Handshake agreement between the 4G WiMAX Client and the AAA Server at the SP network

1. Demystifying WiMAX Public Key Infrastructure (PKI) for
Operators and Device Vendors
http://w w w .goingw imax.com/demystifying-w imax-public-key-infrastructure-pki-for-operators-and-device-vendors-10395/ December 1, 2011
Sanjiv Gupta on May 3, 2010 | 2 comments
Since the first historical
mobile WiMAX network
deployment by Clear over a
year ago, there have been
more than 600 WiMAX
networks worldwide which
have either commercially
launched or have entered into a
planning/pre-deployment stage.
For new devices (WiMAX
Forum Certified or other
devices) entering a Greenfield
network, or for new devices
entering an existing live mobile
WiMAX network, the network
operator, the device
manufacturer or both need to
comply with the WiMAX Forum
defined Public Key
Infrastructure (PKI)
requirements. The same
mandate applies to existing
fixed WiMAX (IEEE802.16-
2004 or 802.16d) network
deployments worldwide that
plan on upgrading to a mobile
WiMAX (IEEE802.16e-2005 or
802.16e) network infrastructure.
PKI utilizes X.509 digital
certificates and their respective
keys to correctly identify the
devices and servers [AAA
(Authentication, Authorization,
and Accounting)], as well as to
mutually authenticate within the
mobile WiMAX network. The proper format and use of the X.509 certificates are described in the
IETF RFC3280 document with the cryptographic algorithms located in the PKCS#1-PKCS#13
specifications (http://grouper.ieee.org/groups/1363/) devised and published at RSA Security.
Verisign is the leading source for the Secure Sockets Layer (SSL) Certificate Authority (CA) as well
as the sole entity for the processing of WiMAX Forum PKI certificate orders made by WiMAX
operators.
Essentially, the operator and the device manufacturer are each tasked with configuring their
respective AAA servers or devices with the proper WiMAX Forum® server certificates and device
certificates, respectively – to ensure a successful EAP-TLS mutual certificate exchange between
the server and the device. The certificate requirements summarized below are specific for the case
of client devices (netbooks, notebooks, etc.) containing the Intel® Centrino® Advanced-N + WiMAX
6250 PCI Express Mini Card that will be conversing with the server. The AAA server should contain

2. six added files: the AAA Server Certificate bundled together with the WiMAX Forum Server
Subordinate CA Certificate, the AAA specific Private Key, and the WiMAX Forum Device Root
(CA) Certificates inside the “Trusted Store” (WiMAX Device Root (for Intel IT Flex), the WiMAX
Device Root CA1 (for Verisign), and the WiMAX Device Root CA2 (for Motorola). The operator has
to generate the AAA Private Key as part of the Certificate Signing Request Form (CSR), and the
CSR (containing the AAA Private Key) has to be submitted to VeriSign. Upon processing the
submission, VeriSign will provide the Scuba and the AAA Server Certificate to the operator. On the
client side, the device has seven files added (burned into the Non-Volatile Memory (NVM)
contained on Intel’s WiMAX PCI Express Mini Card solution): the Server Root Certificates (WiMAX
Server Root (for Intel IT Flex), WiMAX Server Root CA1 (for VeriSign), WiMAX Server Root CA2
(for VeriSign), and the WiMAX Server Root CA3 (for VeriSign)), the Device specific Certificate
bundled together with the WiMAX Forum Device Subordinate CA certificate, and the Device
specific Private Key. Please keep in mind that the four distinct Server Root Certificates are used to
accommodate most of the commonly used AAA servers used today.
What is free and what needs to be purchased? The WiMAX Forum Server Root (CA) Certificate
and the WiMAX Forum Device Root (CA) Certificate are free, whereas, the WiMAX Forum Server
Subordinate CA Certificate, the Server Certificate, the Device Subordinate CA Certificate, and the
Device Certificate all need to be purchased. Finally, with the PKI house-keeping completed, a
mobile WiMAX device can now be deployed inside a mobile WiMAX network and begin the
certificate exchange process with the AAA server. To put it simply, the process begins with the
client device sending the Device Certificate and Device Subordinate CA Certificate (certificate
chain) to the AAA server. The server then validates the Device Certificate using the Device
Subordinate CA Certificate and the Device Root CA Certificate. Next, the AAA server sends the
Server Certificate and Server Subordinate CA Certificate (Certificate chain) to the client device. It is
now the client’s turn to validate the Server Certificate by using the Server Subordinate CA
Certificate and the Server Root CA Certificate.
Article by Sanjiv Gupta
has written 10 articles for GoingWimax.
Sanjiv S. Gupta is a Senior Technical Marketing Engineer at Intel Corp with focus
on WiMAX enablement world wide – primarily in U.S., Latin America, India and the
EU. He has been with Intel Corporation for twelve years and has been directly
responsible for the marketing/integration of Intel’s graphics and wireless
components into OEM PCs worldwide.