towards secure wirelessman: revisiting and evaluating...
TRANSCRIPT
Towards Secure WirelessMAN: Revisiting and Evaluating Authentication in
WiMAX Raheel M. Hashmii, Arooj M. Siddiqui2, M. Jabeen\ K. s. Alimgeel
iPolitecnico di Milano, Milan, Italy
2,4 COMSATS Institute ofIriformation Technology, Islamabad, Pakistan 3Centre for Advanced Studies in Engineering, Islamabad, Pakistan
'[email protected], [email protected], [email protected], [email protected]
Abstract-Wireless communication is highly susceptible to security outbreaks with shear advancement in signal processing technology foUowed by immense deployment of high-speed mobile communication networks. Pitfalls in current architecture of IEEE 802.16 or Worldwide Interoperability for Microwave Access (WiMAX) have been put forth in recent literature, based on analytical reasoning and design methodologies. With identification of these vulnerabilities, some solutions have also been proposed for their rectification; however, the experimental assessment of these solutions has not been carried out in appropriate manners to justify the satisfaction of constraints. In this paper, we present a generic methodology to simulate and analyze the authentication protocols in WiMAX based on obtained results. We focus on the 1st and 2nd version of Privacy & Key Management (PKM) Protocols, which are implemented in the WiMAX architecture at present and compare their performance characteristics with another proposed solution ISNAP; which claims to eradicate most of the existing threats with introducing minimum overheads. The performance evaluation of these protocols has been carried out by simulating the behavior of BS and SS nodes in real-time wireless network using Linux based hosts. This work intends to establish the formal basis to justify the claims put forth in the specification of ISNAP against PKM vI & v2.
Kqwords-Authentication; Privacy & Key Management; Wireless Security; Authentication; Simulation; WiMAX.
I. INTRODUCTION
IEEE 802.16 is the standard for deployment of fixed wireless broadband networks and was put into practice in 2004 [1], with revisions for mobile access in 2005 [2]. At present, these network specifications are being adopted by major service providers across the globe for deployment of wireless broadband services and last-mile solutions, termed under the name World-wide Interoperability for Microwave Access (WiMAX). With rapid growth in the deployment of these nascent wireless metropolitan access methods, security risks have emerged endangering the Quality of Service (QoS) management and dependability of the wireless backhaul. Originally, WiMAX uses an authentication suite to constrain access to legitimate users, called as Privacy and Key Management (PKM) protocols [3], [4]. These protocols have two versions, namely: PKM
978-1-61284-941-6/11/$26.00 ©2011 IEEE
vi and PKM v2, used in fixed and mobile communication scenarios respectively. Several vulnerabilities have been identified in these protocols with advancement in technology and have been reported in [4], [5], [6]. PKM vi & v2 protocols use RSA-1024 bit asymmetric key encryption followed by I-way and 3-way secure handshakes, respectively [4]. Moreover, the key components used in the authentication process include the CCITI recommended X.509 version 3 digital certificates [7], [8], as hardcoded in the Subscriber Station (SS) and Base Station (BS) modules. In [3], a modified protocol titled Improved Secure Network Authentication Protocol (lSNAP) was proposed in place of PKM vi and v2, simultaneously, which claims to strengthen the authentication process and to rectify major existing threats. In this paper, we extend the approach of ISNAP and implement it, along with both the versions of PKM, to allow for verification of strength depicted in a highly vulnerable wireless enviromnent.
In order to implement these standards, we use a customized approach to simulate the scenarios as close to practical ones as possible, considering the available resources and trade-off relationships, described in the forthcoming sections. The major classes of attacks under consideration include replays, man-in-the-middle, BS masquerading, threats involving mutual authentication and pitfalls caused by synchronization failures. The statistics obtained in this experimental investigation shall be presented in terms of figures of merits, described in the sections to follow.
The rest of the literature has been organized as follows: Section II briefly reviews the models of PKM vi, PKM v2 and ISNAP. Section III presents the extension of ISNAP in reasonable detail while Section IV discusses the experimental setup and approach to be followed. Section V presents the results of the experiment along with the graphical statistics obtained. Section VI establishes comments on the trade-off relationships along with conclusions.
II. TECHNICAL BACKGROUND
Literally, authentication means the verification of an identity. In order to allow legitimate access to services provided by the broadband networks, IEEE 802.16 uses
165
variants of PKM protocols. As described in [3], PKM protocols consist of three major implementations namely: RSA-Certificate based Authentication (CBA), EAPAuthorization Key Agreement (AKA); which includes EAP-TLS/EAP-TTLS and RSA-EAP serial substantiation. The process of securing admission to the network includes the scanning of Uplink and Downlink Maps (ULIDLMaps) followed by adjustments to the Uplink and Downlink Channel Descriptors (UCDIDCD) [9]. This process is converged under the title of SS-Ranging, after which, the authentication phase arrives and is handled by the Privacy & Key Management (PKM) protocol in use.
