Improving MBMS Security in 3G
Wenyuan Xu, Rutgers University
2
Outline
Motivation
The security problem
The existing MBMS scheme
Our improved scheme
Experimental results
3
Motivation
The coming future: group-oriented applications on wireless networks
Network basis: multicast
3G: Multimedia Broadcast/Multicast Service (MBMS)
Security problem: control access to multicast data
[Diagram: 3G Networks, MB-SC]
MB-SC: Broadcast Multicast - Service Center
4
Security Goal – Access Control
[Diagram: 3G Networks, MB-SC, Session Key]
MB-SC: Broadcast Multicast - Service Center
5
Security Goal – Access Control
[Diagram: 3G Networks, MB-SC, Session Key]
6
Dilemmas in 3G Networks
Underlying scenario:
  – Mobile Equipment (ME)
      Powerful
      Not a secure device to store session key
      An attacker who is a subscribed user can distribute the decryption keys to others.
  – User Services Identity Module (USIM): SIM card
      Not powerful enough to decrypt bulk data
      Secure device to store session key
7
Dilemmas in 3G Networks
Attacks:
  – An adversarial subscriber finds out the Session Key (SK) and sends it out to non-paying users.
In summary:
  – The need to store decryption keys in insecure memory makes it impossible to design a scheme where non-subscribed users CANNOT access the data.
What can we do?
8
What can we do?
Dissuade our potential market from using illegitimate methods to access the multicast content.
What is the potential market?
  – Users that desire cheap access to multicast services while being mobile.
Attacks we should not be concerned about:
  – Attacks that are expensive to mount (per-user basis)
  – Attacks that assume the user is not mobile.
9
What can we do? (cont.)
Assumption
  – It is not easy for an adversarial subscriber to send out the Session Key (SK). Thus, we assume there is an underlying cost associated with sharing the Session Key.
  – There is a Registration Key established once the user subscribes to the service.
Strategy for protecting keys
  – Make the Session Key change so frequently that the cost of attacking is higher than the cost of subscribing to the service.
  – This strategy is used in Qualcomm’s S3-030040 proposal to 3GPP.
Requirement
  – The overhead of changing the SK should be modest.
10
Qualcomm’s Key Hierarchy
[Diagram: 3G Core Network, MB-SC, Radio Access Network]
RK (Registration key)
BAK (Broadcast access key)
SK (Session key)
f
Random number
11
Qualcomm’s SK Distribution Scheme
BM-SC sends out the encrypted multicast data together with SK_RAND, BAK_ID, BAK_EXP
  – CipherText = E_SK(content)
[Diagram: 3G Core Network, MB-SC, Radio Access Network]
CipherText || SK_RAND || BAK_ID || BAK_EXP
12
SK Distribution (Cont.)
Once ME finds that a new SK is used:
  – ME asks USIM to calculate the new SK
If USIM has BAK corresponding to BAK_ID:
  – USIM: SK = f(SK_RAND, BAK)
  – USIM sends the new SK to ME
[Diagram: 3G Core Network, MB-SC, Radio Access Network]
CipherText || SK_RAND || BAK_ID || BAK_EXP
13
Qualcomm’s BAK Distribution Scheme
Each USIM sends out a BAK request to MB-SC from the ME
[Diagram: 3G Core Network, MB-SC, Radio Access Network]
BAK request || USIM_ID
14
BAK Distribution (Cont.)
Once the request passes the legality check, BM-SC:
  – Generates temporary key: TK = f(TK_RAND, RK)
  – Sends: E_TK(BAK) || TK_RAND
[Diagram: 3G Core Network, MB-SC, Session Key, Radio Access Network]
15
Drawbacks
Bandwidth: network resources will be wasted on sending out SK_RAND.
  – SK_RAND has to be appended to each packet.
  – For a higher level of security, SK_RAND has to be large.
BAK update problem: at the moment that a new BAK is used, every USIM will send out a BAK request to BMSC
  – BAK implosion problem
  – High peak bandwidth
16
Improvements: One Way Function
Using a one-way function to generate SKs within USIM
  – SK_0 = SK_SEED
  – SK_1 = f(SK_0, BAK)
  – …
  – SK_{i+1} = f(SK_i, BAK)
[Diagram: 3G Core Network, MB-SC, Radio Access Network]
CipherText || SK_RAND || BAK_ID || BAK_EXP
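The two SK derivations side by side, as an added example that is not from the original slides: Qualcomm's SK = f(SK_RAND, BAK) and the chained SK_{i+1} = f(SK_i, BAK). Assumptions: the slides do not specify f, so HMAC-SHA256 keyed with BAK stands in for it; the class and function names, the 16-byte SK_RAND length and the key values are constructed for illustration.

```python
import hashlib
import hmac

def f(x: bytes, bak: bytes) -> bytes:
    # Assumption: f is unspecified in the slides; HMAC-SHA256 keyed with BAK stands in.
    return hmac.new(bak, x, hashlib.sha256).digest()

def sk_from_rand(sk_rand: bytes, bak: bytes) -> bytes:
    # Qualcomm's scheme: SK = f(SK_RAND, BAK), with SK_RAND sent in every packet.
    return f(sk_rand, bak)

class SkChain:
    """Chained scheme: SK_0 = SK_SEED, SK_{i+1} = f(SK_i, BAK)."""

    def __init__(self, sk_seed: bytes, bak: bytes):
        self._bak = bak      # stays inside the USIM; only SK is handed to the ME
        self.index = 0
        self.sk = sk_seed

    def advance_to(self, i: int) -> bytes:
        # A receiver that missed some key periods catches up by iterating f.
        if i < self.index:
            raise ValueError("chain state only moves forward")
        while self.index < i:
            self.sk = f(self.sk, self._bak)
            self.index += 1
        return self.sk

def sk_rand_overhead(packets: int, sk_rand_len: int) -> int:
    # Bytes spent carrying SK_RAND when it is appended to every packet.
    return packets * sk_rand_len

# Constructed sample values, for illustration only.
BAK = bytes.fromhex("00112233445566778899aabbccddeeff")
SK_SEED = b"constructed-seed"

def demo():
    bmsc = SkChain(SK_SEED, BAK)
    usim = SkChain(SK_SEED, BAK)
    sk5 = bmsc.advance_to(5)
    usim.advance_to(2)                    # USIM was idle during periods 3 and 4
    in_sync = usim.advance_to(5) == sk5
    # An SK leaked from the ME does not yield the next SK without BAK.
    guess = f(sk5, b"\x00" * 16)
    leak_helps = guess == bmsc.advance_to(6)
    return in_sync, leak_helps, sk_rand_overhead(1000, 16)

if __name__ == "__main__":
    print(demo())
```
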
17
Improvements: BAK Distribution
At the moment that a new BAK is used, every USIM will request BAK from the BAK distributor almost at the same time
The BAK distributor pushes the new BAK to the USIMs instead of each USIM pulling it
18
Improvements: Key Tree
Using an additional set of keys (Key Encryption Keys, KEK) to achieve a key hierarchy
Join: use the old shared key (SEK) to encrypt and distribute the new session key
Leave: use the lower-level old key (KEK) to encrypt the higher-level key, and only change the keys known by the leaving user
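The leave case described above, as an added example that is not from the original slides: it lists which new keys are wrapped under which lower-level keys and replays the messages to check who can still reach the new top key. Assumptions: a full binary tree with heap numbering (the slides do not give the tree degree), hypothetical function names, and no real encryption; a message is modelled only as "new key of node X wrapped under the key of node Y".

```python
def path_to_root(leaf):
    # Heap numbering: root is 1, children of k are 2k and 2k+1.
    nodes = []
    k = leaf // 2
    while k >= 1:
        nodes.append(k)
        k //= 2
    return nodes

def leave_rekey(n_users, leaving):
    """Rekey messages after user `leaving` departs a tree with n_users leaves.

    Each message is (node whose new key is sent, node whose key wraps it,
    True if the wrapping key is itself a new key)."""
    leaf = n_users + leaving
    changed = set(path_to_root(leaf))        # only keys the leaver knew change
    msgs = []
    for node in path_to_root(leaf):          # bottom-up, so new child keys exist
        for child in (2 * node, 2 * node + 1):
            if child == leaf:
                continue                     # never wrap under the leaver's key
            msgs.append((node, child, child in changed))
    return msgs

def learns_root(n_users, user, msgs):
    """Replay msgs for a user who holds the OLD keys on its own path."""
    leaf = n_users + user
    old = {leaf, *path_to_root(leaf)}
    new = set()
    for target, wrapper, wrapper_is_new in msgs:
        held = wrapper in new if wrapper_is_new else wrapper in old
        if held:
            new.add(target)
    return 1 in new

def per_user_cost(n_users):
    # Baseline: one individual delivery per remaining user.
    return n_users - 1

if __name__ == "__main__":
    m = leave_rekey(8, 3)
    print(m, learns_root(8, 3, m), learns_root(8, 2, m))
    print(len(leave_rekey(1024, 0)), per_user_cost(1024))
```

For a tree of n leaves the leave costs 2·log2(n) − 1 wrapped keys, against n − 1 individual deliveries in the baseline.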
19
Simulation Setup
NS-2 Simulation Topology
  – Use two nodes to represent the Network since we are primarily concerned with capturing the bottleneck effect in the Network.
[Topology diagram: B1, N1, N2; users U1, U2, Ui; wired link; Link 1, Link 2; Network. Parameters shown: queue length (l), service rate (u), bottleneck bandwidth, loss rate, delay, users’ inter-arrival time, duration time]
20
Simulation Setup (cont.)
Movie session
  – Multicast traffic: statistical data from Star Wars IV
  – Group member join/leave behavior:
      Inter-arrival times and session durations are modeled as exponential distributions
      Inter-arrival time consists of two phases:
        – Beginning of movie (first 150 seconds): users arrive more frequently
        – Remainder of movie: users arrive less frequently
      Session durations:
        – Mean duration = 46 min
21
Simulation Results: Bandwidth Used for Group Size 760
[Plots: Qualcomm’s scheme and our improved scheme; axis: Bandwidth (kb/s)]
22
Simulation Results: Peak bandwidth vs. Group size
...
23
Conclusions
An improved security framework was presented that involves:
  – The use of chained one-way functions for generating SKs
  – The BM-SC pushing new BAKs to the users based on a key tree
These improvements:
  – Reduce the amount of bandwidth needed for updating keys
  – Avoid potential BAK implosion problems associated with rekeying 3G multicasts
  – Scale well as group size increases
The proposed mechanisms can be mapped to other network scenarios.
24
Future work
We plan to formulate the relationship between the group join/leave behavior and the amount of communication overhead associated with rekeying.
Our simulations only captured the bottleneck effect in 3G Core Networks
  – We plan to study different multicast strategies at the Radio Access Network and how key management affects RAN network performance.
25
Questions?
Thank you!