Re: [STDS-802-16] Fw: [STDS-802-16] [Security] Cleaning up 802.16e security
Maintenance of the PAR-required backwards compatibility is something
that we should all agree on I think.
Chulsik is making an additional point here: he mentions "maximizing the
reusability" of PKMv1, and he feels that concurrently supporting
distinctive v1 and v2 is "too much [of a] burden". And hence that v2
should ideally be a "superset" of v1.
Consequently, Chulsik says, he received a revised key hierarchy proposal
from DJ which includes HMAC and an "EAP-only mode" (though the
authorization policy bits in the current draft seem to support
"EAP-only" already). This makes "basic" PKMv2 closer to a superset of
v1. The other functions (eg. AES/OMAC-based derivation) would apparently
be negotiated options.
I agree with this approach, but have reservations about adding a lot of
optional functionality. I'd prefer to mandate the new features that we
must have (AES key wrap is probably one of them); and if there are
things that we can live without, then let's try to live without them
altogether.
Chulsik's point about a mode for AES other than CCM is interesting, and
I'll leave it for DJ to address. An advantage of CCM is that counter
mode requires neither random Initialization Vectors nor feedback steps.
- Jeff
Yigal wrote:
>[Àüüȸ½Å] [STDS-802-16] Cleaning up 802.16e securityHi Philip, Chulsik,
>
>I fully support Chulsik.
>I believe that what Chulsik is trying to say is that we expect a mobile
>subscriber to be able to communicate with a fixed BS, and we expect a fixed
>BS to handle mobile subscribers. It is a very simple concept, and very
>important from deployment point of view (this is also the main point that
>distinguishes our group from 802.20).
>
>BR,
>Yigal Leiba
>
>
> -----Original Message-----
> From: owner-stds-802-16@listserv.ieee.org
>[mailto:owner-stds-802-16@listserv.ieee.org]On Behalf Of Phillip Barber
> Sent: Thursday, July 22, 2004 7:08 AM
> To: STDS-802-16@listserv.ieee.org
> Subject: [STDS-802-16] Fw: [STDS-802-16] [Security] Cleaning up 802.16e
>security
>
>
> Chulsook,
>
> I must disagree with your definition of 'backwards compatability'. Maybe
>it is an issue of language.
>
> It is not necessary that all features adopted in 16e be backwards
>compatable to fixed, only that functions and features that replace or add-on
>to existing fixed methods maintain a mode of operation that is completely
>backwards campatable. New features or functions need not be represented in
>fixed mode at all--after all, that is the function of an Amendment PAR TG,
>to add new material and/or amend existing material in an existing standards
>document. New features like mobility, sleep, and idle mode are examples of
>new features that are not previously represented in the fixed document and
>have no basis for compatability. Security is an example of a
>function/feature that is existant in the fixed document, so in 16e we are
>required to maintain a mode of operation exactly the same as in the fixed
>document, and we cannot alter the existing security messaging structure in
>such a way that it is not compatable with the fixed document. Other than
>that, we are certainly free to add any new security feature, be it PKMv2 or
>UltimateSecurityMethodvN.
>
> After due deliberation, we find it necessary and prudent to provide
>methods of higher security operation for mobile environment with its higher
>requirements. We are fortunate that the state-of-the-art in security
>continues to evolve and provide us tools to enhance, and continue to enhance
>in the future, our security methods. The new security methods were
>considered by a dedicated group over substantial time prior to arriving at
>the agreed solutions. Keying size, key components, keying method, all of
>these were considered and appropriate decisions made based on that available
>state-of-the-art. You make no compelling new argument as to why employing
>the previous key structure into PKMv2 would decrease complexity while
>supporting similar security assurance.
>
> The previous method for RSA-DES is completely unchanged. That is all the
>backwards compatability we need.
>
> Thanks,
> Phil
>
> ----- Original Message -----
> From: À±Ã¶½Ä
> To: STDS-802-16@listserv.ieee.org
> Sent: Wednesday, July 21, 2004 9:12 PM
> Subject: [STDS-802-16] [Àüüȸ½Å] [STDS-802-16] Cleaning up 802.16e
>security
>
>
> Hi, DJ and all.
>
>
>
> I would like to comment on the approaches of PKMv2 to upgrade the
>current PKMv1.
>
> In my opinion, when we upgrade or revise the currently fixed
>specifications, we shall provide the backward compatibility to the older
>one. Even in the case of backward compatibility cannot be fully supported,
>we should clearly resolve the known problems in the current specification by
>maximizing the reusability of the current one. But, the PKMv2 overlooked
>these issues.
>
> Currently proposed PKMv2 is a new and separate PKM protocol with PKMv1.
>The Key hierarchy (C802.16e-188r2) is different with that of PKMv1 (It is
>more systematically designed and conceptually better than the older one, but
>it is not compatible with that). The Key lengths are different and the input
>parameters are different, even if to the same algorithms:
>
> - PKMv1 AK = 160 bits, PKMv2 AK = 128 bits;
> - PKMv1 & PKMv2 HMAC Key Derivation Function is different, even
>though the SHA-1 algorithm is used to both, and its key length (160 vs. 128)
>and input parameters too.
>
> And the PKMv2 uses the newly defined AES_Key_Wrap for transferring keys
>as mandatory feature for PKMv2 (In session #32, the AES_Key_Wrap was
>accepted already. But, I hope it will to be modified to include the older
>key transferring mechanisms).