Legitimate admission control is established by PKM protocols which basically manage the exchange of keying data between network entities along with enforcing intrusion prevention. The keying data includes information regarding the shared Authorization Key (AK) and the derived counterparts: Key Encryption Keys (KEKs) and Traffic Encryption Keys (lEKs) [6].
Cryptographic suites employed in 802.16 include the Data Encryption Standard (DES - CBC) and Advanced Encryption Standard (AES - CCM) as in [1], [2] and [9]. Along with these integrity protection methods, hashing algorithms have been introduced in PKM v2 for digital signatures as well. Now let us have a brief glance into the structure of the PKM protocols and ISNAP, which is needed to proceed with the implementation and analysis to be followed.
A. Fixed Authentication Structure (PKM vI):
The model described below is according to the specifications of IEEE 802.16 2004 Fixed Line-of-Sight (F-LOS) version and is being used by the fixed service deployments of Wi MAX [1], [3].
1. SS-BS: Mcerss 2. SS-BS: Nssl Cerssl Capbl BCID 3. BS-SS: EPublicss(AK)1 Seq. No.1 Life-timel
SAIDL
Fig. I Exchanged Messages between SS and BS in PKM vI
In Fig 1, Mcerss and Cerss are the manufacturer's X509 certificate and Certificate of SS issued by the service provider, respectively. Nss is the nonce, a 64-bit numeric token, Capb is a bit-combination identifier of SS security capabilities and BCID is the identifier obtained by the SS during admission initiation request. AK being communicated by BS has been encrypted using the public key of SS and Life-time is the bit-sequence limiting the exhaustion of the AK. It is the responsibility of SS to reinitiate the authentication cycle before the AK expires. Detailed description of working of PKM vI has been provided in [3], [4] and [6].
The identified classes of attacks associated on PKM vI include replays, impersonation, water-torture class; ultimately leading to denial of service (DoS) caused by flooding and session stealing. The detailed classification of these attacks can be found in [5]. In [10], a more general and formal view regarding replay and impersonation attacks has been presented as well. Security
issues in PKM vI are explored in detail in [14] with special reference to the model presented in Fig 1, also considering the issues of inter BS key exchange and vulnerabilities in the existing architecture.
B. Mobile Authentication Structure (PKM v2):
The structure of PKM v2 was an extension of PKM vI for use in mobile broadband networks with introduction of a 3-way handshake between SS and the serving BS [2], [3]. In Fig 2, an outline of the structural model has been provided. In addition to the components described in previous section, PKM v2 contains interchanging nonce tokens which help in linking corresponding messages. Along with that, additional steps to counter message integrity were inducted in terms of digital signatures (DS), generated in junction with Secure Hash Algorithm [11].
1. SS-BS: Mcerss 2. SS-BS: Nss-II Cerssl Capbl BCID 3. BS-SS: Nss-II NBS-II EPublicss(AK;SSID)1 Seq.
No.1 Life-timel SAIDLI AAIDI CerBsl DSBS 4. SS-BS: NBS-II MACssl EAK(NBS-II MACss)
Fig. 2 Exchanged Messages between SS and BS in PKM v2
In [3] and [4], PKM v2 has been deeply analyzed and censured with the point of view of possible intrusion aspects. Moreover, in [5], a comprehensive comparative analysis of PKM v2 has been performed with PKM v2,
depicting their 'computational overhead to introduced immunity' relationship. According to the prescriptions stated in [3], [4] endorsed with the findings in [5], [10] and [12], the PKM v2 countered the threats regarding mutual authentication, clone impersonation and to a partial extent, replays; however, other issues still remain to be taken care of. Attacks like suppress replay described in [5] and [13], session interleaving, DoS and attempts involving illegitimate flooding to exhaust remote network capabilities still could be performed using reasonable computational sources.
C. Proposed Counter-measures
The active research community has been analyzing the posed threats to these models in practice and developed some recommendations focusing different aspects. In [4], timestamps have been introduced which are embedded in each message along with nonce, set to expire a message after a pre-set amount of time, thus helping to prevent replays. In [5], this solution has been analyzed in terms of overhead needed to store timestamps at SS and BS for comparative verifications. The proposed solution is useful; however, it introduces significant memory complexity, implying constraints of application in low level devices. In [14], the introduction of timestamps in PKM vI instead of nonce is proposed. This issue significantly solves the replay issues but unfortunately, is unable to exclude the session interleaving and man-in-the-middle approaches.
Another approach involving third party mutual authentication is put forth in recent research regarding
166
attacks based on mutual authentication in [15]. This method is based on induction of an independent component in the architecture termed as 'Intrusion Detection System' or IDS. The major focus of this approach involves catering the DoS caused by SYN Flooding in the TCP/IP environment. An analogous approach to this has been proposed in [16] by use of EAPTLS/TTLS wrapped over the PKM version; thus, countering flooding and performance degradation attacks. However, these types of vulnerabilities are of later concerns and are termed under the class of secondary attacks. These attacks are possible once the attacker has acquired sufficient connectivity in the network, which can be prevented by improving the authentication phase of the control process.
