Improving MBMS Security in 3G

Wenyuan Xu wenyuan@winlab.rutgers.edu Rutgers University

Outline

Motivation The security problem The existing MBMS scheme Our improved scheme Experimental results
2

Motivation

The coming future: group-oriented applications on wireless networks Network basis: multicast 3G: Multimedia Broadcast/Multicast Service (MBMS) Security problem: control access to multicast data
MB-SC 3G Networks MB-SC: Broadcast Multicast - Service Center

Security Goal Access Control

Session Key
MB-SC: Broadcast Multicast - Service Center

MB-SC

3G Networks

Security Goal Access Control

Session Key MB-SC MBSC

3G Networks

Dilemmas in 3G Networks

Underlying Scenario:

Mobile Equipment (ME)

Powerful Not a secure device to store session key An attacker who is a subscribed user can distribute the decryption keys to others.

User Services Identity Module (USIM): SIM card

Not powerful enough to decrypt bulk data Secure device to store session key

Dilemmas in 3G Networks

Attacks:

An adversarial subscriber find out the Session Key (SK) and send it out to non-paying users.

In summary:

The need to store decryption keys in insecure memory makes it impossible to design a scheme where nonsubscribed users CANNOT access the data

What can we do?

7

What can we do?

Dissuade our potential market from using illegitimate methods to access the multicast content What is the potential market?

Users that desire cheap access to multicast services while being mobile.

Attacks we should not be concerned about:

Attacks that are expensive to mount (per-user basis) Attacks that assume the user is not mobile. 8

What can we do? (cont.)

Assumption

It is not easy for an adversarial subscriber to send out the Session key (SK). Thus, we assume there is a underlying cost associated with sharing the Session Key. There is a Registration Key established once the user subscribes to the service.

Strategy for protecting Keys

Make the Session Key change so frequently that the cost of attacking is more expensive than the cost of subscribing to the service. This strategy is used in Qualcomms S3-030040 proposal to 3GPP.

Requirement

The overhead of changing the SK should be modest. 9

Qualcomms Key Hierarchy

3G Core Network
Radio Access Network

MB-SC

Random number

f
BAK (Broadcast access key) SK (Session key)

RK (Registration key)

10

Qualcomms SK Distribution

Scheme
3G Core Network
Radio Access Network

MB-SC

CipherText || SK_RAND || BAK_ID || BAK_EXP

BM-SC send out the encrypted multicast data together with SK_RAND, BAK_ID, BAK_EXP

CipherText = ESK(content)
11

SK Distribution (Cont.)
3G Core Network
Radio Access Network

MB-SC

CipherText || SK_RAND || BAK_ID || BAK_EXP

Once ME finds that a new SK is used:

If USIM has BAK corresponding to BAK_ID

USIM: SK = f (SK_RAND, BAK) USIM sends the new SK to ME

ME asks USIM to calculate the new SK

12

Qualcomms BAK Distribution Scheme

3G Core Network
Radio Access Network

MB-SC

BAK request || USIM_ID

Each USIM sends out a BAK request to MB-SC from the ME

13

BAK Distribution (Cont.)

3G Core Network
Radio Access Network

MB-SC

Once the request passes the legality check, BM-SC:

Generates temporary key: TK = f (TK_RAND, RK) Sends: ETK(BAK) || TK_RAND 14

Session Key

Drawbacks

Bandwidth: network resources will be wasted on sending out SK_RAND.

SK_RAND has to be appended to each package. For higher level of security, SK_RAND has to be large.

BAK update problem: at the moment that a new BAK is used, every USIM will send out a BAK request to BMSC

BAK implosion problem High peak bandwidth

15

Improvements: One Way Function

3G Core Network
Radio Access Network

MB-SC

CipherText || SK_RAND || BAK_ID || BAK_EXP

Using one way function to generate SKs within USIM

SK0 = SK_SEED SK1 = f (SK0,BAK) SKi+1 = f (SKi, BAK)

16

Improvements: BAK Distribution

At the moment that a new BAK is used, every USIM will request BAK from BAK distributor almost at the same time BAK distributor pushes the new BAK to USIM instead of pulling by USIM

17

Improvements: Key Tree

Using additional set of keys (Key Encryption Keys KEK) to achieve key hierarchy Join: Use old shared key (SEK) to encrypt and distribute new session key Leave: Use lower level old key (KEK) to encrypt the higher level key, and only change the keys known by the leaving user

18

Simulation Setup

NS-2 Simulation Topology

Use two nodes to represent the Network since we are primarily concerned with capturing the bottleneck effect in the Network.
U1 Network B1 Link 1 N1 Link2 N2 U2

Queue length (l) Service rate (u) Bottleneck bandwidth Loss rate Delay Wired link Ui Users inter arrival time Duration time

19

Simulation Setup (cont.)

Movie session

Multicast traffic: statistical data from Star Wars IV Group member join/leave behavior:

Inter-arrival times and session durations are modeled as exponential distributions Inter-arrival time consists of two phases:

Beginning of movie (first 150 seconds): Users arrive more frequently Remainder of movie: Users arrive less frequently Mean duration = 46min 20

Session durations:

Simulation Results: Bandwidth Used for Group Size 760

Bandwidth (kb/s) Bandwidth (kb/s)

Qualcomms scheme

Our improved scheme

21

Simulation Results: Peak bandwidth vs. Group size

. . .

22

Conclusions:

An improved security framework was presented that involves:

The use of chained one-way functions for generating SKs The BM-SC pushing new BAKs to the users based on a keytree Reduce amount of bandwidth needed for updating keys Avoid potential BAK implosion problems associated with rekeying 3G multicasts Scales well as group size increases

These improvements:

The proposed mechanisms can be mapped to other network scenarios.

23

Future work:

We plan to formulate the relationship between the group join/leave behavior and the amount of communication overhead associated with rekeying? Our simulations only captured the bottleneck effect in 3G Core Networks

We plan to study different multicast strategies at the Radio Access Network and how key management affects RAN network performance.
24

Questions?

25

Thank you!