>
> Anyway, we can say the current PKMv2 (and its key hierarchy (188r2)) is
>not backward compatible with PKMv1. And it is not fully supported one of the
>most important goals and requirements of the PKMv2 - "It should be backward
>compatible with the existing PKMv1." (See Ad Hoc documents: Jeff Mandin,
>"PKMv2 - Goals and Requirements"; David Johnston, "A New PKM for 802.16")
>
>
> As you know, TGe PAR (IEEE 802.16-02/48r4, approved in 2002-12-11, and
>the only valid one) state that the following two types of interoperability
>(or backward compatibility) should be supported: "Subscriber stations
>specified herein, within stationary, shall interoperate with base stations
>in IEEE Std 802.16a. Base stations specified herein shall interoperate with
>stationary subscriber stations specified in IEEE Std 802.16a." The exact
>meaning of IEEE Std 802.16a should be interpreted as IEEE Std 802.16-2004.
>
> On the basis of that PAR statement, the TGe-based MSS, when stationary,
>shall be interoperable with the TGd-based BSs (supporting PKMv1 only), but
>the PKMv2 is not backward compatible with PKMv1 so that the requirements are
>not fulfilled. And the TGd-based BS shall interoperate with the TGd-based SS
>(supporting PKMv1 only), but when the TGe-based BS cannot provide the PKMv1
>capability, the requirements are not satisfied, too.
>
> Therefore, in order to provide the backward compatibility (and/or
>interoperability) with TGd, the TGe-based MSSs and BSs shall provide both of
>the PKMv1 and PKMv2 capabilities. It is a too much burden and the duplicated
>functionality to the MSSs.
>
> Generally speaking, I hope that the PKMv2 should support the various
>possibilities of authorization and encryption modes as a superset of
>including PKMv1 concepts.
>
> Fortunately, DJ proposed and showed me the modified Key hierarchy
>mechanism (188r3) to mitigate our uneasiness by introducing the HMAC SHA-1
>key generation, and modified to change the proposal to allow EAP-only mode.
>We have been reviewing the proposal and we would like to propose an
>alternative by slightly change the DJ's proposal to maximize the backward
>compatible and reusable features with PKMv1. By doing that, we can reduce
>the overhead of implementing the two completely different mechanisms in each
>Mobile subscriber station, and will get a soft-landing from PKMv1 to PKMv2.
>
>
>
> Sincerely,
>
> Chulsik Yoon,
> Senior Engineer, ETRI
>
>
>
> P.S.
>
> I would like to mention the data encryption issue of PKMv2, not relating
>to the Key hierarchy issue.
>
> In PKMv2, we have generally agreed on using the AES algorithm for key
>management and data encryption. So, in my thought, if we select the PKMv2
>based key management methodology, then we will also use the AES algorithm
>(not the DES algorithm) for data encryption. In the current specification,
>only the AES-CCM mode can be provided to data encryption using AES
>algorithm. Even thought, the AES-CCM can provide the high security
>capabilities by using the Counter and Message Integrity Check with AES, it
>needs a large amount of overhead (total 12 bytes of overhead per PDU; 4
>bytes PN and 8 bytes of Cypertext ICV). In my opinion, most of the user
>service needs not this type of highly secure mechanisms, except the monetary
>transactions such as internet banking, mobile commerce, etc. Therefore, the
>another AES mode (not CCM), not having too much overhead for data encryption
>transaction, need to be added to the current security mechanisms in IEEE
>802.16 specifications.
>
> Thank You.
>
> ¿øº» ³»¿ë:
>
> º¸³½»ç¶÷: owner-stds-802-16@listserv.ieee.org[dj.johnston@INTEL.COM]
> ¹Þ´Â»ç¶÷: STDS-802-16@listserv.ieee.org
> Á¦¸ñ: [STDS-802-16] Cleaning up 802.16e security
> ¹ÞÀº³¯Â¥: 2004/07/17 Åä 12:15
>
>
>
> All,
> I think the input to the security work went rather well. We got most of
>the underlying mechanisms in the spec. Compare this with the time it took
>802.11i to get to this stage. Of course we had the benefit of their
>hindsight.
>
> As some of us discussed in the meeting, there are a few things to be
>done with the security work but also there seems to be agreement that we
>need to identify and limit the list of things we need to do, in order to
>bring the work to a close.
>
> My list of things to be done is as follows:
> EAP Key agreement
> Generic Management Frame Protection
> PKMv2 Key Hierarchy
> PKMv2 Security State Machines
> Test Vectors (for the crypto algorithms operating over packets)
> Vulnerability analysis/corrections
> General clean up of the contributions that were accepted (we have
>LB14c for that)
> I have vague memories of Jeff having another item for this list but its
>leaked from my head.
> I will try to coordinate a consensus position on what the key heirarchy
>should be. So I'd appreciate comment on it. Particularly from anyone who
>disliked the current proposal enough to vote against it. I don't think the
>discussion in the meeting shed much light on what the concerns were, since I
>still don't know.
>
> EAP Key agreement is in a similar situation. Jeff provided text, but it
>didn't pass. Therefore any input on what is needed to make it pass is
>welcome.
>
> Anyone who can commit to filling in other parts of the framework should
>declare their interest, so people interested in contributing to the same
>areas can compare notes.
>
> Hopefully we can reach some sort of consensus before the next meeting.
> Regards,
> DJ
>
>
>
>