Presence of a masquerading BS has been covered in the solution discussed in [17], termed under the class of attack as 'Rogue-Base station Threat'. However, in PKM v2, this issue has been taken care of by employing mutual authentication and digital signature suffixes. The solutions involving timestamps seem to be practical with one aspect; however, a major issue in the implementation of such solutions is the synchronization of the networks. In 802.16, DL-Bursts contain training sequences for regular adjustments of entity clocks, yet, the short duration of authentication cycle suggest that dependability on timestamps alone, is not a reliable measure. In [18], formal mathematical justifications suggest that even in presence of close time synchronization, the errors in system clocks can lead to break points in security. In 802.16e the synchronization facility is implemented using IEEE 1588 Precision Timing Protocol (PTP) which can cause decline of service to mobile users while handoffs because of timestamp invalidation as strict synchronization is not available between the BS's due to master-slave clock swings [19], [20]. Thus, comparing time stamps with their previous versions is not a very fruitful measure to counter replays as it needs timestamp table management and computing comparisons. Especially in wireless networks, multi path fading introduces random time delays depending upon the geographical placement of the deployment region. Thus this approach needs to be extended for a more practical usage.
D. Improved Secure Network Authentication Protocol:
Improved Secure Network Authentication Protocol (lSNAP) is a protocol which was proposed in [3] as a single solution to be installed in both fixed and mobile broadband wireless networks. This model rectifies several major classes of attacks with significantly low overheads and amendments required to the existing system.
1. S8--+BS:Tss-11 Nss-I I Mcerss 2. S8--+BS: TSS-21 Nss-21 Cerss I Capb I BCID I DSss 3. �SS: TBS-I I Nss-� NBS-II EPubliCss(AK, SSID)I
Seq. No. 1 Life time I SAIDL I AAID I CerBS I DSBS 4. S8--+BS: Tss-31 EAK(NBs-h MACss)
Fig. 3 Exchanged Message Structure in ISNAP
Operational model of ISNAP is presented in Fig 3. In this model, timestamps have been implemented in conjunction with nonce, but in a different operational aspect, which will follow in next section. Some reductions in step 4 have also been made instead of the components in PKM v2, which momentously decreases information leakage in case of intrusion attempt or message capture. This model claims to solve the issues regarding replays, suppress replays, identity thefts, impersonating BS threats, water torture class, DoS and session interleaving, considering the interpretation of these attack classes as described in [5], [10] and [13].
III. OPERATIONAL EXTENSION OF ISNAP
As described p-eviously, ISNAP is based on a combinatorial placement of timestamps and nonce, but in a different operational aspect. Now we describe the p-oposed implementation structure of ISNAP in terms of minor modular details. From now onwards, we assign some p-imitives based on the messages shown in Fig 3.
a) SS-BS: Message I � INIT b) SS-BS: Message 2 � A UTH _ REQ c) BS-SS: Message 3 � A UTH _ REP
d) SS-BS: Message4�AUTH_ACK
These primitives are termed as initialization message (lNIT), authorization request (AUlH_REQ), authorization reply (AUlH_REP) and authorization acknowledgment (AUlH_ACK). The working of ISNAP is based on 3-way handshake: equipment certification followed by mutual authenticatioo of challenge-participating entities.
A. Timestamp validation:
In [3], it is described that timestamp validation in ISNAP is carried out by calculation of propagation delay of subsequent messages. Propagation time of lNIT and AUTH_ACK is calculated and is verified by molding into a post-procedural relationship as:
(1)
(2)
where (1) is in ideal circumstances and (2) follows for practical purposes. In (2), the random variable 1 denotes the window of acceptance and has units of time. y is the absolute mean delay which may occur between the two authentication signals because of geographic and physical channel characteristics.
B. The parameter 'r ':
The outcome of 1 can be determined experimentally based on the environment and surroundings of the BS. There is a tradeoff between security and failure of authentication for the legitimate users based on 1. If the value of 1 is set to large as compared to the maximum trip time, the probability of interleaving attacks will increase. However, as it approaches to zero, the probability of failure of trip time validation increases. Therefore, a
167
balance has to be maintained between the required accessgrant strictness and the relaxation of value of1.
