WiMax Security Authentication Aspects
Having received the second message, the base station checks whether the terminal is entitled to use the network, using the X.509 certificate presented in the Authorization Request message. If the terminal is authorized, the base station selects the algorithms it will use to encrypt traffic with the terminal, generates an AK (Authorization Key) for it and sends this data to the terminal in the Authorization Reply message. After receiving this message the terminal is authorized. Authorization is not permanent, however, and has to be renewed from time to time. Reauthorization proceeds like the initial authorization, except that the terminal does not send the Authentication Information message.

Completing these steps does not yet entitle the terminal to use the network. Once the terminal is in the authorized state, that is, it holds a valid AK, it must ask the base station to generate a TEK (Traffic Encryption Key) for it, which it does by sending a Key Request. On receiving it, the base station first checks whether the terminal is authorized; if so, it generates a TEK, encrypts it with a KEK (Key Encryption Key) derived from the AK and returns it in a Key Reply message. Only after receiving this message and recovering the TEK may the terminal use network resources. Like the AK, the TEK must also be renewed, but unlike the AK it is renewed many times within one authorization cycle.

Stage by stage, the exchange looks like this:

STAGE 1: The terminal requests authorization in the network, that is, the assignment of an AK. It sends two messages to the base station, the first of which (Authentication Information) is purely informative.

STAGE 2: Having received the messages from the terminal, the base station authenticates it on the basis of the X.509 certificate carried in the Authorization Request message. After authentication the station generates the AK, encrypts it with the terminal's public key and returns it to the terminal in the Authorization Reply message.

STAGE 3: The authorized terminal must then ask the base station for the TEK it needs to encrypt data. It sends the Key Request message and waits for the answer.

STAGE 4: Having received the Key Request message, the base station checks whether the terminal is authorized. If it is, the station generates a TEK for it, encrypts it with the KEK and returns it to the terminal in a Key Reply message.

STAGE 5: The terminal renews the TEK periodically: it sends a Key Request message to the base station, which answers with a Key Reply carrying the current TEK that the two sides will use to encrypt data.

STAGE 6: The AK has a limited lifetime, so the terminal must renew it; this is called reauthorization. The whole process returns to stage one, except that the Authentication Information message is no longer sent.

The mechanism has been presented here in a simplified form, which only underlines how involved the whole procedure is. I should also mention how the system encrypts data. As already noted, the TEK is the data encryption key; the encryption algorithm in the basic version of the system is DES in CBC mode. AES in CCM mode may also be used, but devices are not required to implement it. Only the payload of a MAC PDU (Protocol Data Unit) is encrypted; the headers are sent in the clear. All in all, the first thing to note is that the whole mechanism is extremely complicated. It is also interesting that the X.509 digital certificate is what supposedly protects users against impersonation of their terminals.
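As an added example, not code from the original article or from any WiMAX implementation, the following Python script simulates the PKM exchange described above with the base station and the terminal in one process: the informative Authentication Information message, the certificate check on the Authorization Request, the AK returned encrypted to the terminal's public key, a Key Request that is rejected while the terminal is unauthorized, TEK delivery wrapped under a KEK derived from the AK, several TEK refreshes within one AK lifetime, and reauthorization without a second Authentication Information message. The certificate, CA name, MAC address and AK lifetime are constructed; the RSA and 3DES wrapping are replaced by a clearly labelled XOR stand-in so the script needs only the standard library; and the KEK derivation follows the SHA-1 construction as I recall it from 802.16-2004 subclause 7.5.4, which you should verify against the text of the standard.

```python
"""Simplified PKM v1 (IEEE 802.16-2004) authorization and TEK exchange, BS and SS in one script."""
import hashlib
import secrets

# KEK derivation as I recall it from 802.16-2004 (7.5.4): KEK = Truncate-128(SHA-1(K_PAD_KEK | AK)),
# K_PAD_KEK = 0x53 repeated 64 times.  Verify against your copy of the standard.
K_PAD_KEK = b"\x53" * 64
AK_LIFETIME = 3   # constructed: number of TEK refreshes one AK covers (real lifetimes are hours to days)
TRUSTED_ISSUERS = {"Constructed Manufacturer CA"}   # constructed name of the CA the BS trusts
TERMINAL_MAC = "00:11:22:33:44:55"                 # constructed terminal address


def derive_kek(ak: bytes) -> bytes:
    """Key Encryption Key used to wrap TEKs, derived from the AK."""
    return hashlib.sha1(K_PAD_KEK + ak).digest()[:16]


def wrap(key: bytes, blob: bytes) -> bytes:
    """Stand-in for the real wrapping (RSA to the SS public key for the AK, 3DES-EDE under the
    KEK for the TEK).  XOR with a SHA-256 keystream is reversible but NOT secure; it only keeps
    the script standard-library-only.  Use real primitives in anything that is not a simulation."""
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ s for b, s in zip(blob, stream))


unwrap = wrap   # XOR is its own inverse


class BaseStation:
    def __init__(self):
        self.sessions = {}   # SS MAC -> {"ak", "tek", "refreshes"}

    def handle(self, msg):
        kind = msg["type"]
        if kind == "Authentication Information":
            return None    # purely informative; the BS may ignore it
        if kind == "Authorization Request":
            cert = msg["cert"]   # the SS's X.509 certificate, modelled as a dict
            if cert["issuer"] not in TRUSTED_ISSUERS or cert["mac"] != msg["mac"]:
                return {"type": "Authorization Reject"}
            ak = secrets.token_bytes(20)   # 160-bit AK
            self.sessions[msg["mac"]] = {"ak": ak, "tek": None, "refreshes": 0}
            return {"type": "Authorization Reply",
                    "enc_ak": wrap(cert["pub"], ak),   # AK encrypted to the SS public key
                    "cipher": "DES-CBC",               # data cipher chosen by the BS
                    "ak_lifetime": AK_LIFETIME}
        if kind == "Key Request":
            s = self.sessions.get(msg["mac"])
            if s is None or s["refreshes"] >= AK_LIFETIME:
                return {"type": "Key Reject"}   # unauthorized SS, or AK lifetime exhausted
            s["tek"] = secrets.token_bytes(8)   # 64-bit DES TEK
            s["refreshes"] += 1
            return {"type": "Key Reply", "enc_tek": wrap(derive_kek(s["ak"]), s["tek"])}
        raise ValueError(f"unknown PKM message {kind}")


class Terminal:
    def __init__(self, mac, cert):
        self.mac, self.cert = mac, cert
        self.ak = self.tek = None
        self.refreshes_left = 0
        self.log = []   # message types in the order they crossed the air interface

    def send(self, bs, msg):
        msg["mac"] = self.mac
        self.log.append(msg["type"])
        reply = bs.handle(msg)
        if reply is not None:
            self.log.append(reply["type"])
        return reply

    def authorize(self, bs, initial=True):
        if initial:   # reauthorization skips Authentication Information
            self.send(bs, {"type": "Authentication Information", "cert": self.cert})
        reply = self.send(bs, {"type": "Authorization Request", "cert": self.cert})
        if reply["type"] != "Authorization Reply":
            return False
        self.ak = unwrap(self.cert["pub"], reply["enc_ak"])   # SS decrypts with its private key
        self.refreshes_left = reply["ak_lifetime"]
        return True

    def request_tek(self, bs):
        reply = self.send(bs, {"type": "Key Request"})
        if reply["type"] != "Key Reply":
            return False
        self.tek = unwrap(derive_kek(self.ak), reply["enc_tek"])
        self.refreshes_left -= 1
        return True


def run_session(trusted_cert=True):
    """Drive one SS through the lifecycle; returns (message log, whether BS and SS hold the same TEK)."""
    cert = {"issuer": "Constructed Manufacturer CA" if trusted_cert else "Unknown CA",
            "mac": TERMINAL_MAC, "pub": b"constructed SS public key"}
    bs, ss = BaseStation(), Terminal(TERMINAL_MAC, cert)
    ss.request_tek(bs)                       # before authorization: must be rejected
    if not ss.authorize(bs):
        return ss.log, False
    for _ in range(AK_LIFETIME + 1):         # one more refresh than a single AK allows
        if ss.refreshes_left == 0:
            ss.authorize(bs, initial=False)  # reauthorize before the AK runs out
        ss.request_tek(bs)
    return ss.log, ss.tek == bs.sessions[TERMINAL_MAC]["tek"]


if __name__ == "__main__":
    for line in run_session()[0]:
        print(line)
```

Running the script prints the message sequence of stages 1 to 6, including the single Authentication Information at the start and its absence at reauthorization; the base station refuses a Key Request from an unauthorized terminal or after the AK lifetime is used up, which is the check the text describes at stage 4.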
Frequent key refreshing seems to be an interesting mechanism for discouraging potential attackers. Time will tell whether all of these measures really guarantee security in the network. I recommend the 802.16-2004 standard to anyone who wishes to deepen their knowledge of the subject.

See also: WiMAX Security