School of Telecommunication
National University of Science & Technology (NUST), PK
1 Dr.adnan111@gmail.com, 2 Shoazib@yahoo.com, 3 Ahmad-mcs@nust.edu.pk, 4 Hod-is@mcs.edu.pk
Abstract: This paper presents a survey of unaddressed security vulnerabilities found in IEEE 802.16e networks. In particular, the vulnerabilities leading to denial of service (DoS) attacks on IEEE 802.16e based networks are discussed in detail. These vulnerabilities include unprotected network entry, unencrypted management communication, unprotected management frames, and a weak key sharing mechanism in multi- and broadcast operation. Moreover, the paper suggests a new core point of attack on 802.16e networks, i.e. the list of twenty unauthenticated management frames which are sent in the clear. These unauthenticated management frames will be the cause of different kinds of serious threats in the near future. A new practical scenario-based attack using the Reset Command (RES_CMD) message and leading to DoS has also been identified in this paper.

Keywords: WiMAX, IEEE 802.16e security, DoS attacks, multi- and broadcast service, shared key vulnerability, hash chaining solution

1. General Introduction.

When a bandwidth requirement is combined with ease of use and portability, the answer is Broadband Wireless Access (BWA). BWA was developed to meet the fast-growing bandwidth requirements of WLANs, which have inherent security and design flaws that made them unsuitable for city-wide deployment. In 1999 the IEEE 802 working group was set up to develop a new BWA standard for MANs, namely IEEE 802.16 [1].

IEEE 802.16 was approved by the IEEE in 2001. It was revised several times, ending in the final standard IEEE 802.16-2004, which corresponds to revision D and is often called Fixed WiMAX [2]. It defines wireless metropolitan broadband access for stationary and nomadic use. This means end devices cannot move between base stations (BS) but can enter the network at different locations. An extended version, IEEE 802.16e, was developed to support mobility and is often called Mobile WiMAX [3]. Mobile WiMAX introduces new features such as different handover types, power saving methods and multi- and broadcast support, and eliminates most of the security vulnerabilities exposed in its predecessors [3]. It uses EAP-based mutual authentication, a variety of strong encryption algorithms, nonces and packet numbers to defend against replay attacks, and reduced key lifetimes. First, some important parts of the functionality of Mobile WiMAX are introduced. Afterwards different security vulnerabilities are discussed, and at the end the list of twenty unauthenticated management frames which are susceptible to different kinds of threats is shown.

1.1 Key management in 802.16e

The MS sets up a security association (SA) for each data connection it wants to establish, in a 3-way TEK exchange performed at initial network entry. The security association manages the keys for data encryption (the TEKs), their lifetimes and the other security parameters of this connection. It also includes a TEK state machine which periodically refreshes the keying material before the lifetime of a TEK expires. To request new keying material the state machine sends a Key Request to the BS, which responds with a Key Reply containing a new TEK. The transferred TEK is encrypted with a key encryption key (KEK), which is derived from the AK (authorization key) and is used to decrypt the received keys of all SAs. To avoid communication interruption each SA simultaneously holds two TEKs. When one TEK expires the second one is used for traffic encryption and a new one is requested.
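The TEK lifecycle described in section 1.1, as an added example that is not part of the paper: a mobile station (MS) side and a base station (BS) side of one SA, two TEK generations held at once, a Key Request sent before the keying material runs out, and the KEK-wrapped TEKs in the Key Reply unwrapped and integrity-checked. The lifetimes, the Key Reply shape, the KEK derivation and the key-wrap function are stand-ins chosen for illustration; the standard's Dot16KDF derivation and its 3DES/AES key wrap are not reproduced here.

```python
"""Simplified model of the 802.16e TEK state machine (constructed example).
Stand-in constants, derivation and wrap functions are assumptions, not the
standard's definitions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

TEK_LIFETIME = 600.0   # assumed TEK lifetime in seconds
TEK_GRACE = 60.0       # assumed margin: refresh when the newer TEK has this much life left
SEQ_BYTES = 4


def derive_kek(ak: bytes) -> bytes:
    """Stand-in for deriving the 128-bit KEK from the AK (not Dot16KDF)."""
    return hmac.new(ak, b"KEK", hashlib.sha256).digest()[:16]


def _pad(kek: bytes, seq: int) -> bytes:
    """Per-key-sequence pad derived from the KEK; stand-in for a real key wrap."""
    return hmac.new(kek, b"wrap" + seq.to_bytes(SEQ_BYTES, "big"), hashlib.sha256).digest()[:16]


def wrap_tek(kek: bytes, tek: bytes, seq: int) -> bytes:
    """Encrypt a 16-byte TEK under the KEK and append an 8-byte integrity tag."""
    body = bytes(a ^ b for a, b in zip(tek, _pad(kek, seq)))
    tag = hmac.new(kek, body + seq.to_bytes(SEQ_BYTES, "big"), hashlib.sha256).digest()[:8]
    return body + tag


def unwrap_tek(kek: bytes, blob: bytes, seq: int) -> bytes:
    """Reject a tampered or mis-sequenced Key Reply before using the TEK."""
    body, tag = blob[:16], blob[16:]
    expect = hmac.new(kek, body + seq.to_bytes(SEQ_BYTES, "big"), hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("Key Reply failed the KEK integrity check")
    return bytes(a ^ b for a, b in zip(body, _pad(kek, seq)))


@dataclass
class Tek:
    seq: int
    key: bytes
    expires_at: float


class BaseStationSA:
    """BS side of one SA: two overlapping TEK generations, answers Key Requests."""

    def __init__(self, ak: bytes, now: float):
        self.kek = derive_kek(ak)
        self.older = self._new_tek(0, now)
        self.newer = self._new_tek(1, now + TEK_LIFETIME / 2)

    @staticmethod
    def _new_tek(seq: int, start: float) -> Tek:
        return Tek(seq, os.urandom(16), start + TEK_LIFETIME)

    def key_reply(self, now: float) -> List[Tuple[int, bytes, float]]:
        """Roll to a new generation if the older TEK expired, then return both wrapped."""
        if self.older.expires_at <= now:
            self.older = self.newer
            self.newer = self._new_tek(self.older.seq + 1, self.older.expires_at - TEK_LIFETIME / 2)
        return [(t.seq, wrap_tek(self.kek, t.key, t.seq), t.expires_at) for t in (self.older, self.newer)]


class MobileStationSA:
    """MS side of one SA: holds two TEKs and refreshes before the newer one runs out."""

    def __init__(self, ak: bytes):
        self.kek = derive_kek(ak)
        self.older: Optional[Tek] = None
        self.newer: Optional[Tek] = None

    def needs_refresh(self, now: float) -> bool:
        if self.older is None or self.newer is None:
            return True
        return self.older.expires_at <= now or self.newer.expires_at - now <= TEK_GRACE

    def apply_key_reply(self, reply: List[Tuple[int, bytes, float]]) -> None:
        if len(reply) != 2:
            raise ValueError("Key Reply must carry two TEK generations")
        self.older, self.newer = [Tek(s, unwrap_tek(self.kek, b, s), e) for s, b, e in reply]

    def active_tek(self, now: float) -> Tek:
        """Use the older TEK until it expires, then the newer one."""
        for t in (self.older, self.newer):
            if t is not None and t.expires_at > now:
                return t
        raise RuntimeError("no valid TEK: traffic would be interrupted")


def simulate(ak: bytes, duration: float = 2 * TEK_LIFETIME, step: float = 30.0) -> Tuple[int, int]:
    """Drive the state machine over simulated time; return (key_requests, traffic_gaps)."""
    bs, ms = BaseStationSA(ak, 0.0), MobileStationSA(ak)
    requests = gaps = 0
    now = 0.0
    while now <= duration:
        if ms.needs_refresh(now):
            ms.apply_key_reply(bs.key_reply(now))
            requests += 1
        try:
            ms.active_tek(now)
        except RuntimeError:
            gaps += 1
        now += step
    return requests, gaps
```

Running `simulate(b"constructed-ak")` over two TEK lifetimes yields four Key Request/Key Reply exchanges and no interval without a usable TEK, which is the point of holding two keys. Note that the check in `unwrap_tek` is what stops a forged Key Reply from installing an attacker-chosen TEK; the paper's concern is that the management messages surrounding this exchange are not all protected the same way.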
3.1.2. Mobile Neighbor Advertisement (MOB_NBR-ADV) Message

The neighbor advertisement message (MOB_NBR-ADV) is also not authenticated. It is used by the serving BS to announce the characteristics of neighboring BSs to MSs looking for handover possibilities. By forging this message an opponent can hide individual BSs by omitting the information about their existence. This prevents MSs from handing over to BSs which might have better characteristics than their serving BS. The opponent can also distribute wrong data about neighbor BSs or announce non-existing BSs.

3.1.7. Mobile Association Reply (MOB_ASC-REP) Message

The association result report (MOB_ASC-REP) is another unauthenticated message with no integrity protection. An active adversary can change arbitrary response data in the message, such as time or power adjustments. Moreover the message includes the service prediction of the BS, which advertises the services the BS can offer to the MS. Here an opponent can forge the message so that it looks like no services are being offered to the requesting MS.

3.1.8. Ranging Request (RNG-REQ) Message
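The MOB_NBR-ADV forgery of section 3.1.2, as an added example that is not part of the paper: an MS decodes a neighbor advertisement and picks handover candidates, an attacker re-emits the same advertisement with one BS removed, and a variant that carries an HMAC-SHA1 digest rejects the forgery. The message layout, the type code and the field set are a constructed toy encoding, not the 802.16e TLV format, and the group key is a constructed value.

```python
"""Toy MOB_NBR-ADV encoding (constructed example, not the 802.16e frame format)
showing why the MS cannot tell a forged neighbor list from a genuine one."""
import hashlib
import hmac
import struct

MOB_NBR_ADV = 53       # assumed management message type code for the toy layout
BSID_LEN = 6           # 48-bit base station identifier
DIGEST_LEN = 20        # HMAC-SHA1 digest length, as in the 802.16 HMAC tuple


def encode_nbr_adv(serving_cinr, neighbours):
    """Toy layout: type | serving CINR (dB) | count | (BSID, neighbour CINR) * count."""
    body = struct.pack("!BbB", MOB_NBR_ADV, serving_cinr, len(neighbours))
    for bsid, cinr in neighbours:
        if len(bsid) != BSID_LEN:
            raise ValueError("BSID must be 6 bytes")
        body += bsid + struct.pack("!b", cinr)
    return body


def decode_nbr_adv(msg):
    """MS side: parse the advertisement; there is no field that proves who sent it."""
    mtype, serving_cinr, count = struct.unpack("!BbB", msg[:3])
    if mtype != MOB_NBR_ADV:
        raise ValueError("not a MOB_NBR-ADV")
    off, neighbours = 3, []
    for _ in range(count):
        bsid = msg[off:off + BSID_LEN]
        (cinr,) = struct.unpack("!b", msg[off + BSID_LEN:off + BSID_LEN + 1])
        neighbours.append((bsid, cinr))
        off += BSID_LEN + 1
    if off != len(msg):
        raise ValueError("trailing bytes in MOB_NBR-ADV")
    return serving_cinr, neighbours


def handover_candidates(serving_cinr, neighbours, hysteresis_db=3):
    """MS decision: neighbours whose CINR beats the serving BS by the margin."""
    return [bsid for bsid, cinr in neighbours if cinr >= serving_cinr + hysteresis_db]


def forge_hide_neighbour(msg, victim_bsid):
    """Attacker: re-emit the advertisement with one BS omitted; nothing to break."""
    serving_cinr, neighbours = decode_nbr_adv(msg)
    return encode_nbr_adv(serving_cinr, [(b, c) for b, c in neighbours if b != victim_bsid])


def protect(msg, group_key):
    """Append an HMAC-SHA1 digest keyed with a key the attacker does not hold."""
    return msg + hmac.new(group_key, msg, hashlib.sha1).digest()


def verify_and_decode(msg, group_key):
    """MS side with a digest: discard the message unless the tag matches the body."""
    body, tag = msg[:-DIGEST_LEN], msg[-DIGEST_LEN:]
    if not hmac.compare_digest(tag, hmac.new(group_key, body, hashlib.sha1).digest()):
        raise ValueError("MOB_NBR-ADV digest mismatch: message discarded")
    return decode_nbr_adv(body)


def demo():
    """Constructed scenario: returns (honest candidates, forged candidates, forgery rejected)."""
    bs_a, bs_b, bs_c = (bytes([0x00, 0x11, 0x22, 0x33, 0x44, i]) for i in (1, 2, 3))
    honest = encode_nbr_adv(10, [(bs_a, 18), (bs_b, 9), (bs_c, 14)])
    forged = forge_hide_neighbour(honest, bs_a)
    # Unauthenticated: the MS decodes the forged copy and never learns that BS A exists
    honest_choice = handover_candidates(*decode_nbr_adv(honest))
    forged_choice = handover_candidates(*decode_nbr_adv(forged))
    # With a digest the attacker can rewrite the body but only replay the old tag
    group_key = b"constructed-group-key"
    protected = protect(honest, group_key)
    replayed = forge_hide_neighbour(protected[:-DIGEST_LEN], bs_a) + protected[-DIGEST_LEN:]
    try:
        verify_and_decode(replayed, group_key)
        rejected = False
    except ValueError:
        rejected = True
    return honest_choice, forged_choice, rejected
```

`demo()` shows the MS choosing BS A and BS C from the genuine message but only BS C from the forged one, while the digest-protected copy of the forgery is discarded. Two caveats apply to the protected variant: MOB_NBR-ADV goes out on the broadcast CID, so the standard's per-MS HMAC/CMAC tuple cannot simply be appended to it, and a key shared by every MS in the cell stops outsiders only; any legitimate MS holding it can still forge the message, which is the same shared-key weakness the abstract raises for multi- and broadcast operation.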
Type  Message        Description                               Sent by   Connection           Authentication
27    SBC-RSP        SS Basic Capability Response              BS        Basic                None
32    TFTP-RSP       Config File TFTP Complete Response        BS        Primary Management   None
33    ARQ-Feedback   Standalone ARQ Feedback                   BS or SS  Basic                None
34    ARQ-Discard    ARQ Discard message                       BS or SS  Basic                None
36    REP-REQ        Channel measurement Report Request        BS        Basic                None
37    REP-RSP        Channel measurement Report Response       SS        Basic                None
39    MSH-NCFG       Mesh Network Configuration                BS or SS  Broadcast            Varies (Reject message is not authenticated)
41    MSH-DSCH       Mesh Distributed Schedule                 SS        Broadcast            None
42    MSH-CSCH       Mesh Centralized Schedule                 BS        Broadcast            None
43    MSH-CSCF       Mesh Centralized Schedule Configuration   BS        Broadcast            None
44    AAS-FBCK-REQ   AAS Feedback Request                      BS        Basic                None (uses Request serial numbers)