4. Also known Low Rate Wireless PAN
Properties:
• Data Rate Maximum 250 Kbps
• Range 10 to 100 Meters
• Low Cost
• Low power consumption
• Frequency 2.4 GHz
• ZigBee Next Generation Of Bluetooth
4
Wireless PAN
5. Also known WLAN or WiFi
Properties:
• 802.11 Protocol kind : a,b,g,n,ac,ad,af,ah
• Data Rate Maximum 6.75 Gbps in 802.11ad
• Range indoor from 20 to 60 meters
• Range outdoor from 100 to 1000 meters
• High Cost
• Frequency 2.4 , 3.6 , 5 ,60 GHz
5
Wireless LAN
6. Wimax Standard History
IEEE 802.16 (2001)
Frequency 10 – 66 GHZ (Line-of-Sight)
Base Wimax
IEEE 802.16d (July 2004)
Fixed Wimax
Data Rate 70 Mbps
IEEE 802.16e (2005)
Mobile Wimax
Data Rate 15 Mbps
IEEE 802.16m (2011 )
Also known as Wimax Release 2 or WirelessMAN-Advanced
Mobile & Fix Wimax
Data Rate 100 Mbps for Mobile and 1 Gbps for Fix
6
7. Providing portable mobile broadband connectivity
across cities and countries through a variety of devices.
Providing a wireless alternative to cable and Digital
Subscriber Line (DSL) for far broadband access.
Providing data, telecommunications (VoIP) and
IPTV services Providing
a source of Internet connectivity as part of a business
continuity plan.
7
Wimax Uses
وايمکس بردهايرکا
8. Wimax Architecture
WiMax can provide two forms of wireless service: none-line-of-sight
and line-of-sight.
WiMax system includes two main parts WiMax receiver and WiMax
tower.
Wimax Receiver : Subscriber Station (SS) // مشترکايستگاه
Wimax Tower : Base Station (BS) // پايه ايستگاه8
9. Two main layers: Medium Access Control (MAC) layer and Physical
layer (PHY).
SAPs (Service Access Point) are interfacing points.
Mac layer have three Sub Layer : Convergence , Common Part ,
Security ( Privacy )
Wimax Architecture
پروتکل يمعمار در موجوداليه دوبهابطهر درتوضيحاتWiMAX
9
10. Convergence Sub-layer (CS) maps higher level data services to MAC
layer service flows and connections.
There are two type of CS :
ATM CS which is designed for ATM network and service.
Packet CS which supports Ethernet, point-to-point protocol (PPP), both IPv4 and
IPv6 internet protocols, and virtual local area network (VLAN).
Common Part Sub-layer (CPS) defines the rules and mechanisms for
system access, bandwidth allocation and connection management,
uplink scheduling, bandwidth request and grant, connection control and
automatic repeat request (ARQ)
Security Sub-layer lies between MAC CPS and PHY layer. This sub-layer is
responsible for encryption and decryption of data traveling to and from
the PHY layer, and it is also used for authentication and secure key
exchange.
Wimax Architecture
اليه در موجوديراليهز سهبهابطهر درتوضيحاتMACپروتکل يمعمارWiMAX
10
11. BS : Base Station
SS : Sub Scriber Station
X.509 : Digital certificate serving
AK : Authorization Key
SAID : Security Association ID
TEK : Transport Encryption Key
KEK : Key Encryption Keys
HMAC : Hashed Message Authentication
Code
AAA : Authentication , Authorization ,
Accounting
Terms
X.509
Certificate
11
12. Three main features of security are:
Authentication
Authorization
Traffic Encryption
Authentication Technique:
Privacy & Key Management Protocols (PKM)
Rivest-Shamir-Adleman (RSA)
Extensible Authentication Protocol (EAP)
Authorization Technique:
Security Associations (SA’s) are used to authorize user.
Authorization include request for Authentication Key and SA-
Identity in exchange for subscriber’s certificate, encryption
algorithm and cryptographic ID.
Traffic Encryption Technique:
All the traffic between Subscriber Station (SS) and Base Station
(BS) is encrypted with Traffic Encryption Key.
