mbm s security 2004

7/30/2019 Mbm s Security 2004

1/26

Improving MBMSSecurity in 3G

Wenyuan [email protected]

Rutgers University


2/26

2

Outline

Motivation

The security problem

The existing MBMS scheme

Our improved scheme

Experimental results


3/26

3

Motivation The coming future: group-oriented applications on

wireless networks

Network basis: multicast

3G: Multimedia Broadcast/Multicast Service (MBMS)

Security problem: control access to multicast data

3G Networks

MB-SC

MB-SC: Broadcast Multicast

- Service Center


4/26

4

3G Networks

MB-SC

Session Key

Security Goal AccessControl

MB-SC: Broadcast Multicast

- Service Center


5/26

5

Security Goal AccessControl

3G Networks

MBSC

3G Networks

MB-SC

Session Key


6/26

6

Dilemmas in 3G Networks

Underlying Scenario: Mobile Equipment (ME)

Powerful

Not a secure device to store session key

An attacker who is a subscribed user can distributethe decryption keys to others.

User Services Identity Module (USIM): SIM card Not powerful enough to decrypt bulk data

Secure device to store session key


7/26

7

Dilemmas in 3G Networks

Attacks: An adversarial subscriber find out the Session Key

(SK) and send it out to non-paying users.

In summary: The need to store decryption keys in insecure memory

makes it impossible to design a scheme where non-subscribed users CANNOT access the data

What can we do?


8/26

8

What can we do?

DissuadeDissuade our potential market from usingillegitimate methods to access the multicastcontent

What is the potential market? Users that desire cheap access to multicast services

while being mobile.

Attacks we should not be concerned about: Attacks that are expensive to mount (per-user basis)

Attacks that assume the user is not mobile.


9/26

9

What can we do? (cont.) Assumption

It is not easy for an adversarial subscriber to send out theSession key (SK). Thus, we assume there is a underlyingcost associated with sharing the Session Key.

There is a Registration Key established once the user

subscribes to the service.

Strategy for protecting Keys Make the Session Key change so frequently that the cost of

attacking is more expensive than the cost of subscribing tothe service.

This strategy is used in Qualcomms S3-030040 proposal to3GPP.

Requirement The overhead of changing the SK should be modest.


10/26

10

3G Core Network

MB-SC

Radio Access Network

Qualcomms KeyHierarchy

BAK (Broadcast

access key)

SK (Session

key)

f

Random number

RK

(Registration

key)


11/26

11

QualcommsSK DistributionScheme

BM-SC send out the encrypted multicast datatogether with SK_RAND, BAK_ID, BAK_EXP CipherText = ESK(content)

3G Core Network

MB-SC


CipherText || SK_RAND || BAK_ID || BAK_EXP


12/26

12

SK Distribution (Cont.)

Once ME finds that a new SK is used: ME asks USIM to calculate the new SK

If USIM has BAK corresponding to BAK_ID USIM: SK = f (SK_RAND, BAK) USIM sends the new SK to ME

3G Core Network

MB-SC




13/26

13

Qualcomms BAK DistributionScheme

Each USIM sends out a BAK request toMB-SC from the ME

3G Core Network

MB-SC


BAK request || USIM_ID


14/26

14

BAK Distribution (Cont.)

3G Core Network

MB-SC

Session Key


Once the request passes the legality check, BM-SC: Generates temporary key: TK = f (TK_RAND, RK)

Sends: ETK(BAK) || TK_RAND


15/26

15

Drawbacks Bandwidth: network resources will be wasted on sending

out SK_RAND. SK_RAND has to be appended to each package. For higher level of security, SK_RAND has to be large.

BAK update problem: at the moment that a new BAK isused, every USIM will send out a BAK request to BMSC BAK implosion problem High peak bandwidth


16/26

16

Improvements: One WayFunction

Using one way function to generate SKs within USIM SK0 = SK_SEED

SK1 = f (SK0,BAK)

SKi+1 = f (SKi, BAK)

3G Core Network

MB-SC




17/26

17

Improvements: BAKDistribution

At the moment that a new BAK is used,every USIM will request BAK from BAKdistributor almost at the same time

BAK distributor pushes the new BAK toUSIM instead of pulling by USIM


18/26

18

Improvements: Key Tree Using additional set of keys (Key Encryption Keys KEK) to achieve

key hierarchy Join: Use old shared key (SEK) to encrypt and distribute new

session key Leave: Use lower level old key (KEK) to encrypt the higher level

key, and only change the keys known by the leaving user


19/26

19

Simulation Setup

NS-2 Simulation Topology

Use two nodes to represent the Network since we areprimarily concerned with capturing the bottleneck

effect in the Network.

B1 N1 N2

U1

U2

Ui

Wired link

Queue length (l)

Service rate (u)

Link 1 Link2

Bottleneck bandwidth

Loss rate

Delay

Users inter arrival time

Duration time

Network


20/26

20

Simulation Setup (cont.)

Movie session Multicast traffic: statistical data from Star

Wars IV

Group member join/leave behavior: Inter-arrival times and session durations are

modeled as exponential distributions

Inter-arrival time consists of two phases:

Beginning of movie (first 150 seconds): Users arrive

more frequently Remainder of movie: Users arrive less frequently

Session durations:

Mean duration = 46min

Simulation Results:


21/26

21

Simulation Results:Bandwidth Used for Group Size760

Qualcomms scheme Our improved scheme

Bandwidth (kb/s) Bandwidth (kb/s)


22/26

22

Peak bandwidth vs. Groupsize

...


23/26

23

Conclusions: An improved security framework was presented that

involves: The use of chained one-way functions for generating SKs

The BM-SC pushing new BAKs to the users based on a key-tree

These improvements: Reduce amount of bandwidth needed for updating keys Avoid potential BAK implosion problems associated with

rekeying 3G multicasts

Scales well as group size increases

The proposed mechanisms can be mapped to othernetwork scenarios.


24/26

24

Future work:

We plan to formulate the relationshipbetween the group join/leave behaviorand the amount of communicationoverhead associated with rekeying?

Our simulations only captured thebottleneck effect in 3G Core Networks

We plan to study different multicaststrategies at the Radio Access Network andhow key management affects RAN networkperformance.


25/26

25

Questions?


26/26

Thank you!

mbm s security 2004

Documents