Re: stds-80220-requirements: Network Access Requirements Sec. 4.1.16.1
Jim,
I don't think that authentication of the network by the mobile is
optional. In the voice world (using licensed bands) this has not
been so much of an issue but, in the data world, this exposes us
to man in the middle attacks. Given the "PR nightmare" that this could
cause, I think we need to be much more careful.
Also your proposal has changed "authentication of the user" to
"authentication of the mobile station". These are not necessarily the
same thing.
While user authentication is user challenge-response based, mobile station
authentication could either follow a challenge-response shared-secret paradigm
or a certificate-based one quite easily. The latter has the advantage of
limiting the need for communication with higher-layer entities in the
network. Also, certificate-based schemes could be viewed as
challenge-response based, so, to avoid confusion, we should either
mention both as viable schemes or not mention the scheme at all.
Finally we need to be careful in scoping this within the PHY and
MAC.
So I suggest instead:
Proposal:
Replace section 4.1.16.1
The 802.20 PHY and MAC shall support a cryptographic mechanism
for the network to authenticate the mobile stations. Mechanisms
for the mobile station to authenticate the network shall also be
a requirement.
The 802.20 PHY and MAC shall support a cryptographic mechanism
for the network to authenticate the user.
Mike
On Sat, Sep 06, 2003 at 09:44:22PM -0700, Jim Tomcik wrote:
> I thought this comment was put in previously. Here it is...
>
>
> The current text states:
>
> A cryptographically generated challenge-response authentication mechanism
> for the user to authenticate the network and for the network to
> authenticate the user must be used.
>
> I suggest that we change this to read:
>
> A cryptographically generated challenge-response authentication mechanism
> for the network to authenticate the mobile station shall be
> used. Mechanisms for the mobile station to authenticate the network shall
> be optional.
>
> Rationale:
> In section 4.1.16.1, the text seems to read that both authentication
> directions are required. Since 802.20's scope is licensed operation, the
> likelihood and problems associated with rogue base stations (or rogue APs)
> are minimal. The required direction for authentication is from network to
> mobile station, so that network security is maintained and theft-of-service
> for the license holder is minimized.
>
> ..................................................................................
>
> James D. Tomcik
> QUALCOMM, Incorporated
> (858) 658-3231 (Voice)
> (619) 890-9537 (Cellular)
> From: San Diego, CA
> PGP: 5D0F 93A6 E99D 39D8 B024 0A9B 6361 ACE9 202C C780
> ..................................................................................
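As an added illustration of the point argued in the thread (example code written for this page, not from either author or from the 802.20 draft), the following shared-secret challenge-response exchange lets the network authenticate the mobile station and, when run in mutual mode, lets the mobile station authenticate the network in the same two round trips. The key, the direction tags and the rogue base station model are constructed assumptions; the rogue case shows why the one-way variant in Jim's proposal leaves the mobile attaching to a network that never proved knowledge of the subscriber key.

```python
import hashlib
import hmac
import secrets

# Constructed example key shared by the subscriber's mobile station and the legitimate network.
SUBSCRIBER_KEY = b"constructed-example-subscriber-key"

def _mac(key, direction, nonce_a, nonce_b):
    """HMAC-SHA256 over a direction tag and both nonces, so each reply is bound to both challenges."""
    return hmac.new(key, direction + nonce_a + nonce_b, hashlib.sha256).digest()

class MobileStation:
    def __init__(self, key):
        self.key, self.nonce = key, None

    def respond(self, net_nonce):
        """Answer the network's challenge and issue the mobile's own challenge nonce."""
        self.nonce = secrets.token_bytes(16)
        return self.nonce, _mac(self.key, b"MS", net_nonce, self.nonce)

    def verify_network(self, net_nonce, net_response):
        """Accept the network only if its reply was keyed with the shared secret."""
        expected = _mac(self.key, b"NET", self.nonce, net_nonce)
        return hmac.compare_digest(net_response, expected)

class Network:
    def __init__(self, key):
        self.key, self.nonce = key, None

    def challenge(self):
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def verify_and_respond(self, ms_nonce, ms_response):
        """Check the mobile's answer; reply to the mobile's challenge only if it was correct."""
        if not hmac.compare_digest(ms_response, _mac(self.key, b"MS", self.nonce, ms_nonce)):
            return None
        return _mac(self.key, b"NET", ms_nonce, self.nonce)

class RogueNetwork(Network):
    """Constructed model of a base station without the subscriber key: accepts anyone, forges its reply."""
    def verify_and_respond(self, ms_nonce, ms_response):
        return _mac(self.key, b"NET", ms_nonce, self.nonce)

def attach(ms, net, mutual):
    """Run the exchange; return (network accepted mobile, mobile accepted network)."""
    n_net = net.challenge()
    n_ms, ms_resp = ms.respond(n_net)
    net_resp = net.verify_and_respond(n_ms, ms_resp)
    if net_resp is None:
        return False, False
    if not mutual:
        return True, True  # one-way scheme: the mobile attaches without checking the network
    return True, ms.verify_network(n_net, net_resp)
```

With `mutual=True` a rogue network is rejected by the mobile even though it claimed to accept the mobile; with `mutual=False` the mobile has no way to tell the two apart.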