMv2 is the process of the following three entities: a) The BS authenticating a client SS's identity

summary,

the

digital-certificate-based

mutual

b) The SS authenticating the BS's identity

c)

protocol to obtain authorization key (AK) and traffic keying material (i.e. TEKs) from the BS, and to support

c)

An Mobile Station Subscriber

(MSS)

uses

the PKM

214
FAP

Authentfcator

EAP Supplicant

Arter Associate to BS

EAP REQUEST

RA~P RESPONSE

RADI'IS Protool
Derive the EAP Master Key
Coinpute TK KCK Ak V1ldate the IIMAC Tuke
Atahte thoe AK Authorizato:n KDD

EAP Aer Key

(l.ased oi PRY 3841)
DM" KC&AK f1om TI

I)erive the

EAP StUCCESS
ESTAB

ISFH KEY REQ JES

.A. . . . ....... .......

8. PKM-EAP relies on the TLS (Transport Layer Security) standard which uses public key cryptography and is very costly for some wireless devices. Thus, each base station in WiMAX has a dedicated high performance security processor, which gives us a chance to implement a mutual authentication system in WiMAX. In other words, an authentication protocol can be designed in a way where most of computational procedures are done inside of the base station

EAP K. TABL2ISH KEY REPIA'

EAP_ESTALISMI KEY CONFIRM!

Figure3. 802.16e EAP Authentication Process

C. Security Analysis of WiMAXAuthentication
area

However, there are also some known issues existing in the security architecture of WiMAX. Currently, WiMAX only defines ways to protect wireless communication at the MAC layer, but hasn't considered the threats from any attacks targeting the physical layer, for example, radio jamming, or continuously sending packets. This could result in an overwhelmed receiver, and eventually cause Denial of Service (DoS) or fast battery consumption. Despite the above shortcomings, the authentication and authorization mechanism used in WiMAX is still very promising.

The PKM-EAP of WiMAX has been introduced into the of WLAN in a more robust and secure way. As discussed above, the following enhancements have been addressed as shown as follows:
1. Mutual authentication is provided in PKMv2, which could avoid "Man in the Middle" attacks 2.

D. Accounting (Part of the AAA Scheme) [15]

The X.509 digitally signed certificate that is issued is unique to each SS and cannot be easily forged

3. Each service has a different SAID, if one service is compromised, the other services are not compromised 4. The limited lifetime of AK provides periodic reauthorization and key refresh, which prevents attackers from having large amount of data to perform cryptanalysis on

Accounting is dealt with in the management section where service is procured and delivered to the business owners and individual users. The issue is that the broadband wireless service provider needs to establish a facility-based metropolitan-area scalable, secure wireless broadband offering to be wholesaled through ISP channel partners. This is usually done by the deployment of low-cost WiMax (802.16) wireless technologies to provide broadband data services that are customized to support the access requirements of residential, small/home office, and business-class subscribers.
This solution includes:
*

5. 6.

Adding a random value from the BS and SS to authorization SA is a way to prevent replay attacks
WiMAX security supports two quality encryptions standards- DES3 and AES, which are considered secure for the foreseeable future

7.

SS can attempt to use a cached or handover-transferred Master Key and avoid a full re-authentication

The implementation of AAA functions using specialized wireless gateways and routers that interfaced to different back-end RADIUS servers and accounting systems The configuration of 802.16-based wireless equipments are required to provide customers with broadband data services using CPE-based wireless access for end-users. WiMAX itself benefits from an urban-scale 802.16 wireless coverage without using specialized wireless access equipment The configuration of 802.16 equipments provide wireless backhauls to extend telecommunication access to and from 802.16 wireless network hubs and
customers