Wimax Security Architecture
12
13. Wimax Security Steps
Step 1: Authentication And Authorization
Base Station (BS)
SubScriber Station (SS)
Message1: ( X.509 Manufacturer Certificate)
Message2: ( X.509 Certificate , Security Capabilities , SAID)
Message3: (Authorization SA ,AK )
تباطرا لاو گام:پايهايستگاهبهمشترکايستگاهاز تباطرا خواسترد
13
14. Wimax Security Steps
Step 2: Key Exchange
Base Station (BS)
SubScriber Station (SS)
Message1: (SAID, HMAC (1))
Message2: (SAID, HMAC (2))
Message3: (SAID, OldTEK, NewTEK, HMAC (3))
تباطرا دوم گام:پايهايستگاه ومشترکايستگاهمابينکليد تبادل
AAA Server
14
15. Wimax Security Steps
Step 3: Traffic Encryption
Base Station (BS) SubScriber Station (SS)
Data Encrypted With TEK
Data Encrypted With TEK
Data stream is encrypted with the TEK when travelling to or from BS.
The data stream can be encrypted using:
DES
AES
TEK is shared during Key Exchange process and is encrypted using KEK. It can be encrypted using:
3 DES
RSA
AES
تباطرا سوم گام:يمزگذارراز استفادهباايستگاه دو بين داده تبادلTEK
15
16. WiMax/802.16 is vulnerable to physical layer attacks
such as jamming and scrambling.
Jamming is reducing the channel capacity.
Scrambling is a sort of jamming, but for short
intervals of time and targeted to specific frames or
parts of frames.
Intercept the radio signals in air.
Wimax Security Issue
In PHY Layer
وايمکس امنيتي مشکالت:فيزيکي اليه در
(1دائمييتزارپا سالرا
(2موقتيتزارپا سالرا
(3سيگنال قطع
16
17. The attacker will be attack the link during authentication or
key exchange process.
Wimax Security Issue
In MAC Layer
Base Station (BS) SubScriber Station (SS)
MAN-IN-Middle
Original Connection
New Connection
17
18. Authentication of the SS (Man-in-the-Middle and Forgery)
SS authenticates itself through its certificate, however, the BS does
not .
Rogue BS could place himself between SS and real BS and try to force
SS to authenticate itself and initiate a session by transferring an AK
(forgery attack).
The attacker can generate his own Authorization Reply Message
containing a self-generated AK and thus gain control over the
communication of the attacked SS.
Wimax Security Issue
In MAC Layer
هويتازراح هنگام دروايمکس درامنيتيمشکالت
18
19. Key Exchange Phase-Attacks
Attacker can act as a false BS for subscriber and issue self
generated keys to take over communication
Attacker can act as false subscriber to request to renew the keys
again.
Wimax Security Issue
In MAC Layer
کليد تبادل هنگام دروايمکس درامنيتيمشکالت
19
20. Replay and DoS Attack against SS
The SS send Authentication Information Messages to transmit all
relevant information to the BS.
The BS responds to the last message with an Authorization Reply
Message.
The BS can fall victim to a replay attack by which the attacker
intercepts an Authorization Request Message from an authorized SS
and stores it.
He will not be able to derive the AK from the Authorization Response
Message (since he does not possess the associated private key), he can
repeatedly send the message to the BS, burdening the BS with the
effect that this declines the real/authentic SS. This is a Denial-of-
Service-Attack against the SS.
Wimax Security Issue
سرويسانکار حمالت نوع دروايمکس درامنيتيمشکالت20
21. Tao Han, Ning Zhang, Kaiming Liu, Bihua Tang, and Yuan'an Liu. Analysis of mobile wimax security:
Vulnerabilities and solutions. 5th IEEE International Conference on Mobile Adhoc and Sensor Systems, Sep
2008.
Evren Eren, "WiMAX Security Architecture - Analysis and Assessment" IEEE International Workshop on
Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications Dortmund,
Germany 6-8 September 2007.
Mahmoud Nasreldin, Heba Aslan, Magdy El-Hennawy, Adel El-Hennaey, "WiMAX Security", Proceedings of
the 22nd International Conference on Advanced Information Networking and Applications, pp. 1335-1340,
2008.
Reference
21