The value ofr can be estimated by using the statistics from test data obtained experimentally by calculating the propagation delays which can be substituted for the true mean /1 associated with population of authentication attempts. Assuming that )'b )'2 •••. )'n - N{J1., cil), the error in using the estimated value r in place of /1 can generate the error which can be bounded by the following expression in (3)
( Y- fL ) P -E < (INn < E = 95% (3)
where /1 and 0' are known, on' is the total number of tests and confidence interval value is set to 95% [26]; hence, we have:
2ip(E) - 1 = 95% (4)
where qI-l(X) can be used as inverse probability function to extract the quantile of error estimate from (4). Thus we get the error bound for choosing y as the value of random variable y instead of the true mean /1, with a reliability of 95%. ModifYing (3) as below, we can also assume that the true value of lies in the interval (T" T2) having 95% reliance:
P (T1 < 11 < T2) = 95% (5)
T1 = Y - (Z(1+0.9Sh) (�)) (6)
T2 = Y + (Z(1+0.9Sh) (:n) ) (7)
where 6 and 7 provide the upper and lower bounds on the value estimation and Z denotes the quantiles of Standard Normal distribution [22]. It must be noted that in our case, E is two-sided ad the deviation can be positive or negative.
C. Window of Acceptance:
Conventional methods to timestamp validation involve maintenance of timestamp tables and verification of incoming timestamps by comparison with the existing table for duplication existence. This implementation only checks for forward replays and is also prone to synchronization errors as discussed in previous section and in [18], [19] and [20]. ISNAP wipes out the need of a time stamp table by altering the timestamp validation procedure where validation of a timestamp is based on the statistics calculated from the same authentication cycle to which it belongs. Thus reducing the need to store previous versions of time stamps and reduce memory complexity. Moreover, the computational complexity is also decreased as instead of performing the chain of comparisons on the table, the validation is carried out using the window of acceptance. Whenever a new message is received, the timestamp field is fetched and compared against the system clock's present time as:
(TpRESENT - 0'8) � TRCV � (TpRESENT + 0'8) (8)
where T Rev is the incoming timestamp, (J is the scaling factor which can be adjusted with a real domain of (0,2] and e is the minimum time required by a SS for line of sight communication standing at the edge of the BS footprint. The value of e is dependent on cell radius and transmitting tower height, and therefore, can vary based on network characteristics.
This enhancement not only removes the storage overhead involved in timestamp dependent systems but also greatly reduces the computational time required for timestamp validation, which makes it favorable for implementation in high speed mobile communication networks. Moreover, the dependence on the system clock instead of foreign entity clocks limits the synchronization errors to a very low likelihood of occurrence.
D. Re-synchronization &heme:
The BS, at all times, keeps broadcasting uplink map (UL-MAP) and downlink map (DL-MAP) messages for facilitation of the operating nodes. These messages are management messages which contain frame structures, synchronization parameters, channel descriptors and burst profiles [21]. These are readily available to any SS in the network which scans on the preset frequency bands [22].
In ISNAP, after INIT and AU1H_ACK, when the BS calculates the trip time, the SS goes in waiting mode and is idle until a reply from BS arrives. This interval is used to scan for the DL-MAP messages from the BS to resynchronize the SS's system clock with the network. This resynchronization is incorporated to remove the apprehension of losing the system clock's synchronization, thus rendering the trip time validation to fail. This must be taken care of as it is clearly stated in [18] that the fault may occur in the system clocks and security cannot be independently based on timestamps due to the probability of loss of synchronization. This step removes this limitation and timestamps are incorporated for security confidently.
IV. SIMULATION STRUCTURE & SCENARIOS
The existing authentication protocols PKM vi, PKM v2 and the one under consideration, "ISNAP", have been simulated using C++ class based modules. As a patching interface, UNIX Sockets API has been utilized for communicating over the system transport layer. The simulation environment for creating this abstraction of protocols is Linux. The system design involves one or more hosts executing in the network as SS whereas one node acts as BS. The system design involves the use of extended object libraries which needed to be integrated into Linux. These libraries provide services for RSA key generation and encryption, Triple DES payload encryption, generation of variable-lifetime keys like AK and TEKs, and service APIs to provide a medium over which the system can articulate to the lower layers and fetch useful information from them like MAC address, Transport header fields etc. The primitives to call the services are available in OpenSSL library and can be
168
invoked using the shell. In this scrupulous experiment, RSA encryption is not particularly used which reduces the computational complexity and system realization in view.
Fig 4 shows the system diagram of the software modules which are used for simulating system behavior. The design has been laid down in close similarity with the defined protocols discussed in Section II. Along with the trivial modules, there are interface classes 1RX Object and Application which help to put together the functionalities of other objects. Also, as shown in Fig 4, there is a logging object which logs the results of the evaluations in terms of attack success of failures.
The BS and SS modules instantiate the required objects from a central resource allocator file, whose structure is presented in Fig 4. Authentication attempts executed are processed and recorded for statistical processing and evaluation to generate results. The implementation of the trip time validation phase is made in parallel which clearly suggests that concurrent execution of this part in context to the regular one will not cause additional delays in the cycle.
The two step resynchronization does not pose the overhead of any additional computational time or equipment. As the SS goes in wait-mode after sending INIT and AUTH_ACK to the BS until a reply has been received, this waiting interval can be utilized for synchronization of the SS system clock by using the downlink map messages which are continuously broadcasted by the serving BS. However, relative to the high number of cycles executing in the authentication engine, the wait-mode is very minute compared to the round trip time (RTT) of SS's communication with the BS.
