
Authentication Authorization and Accounting (AAA) Schemes in WiMAX

Date post: 26-Dec-2014
Upload: usman-masood

Sasan Adibi, Bin Lin, Pin-Han Ho, G.B. Agnew, Shervin Erfani

University of Waterloo, Broadband Communication Research Centre (BBCR)

200 University West Ave, Waterloo, Ontario Canada, N2L 3G1

Tel: (519) 888-4567 Ext. 7475

ABSTRACT

Authorization, Authentication, and Accounting schemes for WiMAX (Worldwide Interoperability for Microwave Access) are the focus of this paper. WiMAX works as a wireless metropolitan area network (MAN) technology, based on IEEE 802.16 specifications, which was designed to provide high-throughput wireless broadband connections (up to 70 Mbps for fixed scheme and up to 15 Mbps for mobile scheme) over long distances (up to 30 miles), and which is described as a "framework for the evolution of wireless broadband". The main focus of the authentication and authorization is based on the Privacy Key Management - Extensible Authentication Protocol for Pairwise Key Management "EAP-PKM" and the accounting issue.

I. INTRODUCTION

WiMAX has some similarities with Wi-Fi; however, its security aspects are stronger than those of Wi-Fi. The current standard for Wi-Fi security is specified in IEEE 802.11i; however, 802.11i has not been widely implemented and it is expected that 802.16 will take control of the market in 2006 due to the high bandwidth and long range in addition to the security strengths. This further incorporates the possibilities for higher integrated QoS (Quality of Service), minimum bandwidth guarantees and other performance improvements.

The main issues with the WiMAX security scheme are authentication and confidentiality [1]. Reference [1] mainly focuses on the authentication and authorization of WiMAX, since they are key components of any security solution. 802.16 security features are more promising as they are better designed as compared to those of 802.11 and the standard bodies of WiMAX have been prioritizing security options from the beginning. In fact, the WiMAX standard itself incorporates more flexible and better security support than the ones in the Wi-Fi standard [2]. Therefore we will give a brief overview of the currently existing authentication mechanisms of WLAN before that of WiMAX.

The organization of the paper is as follows: Section II discusses the problems encountered in the authentication and authorization of wireless links following an introduction to EAP (Extensible Authentication Protocol). Section III examines the authentication protocol "PKM-EAP" for WiMAX in detail. Finally, our concluding remarks and references are given in Section IV and V respectively.

II. PROBLEMS IN AUTHENTICATION AND AUTHORIZATION - EAP

The purpose of the authentication and authorization techniques mainly used in Wi-Fi systems is to prevent: snooping of the user ID, denial of service (DoS), offline dictionary attack, man-in-the-middle (MitM) attack, authentication method downgrading attacks, and breaking a weak key. In reference [3], the authentication protocol has to ensure information gathering about the user before choosing the protocol and to authenticate both sides equally (mutual authentication).

[Figure 1 diagram: the Peer and the Authenticator exchange Identity Request, Identity Response, EAP Request, EAP Response with the same type or a Nak (repeated as many times as needed, and repeated if mutual authentication is required), followed by an EAP Success or Failure message.]

Figure 1. EAP Generic Messaging Flows


Here we introduce EAP, which offers an authentication scheme that prevents the above mentioned problems. EAP allows for mutual authentication. It is basically a request-response protocol based on four different types of messages: EAP request, EAP response, EAP success, and EAP failure. Figure 1 shows a generic example of the EAP signaling, where the SS (Subscriber Station) and BS (Base Station) are in the authorization and authentication process.

EAP integrates different authentication methods to match the nature of the communication channel. These methods are advised by IEEE, including [4]: EAP-PKM, EAP-MD5, EAP-OTP, EAP-GTC, EAP-TLS, EAP-SIM, and EAP-AKA; in addition, a number of vendor specific methods and new proposals exist. Commonly used modern methods capable of operating in wireless networks include EAP-TLS, EAP-SIM, EAP-AKA, PEAP, LEAP, and EAP-TTLS.
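An added example, not part of the original paper: Python code that parses EAP packets in the request/response flow of Figure 1 and flags the authentication method downgrade named at the start of this section. The packet layout and type numbers follow RFC 3748 and the IANA EAP registry; the frames, the `build` and `audit_exchange` helpers and the EAP-TLS-only policy are constructed for illustration.

```python
import struct

# Code and Type numbers as assigned for EAP (RFC 3748 and the IANA EAP registry).
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 3: "Nak", 4: "EAP-MD5", 5: "EAP-OTP", 6: "EAP-GTC",
         13: "EAP-TLS", 18: "EAP-SIM", 21: "EAP-TTLS", 23: "EAP-AKA", 25: "PEAP"}


def build(code, ident, typ=None, data=b""):
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    body = b"" if typ is None else bytes([typ]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(frame):
    """Decode one EAP packet, rejecting truncated or inconsistent headers."""
    if len(frame) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if code not in CODES:
        raise ValueError(f"unknown code {code}")
    if length < 4 or length > len(frame):
        raise ValueError("length field does not fit the frame")
    pkt = {"code": CODES[code], "id": ident, "type": None, "data": b""}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response carries no Type")
        pkt["type"] = TYPES.get(frame[4], f"type-{frame[4]}")
        pkt["data"] = frame[5:length]
    elif length != 4:
        raise ValueError("Success/Failure must be exactly 4 bytes")
    return pkt


def audit_exchange(frames, allowed):
    """Replay a captured exchange and report what an authenticator should flag."""
    findings, pending, method = [], None, None
    for raw in frames:
        try:
            pkt = parse_eap(raw)
        except ValueError as err:
            findings.append(f"malformed packet: {err}")
            continue
        if pkt["code"] == "Request":
            pending = pkt
        elif pkt["code"] == "Response":
            if pending is None or pkt["id"] != pending["id"]:
                findings.append(f"response id {pkt['id']} answers no open request")
                continue
            if pkt["type"] == "Nak":
                # Nak data lists the method types the peer wants instead.
                wanted = [TYPES.get(b, f"type-{b}") for b in pkt["data"]]
                bad = [m for m in wanted if m not in allowed]
                if bad:
                    findings.append("Nak asks for disallowed method: " + ", ".join(bad))
            elif pkt["type"] != pending["type"]:
                findings.append("response type differs from the request type")
            elif pkt["type"] != "Identity":
                method = pkt["type"]
            pending = None
        elif pkt["code"] == "Success":
            if method not in allowed:
                findings.append(f"Success after method {method}, not in policy")
    return findings


# Constructed sample frames (not captured traffic). Policy: only EAP-TLS.
CHALLENGE = bytes([16]) + bytes(16)          # MD5 value-size byte + 16-byte value
CLEAN = [build(1, 1, 1), build(2, 1, 1, b"ss01"),
         build(1, 2, 13, b"\x20"), build(2, 2, 13, b"\x00"), build(3, 2)]
DOWNGRADED = [build(1, 1, 1), build(2, 1, 1, b"ss01"),
              build(1, 2, 13, b"\x20"), build(2, 2, 3, bytes([4])),   # Nak -> MD5
              build(1, 3, 4, CHALLENGE), build(2, 3, 4, CHALLENGE), build(3, 3)]

if __name__ == "__main__":
    for name, frames in (("clean", CLEAN), ("downgraded", DOWNGRADED)):
        print(name, audit_exchange(frames, allowed={"EAP-TLS"}))
```
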

When EAP is invoked by an 802.1x enabled NAS (Network Access Server) device such as an 802.11 a/b/g Wireless Access Point, modern EAP methods can provide a secure authentication mechanism and negotiate a secure PMK (Pair-wise Master Key) between the client and NAS. The PMK can then be used for the wireless encryption session which uses TKIP (Temporal Key Integrity Protocol) or AES encryption [4].

WiMAX uses two of these methods: EAP-PKM and EAP-TLS. EAP-TLS is an IETF open standard, and is well-supported among wireless vendors. It offers a good deal of security, since TLS is considered the successor of the SSL (Secure Socket Layer) standard. It uses PKI (Public Key Infrastructure) to secure communication to the RADIUS authentication server, and this fact may make it seem like a daunting task to set up. So even though EAP-TLS provides excellent security, the overhead of client-side certificates may be its Achilles heel.

EAP-TLS is the original standard wireless LAN EAP authentication protocol. The requirement for a client-side certificate is what gives EAP-TLS its authentication strength and illustrates the classic convenience versus security trade-off. A password that has been compromised is not enough to break into EAP-TLS enabled systems because the hacker still needs to have the client-side certificate. When the client-side certificates are housed in smartcards, this offers the most secure authentication solution available because there is no way to recover a user's private key from a smartcard without stealing the smartcard itself. Any physical theft of a smartcard would be immediately noticed and revoked and a new smartcard would be issued.

EAP-PKM on the other hand involves both one-way and mutual authentication schemes, which are discussed in detail in Section III.

III. AUTHENTICATION MECHANISMS FOR WiMAX (PKM)

In this section, we describe the authentication mechanism for WiMAX. For end-to-end authentication, WiMAX uses PKM-EAP (Privacy Key Management - Extensible Authentication Protocol), which relies on the TLS (Transport Layer Security) standard which uses public key cryptography [5]. There are two Privacy Key Management Protocols supported in 802.16e: PKMv1 and PKMv2. In this paper we discuss PKMv2, with more enhanced authentication features. PKM supports two distinct authentication protocol mechanisms:

1. RSA (support is mandatory in all devices)

2. EAP (Extensible Authentication Protocol)

A. Authorization via PKM RSA Authentication Protocol

Figure 2 shows the authorization and authentication processes of the PKMv2 protocol, which uses a Request/Grant access mechanism. For a Subscriber Station (SS), a PKM "client", to access a network, the Base Station (BS), a PKM "server", has to authorize the connection and the SS also authenticates the BS; only then can the SS have a security association with the BS. Once the SS associates with the BS, it shares a private session key with the BS, and communication between the BS and SS can start using encrypted messages.

[Figure 2 diagram: message sequence between the Subscriber Station (SS) and the Base Station (BS):

SS -> BS: Authentication Information (CA Certification)
SS -> BS: Authorization Request (SS-Random | Cert(SS) | Capabilities | Basic CID)
BS -> SS: Authorization Reply (SS-Random | BS-Random | Cert(SS) | Encrypted AK | AK Lifetime | AK Seq No | SAID | Cert(BS) | Sig(BS))
SS -> BS: Key Request (AK SeqNo | SAID | HMAC-Digest)
BS -> SS: Key Reply (AK Seq No | SAID | TEK0 | TEK1 | HMAC-Digest)
E2E Encryption using TEK

BS annotations: check SS's CA, generate AK, encrypt AK with SS's public key using the RSA algorithm; check SS's AK, generate TEK, encrypted with the KEK derived from AK.
SS annotations: check BS's Cert and Signature, decrypt AK with SS's private key; check BS by HMAC-Digest, decrypt TEK with the KEK.]

Figure 2. PKMv2 authentication and authorization process


The PKMv2 authentication and authorization process is explained as follows:

1. An SS begins authorization by sending an Authentication Information (Auth Info) message, which contains the SS manufacturer's X.509 certificate, to its BS. It provides a mechanism by which an SS can identify itself to the BS. The sign "|" denotes bitstring concatenation

2. The SS sends an Authorization Request (Auth Req) message to its BS immediately after sending the Auth Info message. This is a request for an Authorization Key (AK), as well as for the SAIDs identifying any Static Security SAs the SS is authorized to participate in.

3. In response to an Auth Req message, a BS validates the requesting SS's identity, determines the encryption algorithm and protocol it shares with the SS, activates an Authorization Key (AK) for the SS, encrypts it with the SS's public key, and sends it back to the SS in an Authorization Reply (Auth Reply) message. The Authorization Key (AK) is a shared key for SS and BS (derived from PKI)

4. Once an SS is authorized, the SS sends a Key Request message to the BS. Additional security is enforced by initiating the Traffic Encryption Key (TEK) state machine for each SAID in the Authorization Reply message. TEK is in charge of managing the keys that are used for encryption of the actual data traffic. Each TEK state machine periodically sends Key Request messages to the BS, requesting a refresh of keying material for their respective SAIDs

5. After verifying the SS, the BS sends the SS a Key Reply message with a 128-bit TEK, which is encrypted using the KEK derived from the AK. The KEK can be generated from the AK:

KEK = Truncate(SHA(K_PAD_KEK | AK), 128)

The BS and the SS will maintain two active sets of keying material ("Older" and "Newer") at the same time per SAID, which ensures that the SS will be able to continually exchange encrypted traffic with the BS

6. The SS verifies the BS by checking the integrity of the HMAC-Digest. If the BS is verified, the SS then gets the TEK by decrypting it with the KEK derived from the AK. Once the TEK is active for each Security Association (SA), all data traffic is encrypted with symmetric key algorithms

More details on the Authorization Request and Reply, Key Request and Reply, are given as follows (Tables 1-4):

| Attribute | Contents |
|---|---|
| SS_Random | A 64 bit random number generated in the SS. It is an unpredictable value SS generates. It serves two functions: it becomes SS's protocol instance identifier, and it is used by a new AK derivation scheme to guarantee SS that the resulting AK is fresh |
| Cert(SS) | Contains the SS's X.509 user certificate, in which the SS's public key is included and lets the BS construct the Authorization Reply message |
| Capabilities | Describes requesting SS's security capabilities |
| Basic CID | The Basic CID (Connection Identifier) in initial network entry. The Basic CID is the first static CID the BS assigns to an SS during initial ranging, which is the primary SAID (Security Association Identifier) same as the Basic CID. Each service requiring its own security association |

Table 1. The Authorization Request (Auth_Req) message

| Attribute | Contents |
|---|---|
| SS_Random | A 64 bit random number received in auth request |
| BS_Random | A 64 bit random number generated in the BS. It is an unpredictable value BS generates. It serves two functions: it becomes BS's protocol instance identifier, and it is used by a new AK derivation scheme to guarantee BS that the resulting AK is fresh |
| Cert(SS) | Contains the SS's X.509 user certificate |
| Encrypted AK | An AK RSA encrypted with the SS's public key: RSA-OAEP-Encrypt(PubKey(SS), pre-PAK \| Id(SS)) |
| AK Lifetime | AK Aging timer. SS has to re-authorize with BS periodically |
| AK SeqNo | AK Sequence Number 64 bit, which is used to distinguish between successive generations of AKs, and can avoid replay attacks |
| SAID | The Basic CID if in initial network entry |
| Cert(BS) | The BS Certificate. BS can identify itself to the SS by CertBS and SigBS |
| Sig(BS) | An RSA signature over all the other attributes in the message |

Table 2. The Authorization Reply (Auth_Reply) message


| Attribute | Contents |
|---|---|
| AK SeqNo | AK Sequence Number 64 bit, which is used to distinguish between successive generations of AKs, and can avoid replay attacks |
| SAID | 16-bit security association Identifier |
| HMAC-Digest | Keyed SHA message digest of SeqNo \| SAID under AK's downlink HMAC key, which is used for BS to identify if SS has the right AK and avoid the forgeries by SHA algorithm. A valid HMAC value authenticates SS to BS |

Table 3. The Key Request message

| Attribute | Contents |
|---|---|
| AK SeqNo | AK Sequence Number 64 bit, which is used to distinguish between successive generations of AKs, and can avoid replay attacks. |
| SAID | 16-bit security association Identifier |
| HMAC-Digest | Keyed SHA message digest of SeqNo \| SAID \| TEK0 \| TEK1 under AK's uplink HMAC key, which is used for SS to identify if BS has the right AK and avoid the forgeries by SHA algorithm |
| TEK0 | "Older" generation of key parameters relevant to SAID, including the initialization vector, remaining lifetime, and sequence number for the data SA specified by SAID |
| TEK1 | "Newer" generation of key parameters relevant to SAID, including the next TEK's initialization vector, lifetime, and sequence number for the data SA specified by SAID |

Table 4. The Key Reply message
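An added example, not part of the original paper: steps 4 to 6 and Table 3 from the BS's point of view, deriving the KEK with the formula in step 5 and validating a Key Request's HMAC-Digest, AK sequence number and AK lifetime. The pad bytes are taken from IEEE 802.16-2004 and are an assumption here, as are the 160-bit AK, the HMAC-SHA-1 digest and the hypothetical `BaseStation` class; field widths follow Table 3.

```python
import hashlib
import hmac
import struct

# Pad bytes are an assumption taken from IEEE 802.16-2004; the page gives only
# the KEK formula and does not list them.
K_PAD_KEK = b"\x53" * 64
H_PAD_KEYREQ = b"\x5c" * 64      # pad for the HMAC key that protects Key Request
DIGEST_LEN = 20                  # SHA-1 output size


def derive_kek(ak):
    """KEK = Truncate(SHA(K_PAD_KEK | AK), 128): the leftmost 128 bits."""
    return hashlib.sha1(K_PAD_KEK + ak).digest()[:16]


def derive_hmac_key(ak):
    """HMAC key derived from the AK the same way, with its own pad."""
    return hashlib.sha1(H_PAD_KEYREQ + ak).digest()


def key_request(ak, ak_seq, said):
    """SS side: AK SeqNo (64 bit) | SAID (16 bit) | HMAC-Digest, widths per Table 3."""
    body = struct.pack("!QH", ak_seq, said)
    return body + hmac.new(derive_hmac_key(ak), body, hashlib.sha1).digest()


class BaseStation:
    """BS side: remembers each AK it issued, by sequence number, with its expiry."""

    def __init__(self):
        self.issued = {}

    def activate_ak(self, ak_seq, ak, lifetime_s, now):
        self.issued[ak_seq] = (ak, now + lifetime_s)

    def check_key_request(self, msg, now):
        if len(msg) != 10 + DIGEST_LEN:
            return "malformed"
        body, digest = msg[:10], msg[10:]
        ak_seq, said = struct.unpack("!QH", body)
        if ak_seq not in self.issued:
            return "unknown AK sequence number"
        ak, expires = self.issued[ak_seq]
        if now >= expires:
            return "AK lifetime expired"
        expected = hmac.new(derive_hmac_key(ak), body, hashlib.sha1).digest()
        # Constant-time comparison so the check leaks nothing about the digest.
        if not hmac.compare_digest(expected, digest):
            return "bad HMAC-Digest"
        return "ok"


def demo():
    ak = bytes(range(20))                    # constructed 160-bit AK
    bs = BaseStation()
    bs.activate_ak(ak_seq=7, ak=ak, lifetime_s=3600, now=0)
    good = key_request(ak, 7, 0x1234)
    tampered = good[:8] + struct.pack("!H", 0x1235) + good[10:]   # SAID altered
    return {
        "valid": bs.check_key_request(good, now=10),
        "tampered SAID": bs.check_key_request(tampered, now=10),
        "wrong AK": bs.check_key_request(key_request(bytes(20), 7, 0x1234), now=10),
        "old sequence": bs.check_key_request(key_request(ak, 6, 0x1234), now=10),
        "after lifetime": bs.check_key_request(good, now=3600),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
    print("KEK:", derive_kek(bytes(range(20))).hex())
```
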

In summary, the digital-certificate-based mutual authorization between SS and BS, controlled by PKMv2, is the process of the following three entities:

a) The BS authenticating a client SS's identity

b) The SS authenticating the BS's identity

c) A Mobile Station Subscriber (MSS) uses the PKM protocol to obtain the authorization key (AK) and traffic keying material (i.e. TEKs) from the BS, and to support periodic reauthorization and key refresh. The AK is encrypted by the SS's public key, and from it a key encryption key (KEK) and TEK are derived

B. Authorization via PKM Extensible Authentication Protocol [6]

After the SS associates with the BS, the EAP authorization process begins. The steps of the EAP authorization and authentication flow are shown in Figure 3:

1. EAP on the BS (i.e. the EAP server) sends an EAP-Request message to the SS (i.e. the EAP supplicant). This request might be an EAP identity request or the beginning of an EAP method. The message is encapsulated in a Media Access Control (MAC) management Protocol Data Unit (PDU) and transmitted. EAP on the SS receives the EAP-Request, passes it to the local EAP method for processing, and transmits an EAP-Response

2. After one or more EAP-Request/Response exchanges, the authentication server (whether local to the Authenticator or connected remotely via an AAA protocol) determines whether or not the authentication is successful

3. Upon success, EAP on the BS transmits EAP-Success, which is then encapsulated in a MAC management message and transmitted to the SS. EAP on the SS transmits a "success" indication on the logical control interface to fully activate the airlink. Both EAPs (authenticator BS and supplicant SS) export the AAA-key across the logical control interface. The AAA-key is the shared "master key" that is derived by the two sides in the course of executing the EAP inner method

4. The BS and SS each derive the EAP Master Key from the AAA-Key. The BS sends the EAP-Establish-Key-Request PKM message (including a 32-byte nonce) to the SS. The SS then generates its own 32-byte nonce, and derives a Transient Key (TK). The SS then derives the Key Confirmation Key (KCK) and Authorization Key (AK)

5. The MSS sends the EAP-Establish-Key-Reply PKM message (including the 32-byte nonce that it used to derive TK) to the BS. EAP-Establish-Key-Reply includes an HMAC Tuple TLV, which must be calculated using the KCK derived above

6. Upon receipt of the EAP-Establish-Key-Reply, the BS computes the TK, KCK, and AK. The BS then validates the HMAC Tuple. The BS sends the EAP-Establish-Key-Confirm PKM message to supply the MSS with its SA information and activate the Authorization Key (AK)

7. The authentication is now completed


[Figure 3 diagram: the EAP Supplicant and the EAP Authenticator (with the RADIUS protocol behind the authenticator). After the SS associates to the BS, the messages are EAP REQUEST, EAP RESPONSE, EAP SUCCESS, EAP ESTABLISH KEY REQUEST and EAP ESTABLISH KEY REPLY. Both sides derive the EAP Master Key; the supplicant derives KCK and AK from TK; the authenticator computes TK, KCK and AK, validates the HMAC Tuple and activates the AK.]

C. Security Analysis of WiMAX Authentication

The PKM-EAP of WiMAX has been introduced into the area of WLAN in a more robust and secure way. As discussed above, the following enhancements have been addressed:

1. Mutual authentication is provided in PKMv2, which could avoid "Man in the Middle" attacks

2. The X.509 digitally signed certificate that is issued is unique to each SS and cannot be easily forged

3. Each service has a different SAID; if one service is compromised, the other services are not compromised

4. The limited lifetime of the AK provides periodic reauthorization and key refresh, which prevents attackers from having a large amount of data to perform cryptanalysis on

5. Adding a random value from the BS and SS to the authorization SA is a way to prevent replay attacks

6. WiMAX security supports two quality encryption standards, DES3 and AES, which are considered secure for the foreseeable future

7. The SS can attempt to use a cached or handover-transferred Master Key and avoid a full re-authentication

8. PKM-EAP relies on the TLS (Transport Layer Security) standard, which uses public key cryptography and is very costly for some wireless devices. Thus, each base station in WiMAX has a dedicated high performance security processor, which gives us a chance to implement a mutual authentication system in WiMAX. In other words, an authentication protocol can be designed in a way where most of the computational procedures are done inside the base station

However, there are also some known issues existing in the security architecture of WiMAX. Currently, WiMAX only defines ways to protect wireless communication at the MAC layer, but hasn't considered the threats from any attacks targeting the physical layer, for example, radio jamming, or continuously sending packets. This could result in an overwhelmed receiver, and eventually cause Denial of Service (DoS) or fast battery consumption. Despite the above shortcomings, the authentication and authorization mechanism used in WiMAX is still very promising.

D. Accounting (Part of the AAA Scheme) [15]

Accounting is dealt with in the management section, where service is procured and delivered to the business owners and individual users. The issue is that the broadband wireless service provider needs to establish a facility-based, metropolitan-area, scalable, secure wireless broadband offering to be wholesaled through ISP channel partners. This is usually done by the deployment of low-cost WiMax (802.16) wireless technologies to provide broadband data services that are customized to support the access requirements of residential, small/home office, and business-class subscribers.

This solution includes:

* The implementation of AAA functions using specialized wireless gateways and routers that interfaced to different back-end RADIUS servers and accounting systems

* The configuration of 802.16-based wireless equipment required to provide customers with broadband data services using CPE-based wireless access for end-users. WiMAX itself benefits from an urban-scale 802.16 wireless coverage without using specialized wireless access equipment

* The configuration of 802.16 equipment to provide wireless backhauls that extend telecommunication access to and from 802.16 wireless network hubs and customers

[Figure 3 diagram, final message: EAP ESTABLISH KEY CONFIRM]

Figure 3. 802.16e EAP Authentication Process


* Enabled support for multiple security mechanisms for securing and encrypting wireless communication using PPTP/MPPE, L2TP/IPSec, and 802.1x security protocols

* Installation and configuration of routers, gateways, network switches, and other equipment required to ensure scalable and reliable network infrastructures

* Construction of internet and web services providing portal-based subscriber-management functions

* Configuration of Windows and Linux servers to manage security policies and provide for network-operating functions: DHCP, DNS, VPN and WVPN termination, routing, certificate management, web servers, etc.

* Verification of range, functionality, and volume testing of wireless network deployments in order to validate performance and capacity models

* Performance testing of Windows client software configurations and network-interface cards to ensure the supportability of multiple client configurations and equipment: Intel, Netgear, Linksys, Proxim/Orinoco, DLink, Cisco, IBM/ActionTec, etc.

* Development of specialized wireless-access-point management software using http and automated CLI-based interfaces as required, enabling remote configuration and management of wireless equipment

* Development of specialized SNMP-based network tools to optimize the pointing direction of 802.16 antennas during the installation of wireless customer premise equipment and wireless point-to-point backhauls

* Development of web-accessible reporting tools used to provide analytical information for network performance monitoring and to provide usage information, summarized or on a per-subscriber basis.

* Construction of training materials and providing training to network support staff using real-life environments that simulated various network failure and response scenarios

IV. CONCLUSION

The authentication for WiMAX using EAP-TLS and EAP-PKM was presented here along with the complete handshaking schemes of PKMv2. It is obvious that WiMAX has far greater security authentication than Wi-Fi, which indicates WiMAX has the potential to achieve greater market success than Wi-Fi. However, the perception of their safety will have to be high before they win the trust of enterprise and carrier users. The challenge is that the greater range and available bandwidth in WiMAX also increase the potential for attackers, and the improvement in security schemes can also come at a price: increased processing power and the need to support public key certificates.

V. REFERENCE

[1] Hunglin Zhou, Wi-Fi Task Group Current Status, http://lee-1.com/hlchou/ 1 WiFi_ TaskGroup_ Meeting_ok.ppt

[2] WiMAX FAQs, http://www.unwiremycity.com/archives/2005/09/wimax _faqs 1I.html

[3] IEEE 802.11, Wireless Local Area Networks (WAN's), The student reports, The Hebrew University of Jerusalem

[4] The Extensible Authentication Protocol, From Wikipedia, the free encyclopedia

[5] WiMAX Technology, www.hifn.com/docs/WiMAX_AB_1.4.pdf

[6] JunHyuk Song, Yong Chang, Privacy Sublayer Clean Up, http://www.ieee802.org/ 16/tge/contrib/C80216e-04 521rl.pdf

[7] Fabian Andre Perez, Security in Current Commercial Wireless Networks: A Survey, http://www.csociety.org/-fperez/Wireless Survey.pdf

[8] G. Schafer, A. Festag, H. Karl, Current Approaches to Authentication in Wireless and Mobile Communications Networks, http:// www.tkn.tu-berlin.de/ publications/papers/ tknO 1_002.pdf

[9] David Johnston, Mutual Authorization for PKMv2, http://www.ieee802.org/ 16/tge/contrib/C80216e-04 229.pdf

[10] HungLin Chou, 802.16 & 802.11 Security Overview, http://www.kjhole.com/ Seminar/Spring2005/PDF/802.16sec.pdf

[11] Colonel Donald J. Welch, A Survey of 802.11a Wireless Security Threats and Security Mechanisms, http://www.itoc.usma.edu/Documents/ITOC_TR-2003 - 101_(G6) .pdf

[12] Chris Griffin, Creating a Secure Network for Your Business

[13] Don MacVitte, 802.11i to Lock Down WLANs, http://www.networkingpipeline.com/specwatch/802.1 lijhtml

[14] Dave Molta, Does 802.11i Solve Your WLAN Security Problems?, http://www.networkcomputing.com/showitem.jhtml?docid=1512colmolta

[15] CASE STUDY: Design and Implement a Broadband Wireless Service Offering - Wireless Access, Wireless Extension, Boldtech Systems, 2004

