
WiMAX Group no. 10

Wireless Communication Systems’10

Security Issues on WiMAX

Prathap Mathiyalagan Pidishetty Mahesh Babu MD. Ansarul Haque

Pramat09@student.hh.se mahpid09@student.hh.se mdahaq09@student.hh.se

Babu Yadla

babyad09@student.hh.se

Abstract:

WiMAX (Worldwide Interoperability for Microwave Access) technology is growing and
becoming more popular day by day because of its long-distance communication, high-speed
data transfer and mobility support. But when wireless devices are added to a network,
security becomes the main concern. In this paper we explain the security issues of WiMAX:
its architecture, the physical layer threats of jamming and scrambling, MAC layer threats,
weaknesses and attacks. Under counter measurements we discuss time stamping and the
preliminary authorization key. By taking these measures we can limit the security issues
on WiMAX.

Table of Contents
1. INTRODUCTION TO WIMAX
2. SECURITY ARCHITECTURE
2.1 PROTOCOL LAYER
2.2 SECURITY SCHEME
2.2.1 AUTHENTICATION
2.2.2 AUTHORIZATION
2.2.3 ENCRYPTION
3. WIMAX SECURITY
3.1 PHYSICAL LAYER THREAT
3.2 MEDIUM ACCESS LAYER THREAT
3.3 WEAKNESS AND ATTACKS
3.4 REPLAY ATTACK AND DENIAL OF SERVICES ATTACK
3.5 COUNTER MEASUREMENTS AND RECOMMENDATION
4. CONCLUSION
5. REFERENCES

1. INTRODUCTION TO WIMAX
WiMAX stands for Worldwide Interoperability for Microwave Access. It is a
telecommunications technology that delivers wireless transmission of data using a mixture
of transmission modes. Microwaves are electromagnetic waves with frequencies
ranging between 300 MHz and 300 GHz. WiMAX provides broadband speeds of up to 10 Mbps
without the need for cables. The IEEE 802.16 standard, which is also called Broadband
Wireless Access, represents this influential technology.

The 802.16 standards are referred to as "WiMAX", "mobile WiMAX", "802.16d" and
"802.16e". 802.16-2004 is known as 802.16d and is called "fixed WiMAX" since it has
no support for mobility. 802.16-2005 is known as 802.16e and is called "mobile WiMAX"
since it supports mobility and other facilities. WiMAX is used for connecting Wi-Fi
hotspots to the Internet, for providing a wireless alternative to cable and DSL
communication over long distances (usually called "last mile" broadband access), for
providing telecommunication and data services, and as a source of Internet connectivity
as part of a business plan [5].

In December 2004, Aceh, Indonesia was completely cut off from communication after the
tsunami. Apart from radio, there was no communication medium in the area. WiMAX
provided broadband access for communicating with the people of the disaster area in
Aceh, Indonesia. WiMAX was also used effectively to assist the FCC and FEMA in
communicating with the areas affected by Hurricane Katrina. Intel Corporation also
made donations for WiMAX.

WiMAX has the capability to replace the current cellular phone technologies (GSM and
CDMA), and it can be used as an overlay to increase capacity. It can be used in both
developed and poor nations as a wireless backhaul technology for 2G, 3G and 4G
networks. Why is WiMAX so popular nowadays? WiMAX increases throughput by
using a scheduling algorithm in the Media Access Controller (MAC). Each subscriber
station has to compete only once, for its initial entry into the network, rather than
on a random basis as in Wi-Fi, which eliminates bottlenecks.

WiMAX can operate at higher bit rates or over longer distances, but its limitation is
that it cannot do both at the same time. For example, operating at the longer range of
40-50 km increases the bit error rate and results in a much lower bit rate. In reality,
there is no example of this service delivering bit rates above 40 Mbps. In terms of
operational expenses, WiMAX costs less than other technologies. It uses only a common
network core called All-IP (all-packet technology without circuit telephony) rather
than both packet and circuit core networks. WiMAX is a technology of layer 1 (PHY or
Physical layer) and layer 2 (MAC or Media Access Control layer).

2. SECURITY ARCHITECTURE
2.1. Protocol layer
The IEEE 802.16 standard describes the interfaces of the MAC and Physical layers. The
protocol architecture consists of two layers: the MAC layer and the Physical layer.
Figure 1 shows the protocol layers, with the three sub layers of the MAC layer.

Figure 1: Protocol Stack

In the figure, the MAC layer is shown as the combination of the Convergence Sub Layer /
Service Specific Convergence Sub Layer, the Common Part Sub Layer and the Security Sub
Layer. The MAC sub layers are explained as follows:

1. Convergence Sub Layer / Service Specific Convergence Sub Layer (CS). This layer is
used for classifying and mapping upper layer data services into IEEE 802.16 MAC layer
connections.

2. Common Part Sub Layer (CPS). The CPS is responsible for connection establishment,
bandwidth allocation and maintenance of the connection between the MAC CPS and the CS.

3. Security Sub Layer. It is a separate sub layer of the MAC layer, located between
the Physical layer and the MAC CPS. Its function is to encrypt and decrypt the data
transferred to and from the Physical layer; the security sub layer is also used for
authentication and key exchange [6].

2.2. Security Scheme

The security sub layer is a separate sub layer of the MAC layer; it performs the
Authentication, Authorization and Encryption functions. Figure 2 shows the security sub
layer. The security features are enhanced in the IEEE 802.16e standard compared to IEEE
802.16d.

Figure 2: Security sub layer

2.2.1 Authentication
The authentication protocols supported by WiMAX are as follows.

The RSA Authentication gets the identity of the base station by using the subscriber
station. The determination is done by using the X.509 certificate. Figure 3 shows the
X.509 certificate with its eleven elements [7].

The certificates are classified into manufacturer certificates and subscriber station
certificates. The third party is identified by using the manufacturer certificate; the
BS determines whether the SS is authentic or not.

Figure 3: X.509 certificate

First the BS verifies the X.509 certificate before granting an Authorization Key (AK);
then, using the verified public key, the BS encrypts an AK and sends the encrypted AK to
the SS. The RSA process is shown in Figure 4. In the SS the message is encrypted and
sent to the BS; the encryption at the SS is done using the public key and formula. Then
the encrypted message is sent to the SS, where decryption is done using the private key
and formula.

Figure 4: RSA Authentication

Extensible Authentication Protocol (EAP) allows the SS and the BS to authenticate each
other using X.509 certificates. EAP was introduced in the 802.16e standard; it is a
simple encapsulation. EAP can run over PPP and it also runs on WiMAX. In a WiMAX system,
EAP runs between the mobile station and the BS over Privacy Key Management v2. The EAP
security protocol is described in IEEE 802.16e. Authentication runs from the mobile
station, not in the BS; the BS sends the authentication procedure to the Authenticator
in the access service network. When EAP is transmitted from the Authenticator to the
Authentication server, it is carried over RADIUS (Remote Authentication Dial-In User
Service). The EAP framework is shown in Figure 5.

Figure 5: EAP

EAP uses HMAC for authentication. CMAC, which is described in the IEEE 802.16e standard,
can be used in place of HMAC. Using HMAC, the receiver can validate the identity of the
sender. Sender validation is possible because the sender includes with the message an
HMAC computed with a key known only to the receiver and the sender. When the message is
received, the receiver computes the HMAC itself and compares it with the one in the
sender's message. If they match, the identity is verified. Cipher-based Message
Authentication Code (CMAC) can be used as an alternative to HMAC.

2.2.2. Authorization
The authorization process follows the authentication process. First the SS sends a
Privacy Key Management Request (PKM-REQ) message with the authentication information,
the SS's X.509 certificate. The BS authorizes it and sends back to the SS a public key
with a lifetime key.

2.2.3. Encryption
To encrypt the data traffic, a Traffic Encryption Key (TEK) is used. The TEK is
encrypted with the Key Encryption Key (KEK). Figure 6 shows the process of TEK
encryption [5].

Figure 6: TEK Encryption Process

3. WIMAX SECURITY
In the WiMAX protocol architecture there are two layers: the Medium Access Control
(MAC) layer and the Physical layer. In the WiMAX layer architecture, the MAC layer
contains the Convergence layer, the Common Part layer and the Security layer. The
service access point (SAP) is defined by the standard and transfers data between layers.
The Common Part sub layer handles the MAC Protocol Data Unit (PDU), sets up connections
and maintains bandwidth [2]; it also exchanges MAC services with the Convergence layer.
The Common Part sub layer is surrounded by the security sub layer, in which connection
authentication and data encryption are done [2]. The security sub layer sends the MAC
PDU to the Physical layer, and the Convergence layer adapts higher-level data (IP
packets) to MAC Service Data Units (SDUs) [2].

Figure 6: WiMAX layers

3.1. Physical layer threats
In the Physical layer, bit frames have the same size and sequence. There are two types
of bit frame: the downlink bit frame and the uplink bit frame [2]. To process these
frames, Frequency Division Duplex (FDD) and Time Division Duplex (TDD) are used. A
brief study of the TDD downlink shows a breakage of data frames. There are 2 parts in
this: the first part is control information and the second part is data. The Mobile
Station (MS) has the ability to limit the breakage in the signal, but it allows breakage
in the transmission signal because it cannot demodulate it: the security sub layer is
above the physical layer, and the physical layer itself is unsecured [2]. The physical
layer can therefore be attacked (interrupted) with the threats called jamming and
scrambling.

Jamming threat: It reduces the channel capacity by introducing noise that interrupts
the transmission signal and jams the bandwidth. Jamming can be avoided with a spread
spectrum scheme [2].

Scrambling threat: It affects the data transmission in the signal. Scrambling is a
short form of jamming: it interrupts specific frames for short time intervals. The
problems of scrambling are high amplitude, time delay and channel measurement;
scrambling can be detected by monitoring irregularities in the signal transmission
process [2].

3.2. Medium Access Control layer threats

The MAC layer is connection oriented, with management connections and data transport
connections. There are 3 types of management connection: Basic, Primary and Secondary.
When each mobile station (MS) joins the network, the basic connection is created for
short and urgent management messages [2]. For each MS, the primary connection is created
at the time of entering the network for delay-tolerant management messages. The
secondary connection is used for IP-encapsulated management messages. The Security
Association (SA) shows how security is maintained on the connection between the MS and
the Base Station (BS). Security keys, the encryption algorithm and the association are
used during authorization in the network. There are three types of security association:
Primary SA, Static SA and Dynamic SA. Each SA has an identifier (SAID), a cryptographic
suite identifier, a Traffic Encryption Key (TEK) and an initialization vector [2]. Every
MS has a primary SA, an X.509 certificate, an Authorization Key (AK), a Key Encryption
Key (KEK) and a Hashed Message Authentication Code (HMAC) key [2]. Every MS is equipped
with an X.509 certificate; the certificate contains the public key of the MS, is used
for authentication with the BS, and is permanent. Every transport connection has one or
two SAs for downlink and uplink. The table shows different types of security threats;
among them, eavesdropping on management messages is a main threat, because it provides
information to the attacker, including the location of the victim before committing a
crime [2].

Table 1: Threats table

3.3. Weaknesses and Attacks

The two main areas that are attacked in WiMAX are authentication and key exchange [1].
Each MS has an X.509 certificate and authenticates itself, but the BS does not
authenticate [1]. The attacker is therefore able to act as a BS between the MS and the
real BS: it tries to authenticate with the MS and create a session by transferring an
authorization key, creates an authorization reply message that includes the
authorization key, sends it to the MS and so controls the authentication of the MS. This
type of attack is called man in the middle (MIM) [1]. Because of MIM, the MS cannot
recognize the original BS to authenticate.

3.4. Replay Attack and Denial of Services Attack

The MS sends a request message with one SAID for key material to encrypt data. The
BS replies to the request message for the given SAID. A replay attack is possible here
because of the key sequence number: the key sequence number is part of the traffic
encryption key (TEK), with a circular buffer that ranges from 1 to 4 [1]. The attacker
can attack the TEK and collect the information needed to decrypt data traffic. To
overcome the replay attack, the length of the sequence number has to be increased, so
that enough TEK sequence numbers are generated to transmit data to long distance [1].
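
A simplified model of the wrap-around described above, added here as an illustration (it is not code from the paper or from the 802.16 standard). The `Station` class and its accept-the-next-number rule are assumptions, and the four-value sequence space is modelled as a 2-bit counter.

```python
import os


class Station:
    """Simplified MS (assumed model): a key reply is installed only if it
    carries the sequence number that follows the current one."""

    def __init__(self, seq_bits):
        self.mod = 1 << seq_bits   # size of the sequence-number space
        self.seq = None
        self.tek = None

    def expects(self, seq):
        return self.seq is None or seq == (self.seq + 1) % self.mod

    def on_key_reply(self, seq, tek):
        if not self.expects(seq):
            return False
        self.seq, self.tek = seq, tek
        return True


def replay_installs_old_tek(seq_bits, rekeys):
    """Run `rekeys` legitimate key replies, then re-send the first one.
    Returns True if the station ends up using the old TEK again."""
    ms, captured = Station(seq_bits), None
    for i in range(rekeys):
        reply = (i % ms.mod, os.urandom(16))   # constructed key material
        captured = captured or reply
        ms.on_key_reply(*reply)
    return ms.on_key_reply(*captured) and ms.tek == captured[1]


def rekeys_until_reuse(seq_bits, limit=100_000):
    """Number of rekeys after which the first recorded reply fits again."""
    ms = Station(seq_bits)
    for n in range(1, limit + 1):
        ms.on_key_reply((n - 1) % ms.mod, os.urandom(16))
        if n > 1 and ms.expects(0):
            return n
    return None
```

With two bits the first recorded reply fits again after four rekeys; widening the field to eight bits pushes that to 256, which is the effect the recommendation to lengthen the sequence number relies on.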

The authorization request message from the MS is intercepted by the attacker, who
continuously sends the message to the BS to appear as the real, authentic MS [1]. The BS
is corrupted by the replay attack and stops sending reply messages to the MS. This is
called a Denial of Services attack against the MS.

3.5. Counter Measurements and Recommendation

The authorization request message has to be modified to include a time stamp in the MS
request message, and the MS should use its private key to sign the message, to protect
the information in the request message [1]. The MS should authenticate the BS when the
authorization reply message contains a certificate and time stamp along with the key
information; the MS then identifies the authorization reply message and proceeds with
the communication. Instead of the time stamp, a nonce can be used, which works the same
way as the time stamp for authentication between MS and BS [1]. To protect the BS from
the replay attack, a preliminary authorization key has to be inserted [1]. With the
help of the preliminary authorization key, the MS and BS can derive the authorization
key. Even the attacker can derive the authorization key and information transmitted in
plain text with the same time stamp and algorithm of the MS and BS, when the preliminary
authorization key is compromised [1]. The main disadvantage of the time stamp is
synchronization of time.
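
An added sketch (not the paper's or the standard's code) of the time stamp and nonce check described above; it also carries out the compute-and-compare HMAC validation from section 2.2.1. The message layout, `MAX_SKEW`, and the use of an HMAC with a shared key in place of the MS's private-key signature are assumptions, made so the example runs with the Python standard library alone.

```python
import hashlib
import hmac
import os
import struct

MAX_SKEW = 5.0  # seconds of clock difference the BS tolerates (assumed value)


def build_auth_request(key, ms_id, now):
    """MS side: body = id | time stamp | 16-byte nonce, then a 32-byte tag."""
    body = ms_id + struct.pack(">d", now) + os.urandom(16)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class BaseStation:
    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> time stamp, kept while the window is open

    def accept(self, msg, now):
        if len(msg) < 56:
            return "malformed"
        body, tag = msg[:-32], msg[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "bad-mac"
        (ts,) = struct.unpack(">d", body[-24:-16])
        nonce = body[-16:]
        if abs(now - ts) > MAX_SKEW:
            return "stale"
        # Nonces only need remembering while their time stamp is still fresh.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = ts
        return "ok"


def demo():
    key = b"constructed-shared-key"            # constructed sample values
    bs = BaseStation(key)
    req = build_auth_request(key, bytes.fromhex("001122334455"), now=1000.0)
    tampered = req[:3] + bytes([req[3] ^ 1]) + req[4:]
    slow_clock = build_auth_request(key, b"\x00" * 6, now=900.0)
    return [
        bs.accept(req, now=1001.0),         # fresh request
        bs.accept(req, now=1002.0),         # same bytes again, inside window
        bs.accept(req, now=1060.0),         # same bytes again, after window
        bs.accept(tampered, now=1001.0),    # one bit of the MS id flipped
        bs.accept(slow_clock, now=1001.0),  # honest MS, unsynchronized clock
    ]
```

The last case is the synchronization drawback noted above: an honest MS whose clock is off by more than the window is rejected exactly like an old capture.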

4. CONCLUSION
Although the popularity of WiMAX has been increasing drastically, security threats are
still a big concern. In this paper we analyzed the security issues in WiMAX. We have
seen that the WiMAX physical layer can be attacked with the threats called jamming and
scrambling. We have also seen MAC layer threats, weaknesses and attacks on the signal,
the replay attack and the Denial of Services attack. These elements around WiMAX that
tend to break its security should be sorted out. To limit these threats we need counter
measurements and recommendations: we worked on the time stamp, an increased key sequence
length, and the insertion of a preliminary authorization key in messages and a signature
to increase security. There remain open problems for future engineers and researchers
to deal with in WiMAX security.

5. REFERENCES
[1]. Evren Eren, "WiMAX Security Architecture – Analysis and Assessment", IEEE
International Workshop on Intelligent Data Acquisition and Advanced Computing
Systems: Technology and Applications, 6-8 September 2007, Dortmund, Germany.

[2]. Mahmoud Nasreldin, Heba Aslan, Magdy El-Hennawy, Adel El-Hennawy, "WiMax
Security", 22nd International Conference on Advanced Information Networking and
Applications – Workshops.

[3]. Chin-Tser Huang, J. Morris Chang, "Responding to Security Issues on Wimax", IEEE.

[4]. Wikipedia, introduction to WiMAX, http://en.wikipedia.org/wiki/Wimax. Date of
access 02/03/2010.

[5]. Lang Wei-min, Wu Rung-shen, Wang Jian-qiu, "A Simple Key Management Scheme
Based on WiMAX", in Proc. International Symposium on Computer Science and
Computational Technology, 20-22 December 2008, Shanghai, China.

[6]. Tao Han, Ning Zhang, Kaiming Liu, Bihua Tang, Yuan'an Liu, "Analysis of Mobile
WiMAX Security: Vulnerabilities and Solutions", in Mobile Ad Hoc and Sensor Systems,
2008 (MASS 2008), 5th IEEE International Conference, Sept. 29 2008-Oct. 2 2008.

[7]. Lang Wei-min, Zhong Jing-li, Li Jian-Jun and Qi Xiang-yu, "Research on the
Authentication Scheme of WiMAX", 4th International Conference on Wireless
Communications, Networking and Mobile Computing, 2008.

[8]. http://www.eyeforwireless.com/wimax_report.pdf. Date of access 03/March/2010.