A. Evaluation Scheme:
As discussed in Section IV, the SS, both with legitimate and intrusion cycles, along with BS modules, are independently set to execute on different hosts. The SS's generate authentication requests which are processed by the BS resulting in access grant or denial. As the BS processes these requests, the logging object records the evaluations of threats which are later on analyzed based on mathematical terms defined below.
In order to evaluate the strength of the protocols under test, we define some Bayesian measures that can provide an insight about the resilience of intrusion activity. These terms are:
a) False Positive Rate (a): The level of intrusion requests against which access to system is granted
b) False Negative Rate (fl): The level of legitimate requests with denied access to the system.
Considering a pessimistic model, we intend to study the system aspects (l and /3 which are intended to be minimized in real-time environments. Mathematically, these terms are defined as:
a = LiP(Xi=:rue/I) ; N * 0 (9) where X is a random variable governing the grant of access against a request, I is the event when the request is from an illegitimate SS and N is the total number of initiated requests during the simulation course. In a similar way, /3 is defined as:
p = LIP(XI=faLse/-/) ; N * 0 (10) N From the relationship of /3, it may be noticed that in an
optimistic environment, with absence of intrusion activity, a result even may be achieved as optimistic as:
•• �IP(XI=faLse/-I) ) _ 0 ImN .... oo \- N - (11)
which is intended to be achieved, but is constrained due the existence of packet drops and lost authentication requests, which remain unprocessed due to peak loads or physical limitations, resulting in QoS transients. We must consider this important factor while establishing our figures of merit. Dropped throughput or X can be defined as:
(L�l LsS(1) RGEN)- a:1=1 RpRO) X =
(L�lLSS(I)RGEN) (12)
where RoEN is the request generated by a particular SS and RpRO is the request processed by the serving BS.
V. PERFORMANCE ANAL YSIS & RESULTS
In this section, results have been presented to demonstrate the comparison of PKM vI and PKM v2
with ISNAP on the basis of their resilience against the vulnerabilities to which they are exposed.
A. Elimination of Water-torture & DoS:
The occurrence of attempts to drain out the system's computational resources and thus, leading to DoS attack, is removed by the sentinel timestamp placed in the INIT message. This also removes the likelihood of presence of any half-opened security associations.
169
� ...... ,----- ,----- -Lin ux RSA Obje ct • INIT. TRX Object , «Patch Library. - MCerSS ....
- TSS1 + AssernbleULFrameO
+ generateRSAO - NSS1
� + AssernbleDLFrameO 1 -
+ fetchExpO -TimestampO + SendULFrameO
+ fetchModO -NonceGenerateO p
+ SendDLFrameO
+ EncryptO + InitializeCERTO + RecvULFrameO
+ DecryptO + GetParamO + RecvDLFrameO
+ KeyLookupO
C I 0 N
7- «AUTH_REQ. l- N T - CAPB
- BCID Transient Detect Object N E
- DSss - GammaFactor E R - CERss - DegreeOfFreedom C M
,II - TSS2 + InitParam() - NSS2 + UpdateParamO T E S
«CERT. - Ti mestamp 0 + ValidateTSO I D T
-Version - - NonceGenerateO + ResetO
-SerialNo + InitializeCERTO + SetGammaO 0 I D -SignType + InfLoadO + SetDOFO N A -lssuerAU -
+ SigGenerateO
-ValidF !\ T T -ValidT S E R - Subject 0 X -AlgoPKI
- ModulusPU ....
«AUTH_REPL Y. \ C L ---ExponentPU - SeqNo Application
I� K E H -x509Constraint - SAlOL -Signature -MID E G A
- CERbs + StartO , + SigGenerateO
- DSbs + StopO T A R + KeyG en erateO
- TBS1 + ResetSheliO S C D + GetParamO - - NSS2 + OverloadSheliO + SetParam()
- NBS1 Y W
- Lifetime 11\ 11\ I A - AK N S R - SSID
.... T E E --
-----f 1'-7 - Ti mestamp 0 Log File Object E R - NonceUpdateO
- SigGenerateO R V + AKUpdateO F I + CredentialSSO A C DES3 Crytography Object + InitializeCERTO
«Patch Library. + GetParamO C E + SetParam()
Linux Transport Interface E S + generateAKO
+ SS_ADDR: sock_addUn + EncryptStream()
+ ConSocket: streamllF J NET + DecryptStream()
«AUTH_ACK. + DataSocket: streamllF _INET + SeedModeO ...- - MACss + ConnectREQ()
I -TSS3 + SocklnitO .... -NBS1 + StartADDRO ,
- Ti mestamp 0 + SockBindO
- NonceGenerateO + TransMSGO
-GetMACO + RecvMSGO
+ GetParamO + DSConnectREQO '--- '----
Fig. 4 UML diagram demonstrating the design of the system and linkages between modular objects. The BS and SS nodes use these objects for their concrete implementation and operation.