215
*

* *
*

* *

Enabled support for multiple security mechanism for securing and encrypting wireless communication using PPTP/MPPE, L2TP/IPSec, and 802.lx security protocols Installation and configuration of routers, gateways, network switches, and other equipment required to ensure scalable and reliable network infrastructures Construction of internet and web services providing portal-based subscriber-management functions Configuration of Windows and Linux servers to manage security policies and provide for networkoperating functions - DHCP, DNS, VPN and WVPN termination, routing, certificate management, web servers, and etc Verification of range, functionality, and volume testing of wireless network deployments in order to validate performance and capacity models Performance testing of Windows client software configurations and network-interfaces cards to ensure the supportability of multiple client configurations and equipment; Intel, Netgear, Linksys, Proxim/Orinoco, DLink, Cisco, IBM/ActionTec, etc Development of specialized wireless-access-point management software using http and automated CLIbased interfaces as required enabling remote configuration and management of wireless equipment Development of specialized SNMP-based network tools to optimize the pointing direction of 802.16 antennas during the installation of wireless customer premise equipment and wireless point-to-point backhauls Development of web-accessible reporting tools used to provide analytical information for network performance monitoring and providing summarized usage information, or on a per-subscriber basis. Construction of training materials and providing training to network support staff using real-life environments that simulated various network failure and response scenarios

WiM\AX also increase the potential for attackers and the improvement in security schemes can also come at a price; increased processing power and the need to support public key certificates.

V. REFERENCE
[1] Hunglin Zhou, Wi-Fi Task Group Current Status, http://lee1.com/hlchou/ 1 WiFi_ TaskGroup_ Meeting_ok.ppt [2] WiMAX FAQs, http://www.unwiremycity.com/archives /2005/09/wimax _faqs 1I.html [3] IEEE 802.11, Wireless Local Area Networks (WAN's), The student reports, The Hebrew University of Jerusalem [4] The Extensible Authentication Protocol, From Wikipedia, the free encyclopedia [5] WiMAX Technology, www.hifn.com/docs/WiMAX_AB_ 1.4.pdf [6] JunHyuk Song, Yong Chang, Privacy Sublayer Clean Up, http://www.ieee802.org/ 16/tge/contrib/C80216e04 521rl.pdf [7] Fabian Andre Perez, Security in Current Commercial A Wireless Networks: Survey, http:// www.csociety.org/-fperez/Wireless Survey.pdf [8] G. Schafer, A. Festag, H. Karl, Current Approaches to Authentication in Wireless and Mobile Communications Networks, http:// www.tkn.tu-berlin.de/ publications/ papers/ tknO 1_002.pdf [9] David Johnston, Mutual Authorization for PKMv2, http://www.ieee802.org/ 16/tge/contrib/C80216e04 229.pdf [10] HungLin Chou, 802.16 & 802.11 Security Overview, http:// www.kjhole.com/ Seminar/Spring2005/PDF/802.16sec.pdf [11] Colonel Donald J. Welch, A Survey of 802.1 1a Wireless Security Threats and Security Mechanisms, http:// www.itoc.usma.edu/Documents/ITOC_TR-2003 - 101_

IV. CONCLUSION
The authentication for WiMAX using EAP-TLS and EAPPKM were presented here along with the complete handshaking schemes of PKMv2. It is obvious that WiMAX has far greater

[12] Chris Griffin, Creating a Secure Network for Your Business [13]Don MacVitte, 802.11i to Lock Down WLANs, http://www.networkingpipeline. com/specwatch/802.1 li jhtml [14]Dave Molta, Does 802.11i Solve Your WLAN Security Problems?, 1512colmolta [15] CASE STUDY: Design and Implement a Broadband Wireless Service Offering - Wireless Access, Wireless Extension, Boldtech Systems, 2004

(G6) .pdf

security authentication than Wi-Fi, which indicates WiMAX has the potential to achieve greater market success than Wi-Fi. However the perception of their safety will have to be high before they win the trust of enterprise and carrier users. The challenge is that the greater range and available bandwidth in

http://www.networkcomputing.com/showitem.jhtml?docid=