MBMS Security Framework QUALCOMM’s proposal and our
Download
Report
Transcript MBMS Security Framework QUALCOMM’s proposal and our
Improving MBMS Security
in 3G
Wenyuan Xu
[email protected]
Rutgers University
Outline
Motivation
The security problem
The existing MBMS scheme
Our improved scheme
Experimental results
2
Motivation
The coming future: group-oriented applications on
wireless networks
Network basis: multicast
3G: Multimedia Broadcast/Multicast Service (MBMS)
Security problem: control access to multicast data
MB-SC
MB-SC: Broadcast Multicast
- Service Center
3G Networks
3
Security Goal – Access Control
Session Key
MB-SC: Broadcast Multicast
- Service Center
MB-SC
3G Networks
4
Security Goal – Access Control
Session Key
MB-SC
MBSC
3G Networks
5
Dilemmas in 3G Networks
Underlying Scenario:
– Mobile Equipment (ME)
Powerful
Not a secure device to store session key
An attacker who is a subscribed user can
distribute the decryption keys to others.
– User Services Identity Module (USIM): SIM card
Not powerful enough to decrypt bulk data
Secure device to store session key
6
Dilemmas in 3G Networks
Attacks:
– An adversarial subscriber find out the Session Key (SK)
and send it out to non-paying users.
In summary:
– The need to store decryption keys in insecure memory
makes it impossible to design a scheme where nonsubscribed users CANNOT access the data
What can we do?
7
What can we do?
Dissuade our potential market from using
illegitimate methods to access the multicast
content
What is the potential market?
– Users that desire cheap access to multicast services
while being mobile.
Attacks we should not be concerned about:
– Attacks that are expensive to mount (per-user basis)
– Attacks that assume the user is not mobile.
8
What can we do? (cont.)
Assumption
– It is not easy for an adversarial subscriber to send out the
Session key (SK). Thus, we assume there is a underlying
cost associated with sharing the Session Key.
– There is a Registration Key established once the user
subscribes to the service.
Strategy for protecting Keys
– Make the Session Key change so frequently that the cost of
attacking is more expensive than the cost of subscribing to
the service.
– This strategy is used in Qualcomm’s S3-030040 proposal to
3GPP.
Requirement
– The overhead of changing the SK should be modest.
9
Qualcomm’s Key Hierarchy
Radio Access Network
3G Core Network
MB-SC
Random number
RK
(Registration
key)
f
BAK (Broadcast
access key)
SK (Session
key)
10
Qualcomm’s SK Distribution Scheme
Radio Access Network
3G Core Network
MB-SC
CipherText || SK_RAND || BAK_ID || BAK_EXP
BM-SC send out the encrypted multicast data
together with SK_RAND, BAK_ID, BAK_EXP
– CipherText = ESK(content)
11
SK Distribution (Cont.)
Radio Access Network
3G Core Network
MB-SC
CipherText || SK_RAND || BAK_ID || BAK_EXP
Once ME finds that a new SK is used:
If USIM has BAK corresponding to BAK_ID
– ME asks USIM to calculate the new SK
– USIM: SK = f (SK_RAND, BAK)
– USIM sends the new SK to ME
12
Qualcomm’s BAK Distribution Scheme
Radio Access Network
3G Core Network
MB-SC
BAK request || USIM_ID
Each USIM sends out a BAK request to
MB-SC from the ME
13
BAK Distribution (Cont.)
Radio Access Network
3G Core Network
MB-SC
Once the request passes the legality check, BM-SC:
– Generates temporary key: TK = f (TK_RAND, RK)
– Sends: ETK(BAK) || TK_RAND
14
Session Key
Drawbacks
Bandwidth: network resources will be wasted on sending
out SK_RAND.
SK_RAND has to be appended to each package.
For higher level of security, SK_RAND has to be large.
BAK update problem: at the moment that a new BAK is
used, every USIM will send out a BAK request to BMSC
BAK implosion problem
High peak bandwidth
15
Improvements: One Way Function
Radio Access Network
3G Core Network
MB-SC
CipherText || SK_RAND || BAK_ID || BAK_EXP
Using one way function to generate SKs within USIM
–
–
–
–
SK0 = SK_SEED
SK1 = f (SK0,BAK)
…
SKi+1 = f (SKi, BAK)
16
Improvements: BAK Distribution
At the moment that a new BAK is used,
every USIM will request BAK from BAK
distributor almost at the same time
BAK distributor pushes the new BAK to
USIM instead of pulling by USIM
17
Improvements: Key Tree
Using additional set of keys (Key Encryption Keys KEK) to achieve
key hierarchy
Join: Use old shared key (SEK) to encrypt and distribute new
session key
Leave: Use lower level old key (KEK) to encrypt the higher level
key, and only change the keys known by the leaving user
18
Simulation Setup
NS-2
Simulation Topology
– Use two nodes to represent the Network since we are
primarily concerned with capturing the bottleneck
effect in the Network.
U1
Network
B1
Link 1
N1
U2
Link2
N2
Queue length (l)
Service rate (u)
Bottleneck bandwidth
Loss rate
Delay
Wired link
Ui
Users’ inter arrival time
Duration time
19
Simulation Setup (cont.)
Movie session
– Multicast traffic: statistical data from Star
Wars IV
– Group member join/leave behavior:
Inter-arrival times and session durations are
modeled as exponential distributions
Inter-arrival time consists of two phases:
– Beginning of movie (first 150 seconds): Users arrive
more frequently
– Remainder of movie: Users arrive less frequently
Session durations:
– Mean duration = 46min
20
Simulation Results:
Bandwidth Used for Group Size 760
Bandwidth (kb/s)
Qualcomm’s scheme
Bandwidth (kb/s)
Our improved scheme
21
Simulation Results:
Peak bandwidth vs. Group size
..
.
22
Conclusions:
An improved security framework was presented that
involves:
– The use of chained one-way functions for generating SKs
– The BM-SC pushing new BAKs to the users based on a keytree
These improvements:
– Reduce amount of bandwidth needed for updating keys
– Avoid potential BAK implosion problems associated with
rekeying 3G multicasts
– Scales well as group size increases
The proposed mechanisms can be mapped to other
network scenarios.
23
Future work:
We plan to formulate the relationship
between the group join/leave behavior
and the amount of communication
overhead associated with rekeying?
Our simulations only captured the
bottleneck effect in 3G Core Networks
– We plan to study different multicast
strategies at the Radio Access Network and
how key management affects RAN network
performance.
24
Questions?
25
Thank you!