170
100%
90%
� 80% VI
70% OJ ::l .,.
60% OJ a: c 0 'il 40% OJ c
30% c 0 u 20%
10%
0%
a � X
• PKM v1 • PKM v2 .ISNAP
Fig. 5 Results of water-torture attack
Fig 5 shows the results of water-torture on the three protocols. In Fig 5, the value of (l for ISNAP is negligible as compared to PKM vI and PKM v2. Theoretically, it should be equivalent to zero, however, because of the tolerance variable like (j and 'Y, the effect of intrusion is present, which is quite practical. Nevertheless, this effect is insignificant and can be countered by tuning the tolerance parameters of the system to their optimum values.
100%
90%
80% r--� 70% ., r--:J tT 60% ., r--a:
50% c F-0 fi 40% I::--., c 30% 0 F-u
20%
10%
0%
I:-- hi F- -
.J • 'J ---
a x
• PKM v1 • PKM v2 .ISNAP
Fig. 6 Result of Denial of Service (DoS) caused by flooding of nodes
In Fig 6, the DoS risk for ISNAP is present due to existence of cause and effect relationship between watertorture attack and the DoS attack. Thus tuning the system to counteract against water-torture, eventually, resolves the DoS threat automatically. If the timestamp validation is kept strictly sensitive to possible signal deviations, the effect of DoS can be countered. But this is not recommended as it will constrict the window of acceptance causing service degradation with increase in values of�.
B. Exclusion of Replays & Suppress Replays:
The hybrid approach averts the replay of messages and the resynchronizations manage the suppress replay attacks.
171
In Fig 7 and Fig 8, respectively, the performance of protocols against replay and suppress replay attacks has been shown.
100%
90%
� 80%
., 70% :J .,. 60% OJ
a: c 50% 0 'il 40% OJ c
30% c 0 u 20%
10%
0%
• PKM v1 • PKM v2 .ISNAP
Fig. 7 Results of forward replay attacks employing TS tampering
The resynchronization prevents the system clocks to accommodate any attempts of suppressed replay and the individual timestamps set the message to expire rendering it unusable. In comparison to replay attacks, suppress replay attacks are difficult to prevent. The reason is that strong synchronization support must be embedded in the systems to cover the delayed message reuse. In PKM v2,
the resilience to replay is due to addition of nonce linkages, which partially cover the class of replay attacks. However, ISNAP manages to counter suppress replay better as seen in Fig 8 below.
C. Prevention of Interleaving Attack on PKM v2:
Interleaving attack is contained due to the presence of timestamps in case the nonce is predicted; timestamps set the message to expire. Furthermore, the step of trip time validation counters any interleaving activity which is intended to occur during the authentication cycle.
100%
90%
VI 80% 1;;
70% OJ :J .,.
60% OJ a: c 50% 0 tl 40% OJ c
30% c 0 u 20%
10%
0%
• PKM v1 • PKM v2 .ISNAP
Fig. 8 Results of suppresslbackward replay attack
60%
50% '" 0. E 40% � ;:c
30% OJ :> IV OJ
;: 20% � c
10%
0%
a � X
• PKMv2 .ISNAP
Fig. 9 Results of session interleaving success levels
In Fig 9, the level of interleaving threat in PKM v2 is decreased due to the nonce linking available. However, in ISNAP, the timing window significantly decreases the success rate for an interleaver to inject itself between the entities without rendering the connection process delayed enough to be detected. The possibility of the attack has been covered up by using the hybrid approach and the trip time validation scenario in ISNAP significantly.
D. Scale Factor & Acceptance Window:
In eq. (8), the tuning variable C1 governs the level of (l
based on its scaling value and is useful to be analyzed by plotting (l as a function of C1 over the whole range (0,2]. Fig 10 shows the plot.
It can be noted that the lesser the deviation of TRev is from the product ae in (8), the superior is the performance and lesser chances of intrusion successes. Therefore, choosing the mean-value for trip-time delay and tuning C1
can result in significantly accurate evaluations.
� OJ "' cr: OJ
� is Q. OJ '"
I'ii LL.
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%
1= f-'� '�I-R-F'-I- t-F �1= 1= f-'l-i-'-F!= I=:�F-1= 1=1= I-I-F 1- 1== - F l-1,,- j::.:1-i-
I=b,,-1=1'-'--l= 1= 1-1-F' I-F f=: 1= 1= I=-1= �
f-1-1-' I- j- j- t- j-I- I--:-f- � f--- 1-::·+--
_ _ 1=1-1= l-
J::t- +-- --F 1- 1= -
I-t::-: I-t-c i:- != I- 1= ---l-1=1= I=r== F- - F-t-:- l= F-t- .1-:
� �� I-
,� i1'N-1 � 1 111=1 � m � � � � m � � � o 0 ci ci ci � � � � �
Window Scale Factor (0)
Fig. 10 FPR as a function of Window Scaling Factor (0)
E. Inrusion Activity & RTT:
In Fig 11 below, a plot is presented for the achieved upper bound of (l based on the chosen distance of operation of a SS from the BS. The level of (l is monitored against the values of Round Trip Time (RTT) which is highly concentric around the cell radius in use by the BS.
