mbm s security 2004
TRANSCRIPT
-
7/30/2019 Mbm s Security 2004
1/26
Improving MBMS Security in 3G
Wenyuan [email protected]
Rutgers University
-
Outline
Motivation
The security problem
The existing MBMS scheme
Our improved scheme
Experimental results
-
Motivation
The coming future: group-oriented applications on wireless networks
Network basis: multicast
3G: Multimedia Broadcast/Multicast Service (MBMS)
Security problem: control access to multicast data
[Figure: 3G networks with the MB-SC. MB-SC: Broadcast Multicast - Service Center]
-
Security Goal: Access Control
[Figure: 3G networks, MB-SC, session key. MB-SC: Broadcast Multicast - Service Center]
-
Security Goal: Access Control
[Figure: 3G networks, MB-SC, session key]
-
Dilemmas in 3G Networks
Underlying scenario:
  Mobile Equipment (ME)
    Powerful
    Not a secure device to store session key
    An attacker who is a subscribed user can distribute the decryption keys to others.
  User Services Identity Module (USIM): SIM card
    Not powerful enough to decrypt bulk data
    Secure device to store session key
-
Dilemmas in 3G Networks
Attacks: An adversarial subscriber finds out the Session Key (SK) and sends it out to non-paying users.
In summary: The need to store decryption keys in insecure memory makes it impossible to design a scheme where non-subscribed users CANNOT access the data.
What can we do?
-
What can we do?
Dissuade our potential market from using illegitimate methods to access the multicast content
What is the potential market?
  Users that desire cheap access to multicast services while being mobile.
Attacks we should not be concerned about:
  Attacks that are expensive to mount (per-user basis)
  Attacks that assume the user is not mobile.
-
What can we do? (cont.)
Assumption
  It is not easy for an adversarial subscriber to send out the Session Key (SK). Thus, we assume there is an underlying cost associated with sharing the Session Key.
  There is a Registration Key established once the user subscribes to the service.
Strategy for protecting keys
  Make the Session Key change so frequently that the cost of attacking is higher than the cost of subscribing to the service.
  This strategy is used in Qualcomm's S3-030040 proposal to 3GPP.
Requirement
  The overhead of changing the SK should be modest.
-
Qualcomm's Key Hierarchy
BAK (Broadcast access key)
SK (Session key)
RK (Registration key)
[Figure: key hierarchy across the MB-SC, 3G Core Network and Radio Access Network, with the labels "f" and "Random number"]
-
Qualcomm's SK Distribution Scheme
BM-SC sends out the encrypted multicast data together with SK_RAND, BAK_ID, BAK_EXP
  CipherText = E_SK(content)
[Figure: MB-SC, 3G Core Network, Radio Access Network. Message: CipherText || SK_RAND || BAK_ID || BAK_EXP]
-
SK Distribution (Cont.)
Once ME finds that a new SK is used:
  ME asks USIM to calculate the new SK
  If USIM has BAK corresponding to BAK_ID
    USIM: SK = f (SK_RAND, BAK)
    USIM sends the new SK to ME
[Figure: MB-SC, 3G Core Network, Radio Access Network. Message: CipherText || SK_RAND || BAK_ID || BAK_EXP]
-
Qualcomm's BAK Distribution Scheme
Each USIM sends out a BAK request to MB-SC from the ME
[Figure: MB-SC, 3G Core Network, Radio Access Network. Message: BAK request || USIM_ID]
-
BAK Distribution (Cont.)
Once the request passes the legality check, BM-SC:
  Generates temporary key: TK = f (TK_RAND, RK)
  Sends: E_TK(BAK) || TK_RAND
[Figure: MB-SC, 3G Core Network, Radio Access Network, session key]
-
Drawbacks
Bandwidth: network resources will be wasted on sending out SK_RAND.
  SK_RAND has to be appended to each packet.
  For a higher level of security, SK_RAND has to be large.
BAK update problem: at the moment that a new BAK is used, every USIM will send out a BAK request to BM-SC
  BAK implosion problem
  High peak bandwidth
-
Improvements: One-Way Function
Using a one-way function to generate SKs within USIM
  SK_0 = SK_SEED
  SK_1 = f (SK_0, BAK)
  SK_{i+1} = f (SK_i, BAK)
[Figure: MB-SC, 3G Core Network, Radio Access Network. Message: CipherText || SK_RAND || BAK_ID || BAK_EXP]
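
Added example, not from the slides or from Qualcomm's proposal: the baseline derivation SK = f(SK_RAND, BAK) next to the chained derivation SK_{i+1} = f(SK_i, BAK), showing that a USIM can catch up on missed rekeys by itself and that SK_i without BAK does not yield SK_{i+1}. Assumptions: f is modelled as truncated HMAC-SHA256 (the slides leave f unspecified), the chain position is tracked with an index counter, SK_SEED is delivered once per BAK, and all names and sample values are constructed.

```python
import hashlib
import hmac

def f(x: bytes, bak: bytes) -> bytes:
    # Assumption: the slides leave f unspecified; HMAC-SHA256 keyed with BAK,
    # truncated to 128 bits, stands in for it here.
    return hmac.new(bak, x, hashlib.sha256).digest()[:16]

def sk_from_rand(sk_rand: bytes, bak: bytes) -> bytes:
    """Baseline scheme: SK = f(SK_RAND, BAK), SK_RAND sent with every packet."""
    return f(sk_rand, bak)

class SkChain:
    """Chained scheme inside the USIM: SK_0 = SK_SEED, SK_{i+1} = f(SK_i, BAK)."""

    def __init__(self, sk_seed: bytes, bak: bytes):
        self._bak = bak      # stays in the USIM; only SK values go to the ME
        self.index = 0       # hypothetical counter for the chain position
        self.sk = sk_seed

    def advance_to(self, i: int) -> bytes:
        # A USIM that missed some rekeys steps forward on its own; no
        # per-packet random value is needed to derive the next SK.
        if i < self.index:
            raise ValueError("one-way chain cannot be stepped backwards")
        while self.index < i:
            self.sk = f(self.sk, self._bak)
            self.index += 1
        return self.sk

def key_material_on_air(packets: int, sk_rand_len: int, seed_len: int):
    """Bytes of derivation input sent: per-packet SK_RAND vs one SK_SEED."""
    return packets * sk_rand_len, seed_len

# Constructed sample values, not from the slides.
BAK = bytes.fromhex("00112233445566778899aabbccddeeff")
SK_SEED = bytes.fromhex("0f" * 16)

if __name__ == "__main__":
    bm_sc, usim = SkChain(SK_SEED, BAK), SkChain(SK_SEED, BAK)
    print(bm_sc.advance_to(5) == usim.advance_to(5))   # both sides agree on SK_5
    print(key_material_on_air(1000, 16, 16))
```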
-
Improvements: BAK Distribution
At the moment that a new BAK is used, every USIM will request BAK from BAK distributor almost at the same time
BAK distributor pushes the new BAK to USIM instead of pulling by USIM
-
Improvements: Key Tree
Using an additional set of keys (Key Encryption Keys, KEK) to achieve key hierarchy
Join: Use old shared key (SEK) to encrypt and distribute new session key
Leave: Use lower level old key (KEK) to encrypt the higher level key, and only change the keys known by the leaving user
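
Added example, not from the slides: the Leave rule on a binary key tree, replacing only the keys the leaving user knew and wrapping each new key under the keys of its children. Assumptions: the tree is complete and binary (the slides do not give its degree), the root key plays the role of the shared key, encryption is modelled by tagging each rekey message with the key it is wrapped under, and all class and function names are hypothetical.

```python
import os

class KeyTree:
    """Complete binary key tree, heap-indexed: root = 1, leaves = n .. 2n-1."""

    def __init__(self, n_users: int):
        if n_users < 2 or n_users & (n_users - 1):
            raise ValueError("n_users must be a power of two")
        self.n = n_users
        self.keys = {node: os.urandom(16) for node in range(1, 2 * n_users)}

    def path(self, user: int):
        """Nodes whose keys `user` holds: its leaf, the KEKs above it, the root."""
        node, out = self.n + user, []
        while node >= 1:
            out.append(node)
            node //= 2
        return out

    def leave(self, user: int):
        """Replace every key the leaver knew. Returns the rekey messages as
        (wrapping_node, wrapping_key, target_node, new_key) tuples."""
        leaf, msgs = self.n + user, []
        for node in self.path(user)[1:]:        # bottom-up, leaf excluded
            new_key = os.urandom(16)
            for child in (2 * node, 2 * node + 1):
                if child != leaf:               # never wrap under the leaver's key
                    # The child on the path was already refreshed, so this
                    # wraps under its new key; the other child keeps its old one.
                    msgs.append((child, self.keys[child], node, new_key))
            self.keys[node] = new_key
        del self.keys[leaf]
        return msgs

def apply_rekey(held: dict, msgs):
    """Receiver side: `held` maps node -> key; unwrap what it can, in order."""
    held = dict(held)
    for wrap_node, wrap_key, target, new_key in msgs:
        if held.get(wrap_node) == wrap_key:
            held[target] = new_key
    return held

if __name__ == "__main__":
    tree = KeyTree(8)
    print(len(tree.leave(3)), "rekey messages instead of 7 unicasts")
```

For a group of n users a leave costs 2*log2(n) - 1 messages in this model, which is why the push-based BAK update scales with group size.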
-
Simulation Setup
NS-2 Simulation Topology
Use two nodes to represent the Network since we are primarily concerned with capturing the bottleneck effect in the Network.
[Figure: topology B1, N1, N2 with users U1, U2, ..., Ui. Labels: Wired link; Queue length (l); Service rate (u); Link 1; Link 2; Bottleneck bandwidth; Loss rate; Delay; Users inter arrival time; Duration time; Network]
-
Simulation Setup (cont.)
Movie session
  Multicast traffic: statistical data from Star Wars IV
Group member join/leave behavior:
  Inter-arrival times and session durations are modeled as exponential distributions
  Inter-arrival time consists of two phases:
    Beginning of movie (first 150 seconds): Users arrive more frequently
    Remainder of movie: Users arrive less frequently
  Session durations:
    Mean duration = 46min
-
Simulation Results: Bandwidth Used for Group Size 760
[Figure: two plots, "Qualcomm's scheme" and "Our improved scheme"; axis: Bandwidth (kb/s)]
-
Peak bandwidth vs. Group size
...
-
Conclusions:
An improved security framework was presented that involves:
  The use of chained one-way functions for generating SKs
  The BM-SC pushing new BAKs to the users based on a key-tree
These improvements:
  Reduce amount of bandwidth needed for updating keys
  Avoid potential BAK implosion problems associated with rekeying 3G multicasts
  Scale well as group size increases
The proposed mechanisms can be mapped to other network scenarios.
-
Future work:
We plan to formulate the relationship between the group join/leave behavior and the amount of communication overhead associated with rekeying.
Our simulations only captured the bottleneck effect in 3G Core Networks
  We plan to study different multicast strategies at the Radio Access Network and how key management affects RAN network performance.
-
Questions?
-
Thank you!