18%
16%
OJ 14% 10
cr: 12% �
OJ u 10% u :J III
8% � OJ "'"
6% u l!l
4% ;:c
= 1= .,., I=::=--== I==- � �
1-= I--I� .... �- �
l- -V 1;= - I-- =
Jf!'- j-- ! -'::::: I-- -c-- - � -l--�� � � l-I-- =
�� b= == =
I=- = =
2%
0% -= -
15 17 19 21 23 25 27 29 30
(min) (max) RTI(mSec)
Fig. II Attacker Success as a function of Round Trip Time (RTT)
The plot suggests that the level of ease to launch an attack and gain success for an attacker is directly proportional to the SS's distance from the BS. The worst case can be taken as a SS operating on the outer edge of the BS footprint. However, as seen in the plot, even in the worst case, the upper bound is approximately 16% and is not very favorable in practical situations based on two reasons. Firstly, in case of a mobile user, the RTT keeps changing unpredictably and results against the attacker's success. Secondly, even considering the fixed user, in real environments, the cell radius is not as wide as 5 KMs in high density regions, which has been used to generate the result in the plot.
F Counteraction of MAC ID Theft:
It can be noted that the AUTH_ACK message has been modified and only the encrypted components are included in ISNAP as shown in the protocol model in this paper. The unencrypted counterparts, as in PKM v2, have been removed to ensure increased privacy and reduction of transmission overhead. In case of any step evaluating to be negati ve, the whol e process is aborted and the corresponding messages are discarded. Therefore, the process has to be reinitialized and carried out again. In case of any ambiguity in the authentication process, ISNAP favors the benefit of doubt to the network's security.
The counteraction of the MAC identity theft has been done by excluding the unencrypted MAC ID of the SSs in the handshake process. Whenever, if required, the MAC identity is to be transmitted, it is transmitted by encrypting it using the authorization key.
G. Computation and Temporal Complexity:
In [5], the complexity analysis has been presented for ISNAP against PKMvI, PKM v2 and some major proposed models. Significant reductions in temporal and spatial complexity have been observed in ISNAP as the computational model has been modified in temlS of conditional verification rather than comparative storage tables, as explained in Section III. It is worthy to note in the results of [5] that considering the usual tradeoff in temporal and computational power, which has an inverse relationship, both of the merits have been improved and the overall load has been reduced. The reason for this,
172
seemingly eccentric result, is that the way to approach the problem has been modified instead of modifying the existing solutions. Removing the timestamp tables and comparative significance testing technique and replacing it with conditional hypothesis statistics improves the overall process and reduces the associated costs [5].
VI. CONCLUSIONS
The results obtained after the simulation clearly suggests that the performance of ISNAP justifies the claims put forth in its proposal. The experimental setup used in our analysis has been kept as close to practical implementations as possible to achieve most realistic statistics. We come across the fact that major classes of threats in PKM protocols have been neutralized by use of ISNAP.
The increase in deployments of broadband networks across the globe, suggests that security issues in the existing architecture, sooner or later, will cause obstacle in service provisioning and should be catered as soon as possible. ISNAP could serve as a possible move towards this vision. Like always, a cost and benefit relationship is maintained in various cycles of ISNAP and they should be managed according to the level of secure access needed. As it is worth revising, that security means making it difficult to overrun penmssIOns, not impossible; because perfect security is nonexistent.
REFERENCES
[1] IEEE Computer Society and the IEEE Microwave Theory and Techniques Society, S02.16TM IEEE Standard for local and metropolitan area networks," Part 16: Air Interface for Fixed Broadband Wireless Access Systems", June 2004.
[2] IEEE Std. S02.16eIDI2, "IEEE Standard for Local and Metropolitan Area Networks, part 16: Air Interface for Fixed and Mobile Broadband Wireless Access Systems", IEEE Press, 2005.
[3] Raheel M. Hashmi, Arooj M. Siddiqui, M. Jabeen, K. Shehzad, A Zubair, K. S. Alimgeer, "Improved Secure Network Authentication Protocol (ISNAP) for IEEE S02.16", Proceedings of IEEE 3rd International Conference on Information and Communication Technologies, pp. , August 2009.
[4] Ayesha Altar, M. Younus Javed, Attiq Aluned, "Security Enhancements for Privacy and Key Management Protocol in IEEE S02.16e-2005", Proceedings of the 9th ACIS International Conference on software Engineering, Artificial Intelligence, Networldng and ParallellDistributed Computing, pp. 335-339,200S.
[5] Raheel M. Hashmi, Arooj M. Siddiqui, M. Jabeen, K. S. Alimgeer, S. A Khan, "Computational Complexities and Breaches in Authentication Frameworks of Broadband Wireless Access (BW A)", International Journal of Computer Science and Information Security (IJCSIS), Vol. 4 -1, pp. 126 - 130, USA, September 2009.
[6] Sen Xu, Chin-Tser Huang, "Attacks on PKM Protocols of IEEE S02.16 and Its Later Versions", Computer Science and Engineering Department, University of South Carolina, Columbia, September, 2006.
[7] Mary R. Thompson, Abdelilah Essiari, Srilekba Mudumbai, " Certificate based Authorization Policy in a PKI based Environment", ACM Transactions on Information and System
173
Security, Vol 6 - 4, pp. 566 - 5SS, Berkley, CA, USA, November 2003.
[S] International Telecommunication Union, "Series X: Data Communication Networks: Directory - X 509", CCITT Recommendation X509, Blue Book, Fascicle VIII.S, 19S5.
[9] Michel Barbeau, "WiMax/S02.16 Threat Analysis", School of Computer Science Carleton University, Ontario, Canada, October, 2005
[10] Gavin Lowe, "A family of Attacks upon Authentication Protocols", Department of Mathematics and Computer Science, University of Leicester, January, 1997.
[11] A Altaf, M. Younas Javed, S. Naseer, Aisha Latif, "Performance Analysis of Secured Privacy and Key Management Protocol in IEEE S02.16e-2005", International Journal of Digital Content Technology and its Applications (JDCTA), Vol 3 - 1, Korea, March, 2009.
[12] Mahmoud Nasreldin, Heba AsIan, Magdy El-Hennawy, Adel ElHennaey, "WiMAX Security", Proceedings of the 22nd International Conference on Advanced Information Networking and Applications, pp. 1335-1340,200S.
[13] William Stalling, "Cryptography and Network Security: Principles and Practices", 3rd Edition, Pearson Education Prentice Hall PTR, 2003.
[14] S. Xu, M. Matthews, and C.-T. Huang, "Security Issues in Privacy and Key Management Protocols of IEEE S02.16", Proceedings of the 44th ACM Southeast Conference (ACMSE 2006), March 2006.
[15] Abdelrahman Elleithy, Alaa Abuzaghleh, Abdelshakour Abuzneid, "A new mechanism to solve IEEE S02.16 Authentication vulnerabilities", Computer Science and Engineering Department, University of Bridgeport, Bridgeport, USA, 200S.
[16] M. A Catur Bhakti, A Abdullah, L. T. Jung, "EAP-based Authentication with EAP Method Selection Mechanism: Simulation Design", The 5th Student Conference on Research and Development, Malaysia, December, 2007.
[17] Michel Barbeau, "Rogue-Base Station Detection in WiMAX/S02.16 Wireless Access Networks", School of Computer Science, Carleton University, Ottawa, Canada, 2005.
[IS] Li Gong, "A Security Risk of depending on Synchronized Clocks", ORA Corporation and Cornell University, USA, September, 1991.
[19] Application Brief, "Timings and Synchronization in WiMAX Networks", NGN Series, Symmetricon Inc., California, USA, October 2006.
[20] Hao Zhou, Arnaresh V. Malipati� Yih-Fang Huang, "Synchronization issues in OFDM Systems", IEEE Circuits & Systems, APCCAS, pp. 9SS - 991, Singapore, December 2006.
[21] Yhang Xiao, "WiMAXIMobile-Fi: Advanced Research and Technology", Auerbach Publications, USA, 200S.
[22] Sanida Omerovic, "A Journal on WiMAX Overview", Faculty of Electrical Engineering, University of Ljubljana, 2005.
[23] Frank Chee-Da Tsai, Jenhui Chen, Chiang-Wei Chang, Wei-Jen Lien, Chih-Hsin Hung, Jui-Hsiang Swn, "The Design and Implementation of Wi MAX Module for ns-2 Simulator", Network and Multimedia Institute, Institute of Information Industry, Department of Computer Science and Information Engineering, Cbang Gung University, Kweishan, Taoyuan, Taiwan, R.O.C
[24] Juliana Freitag, Nelson L. S. da Fonseca, "Wimax Module for the NS-2 Simulator", Proceedings of 18th Annual IEEE International Symposiwn on Personal, Indoor and Mobile Radio Communications, PIMRC'07, 2007.
[25] Laurent Paquereau , Bjarne E. Helvik, "A module-based wireless node for NS-2", Proceeding of the 2006 ACM Workshop on NS-2: the IP network simulator, Pisa, Italy, 2006.
[26] Sheldon M. Ross, "Introduction to Probability & Statistics for Engineers & Scientists", Chapter 7: Parameter Estimation, University of California, Berkley, USA, 2004