WiMAX, AT&T Style

by Pirho

I recently was invited to a technology fair which was being hosted by AT&T.

The conference was about the exciting new things AT&T has planned for its customers.  You may have heard that AT&T is now introducing, in a beta environment, a new type of broadband communication called WiMAX.

WiMAX is AT&T's answer to the point-to-point connectivity problem that exists in most companies, commonly called the last mile.  That is the connection, owned and maintained by your local telco, that links your two locations together.  Most ISPs only lease those circuits from the telcos.  (For those of us in the New York region that telco would be Verizon.)

AT&T's WiMAX is identified by IEEE 802.16d and IEEE 802.16e.  It is rumored to be using the licensed frequencies of 700 MHz and 66 GHz to carry your traffic through the air.

AT&T will give you equipment that you will install in your NOC.  This will be known as a Base Station (BS).  A Subscriber Station (SS) will be operated by AT&T.

The BS will take your data and encrypt it using DES (the AT&T security tech told me DES but they actually meant all types of DES encryption).  Then it will transmit the data on a set frequency, rotating the encryption key about every 200 packets.  The signal is then either relayed by an SS or sent to another BS, where it is decrypted and used by the other NOC.

How Does the System Work?

First, the SS authenticates to the BS using a one-way authentication (this is only temporary - they are planning on using a two-way when they finish the beta test).

Both the authentication and the traffic are encrypted, and the encryption keys have a limited life span (they mentioned 200 packets), so the traffic is constantly being re-encrypted under fresh keys.

The handshake from the SS to the BS uses the standard X.509 certificates and DES.  (Now the DES encryption is already known to be broken and this is only being used on the IEEE 802.16d.  When they move to the IEEE 802.16e they will be using AES encryption instead.)

Each SS has a built-in manufacturer-issued certificate that is comprised of the SS's public key and the SS's MAC address.  This combination allows a secure connection and will prevent a non-subscriber SS (or anyone sniffing for traffic) from pretending to be a valid SS by using MAC spoofing.

After the SS makes its connection to the BS, it will begin the authentication process.

First, an authentication info message is sent to the designated BS, containing the manufacturer's certificate of the SS that sent it.  This is followed by an auth request which contains the SS's certificate, the DES or AES algorithms that the SS supports, and the Connection Identifier (CID).  Next, the SS starts up an Authorization State Machine (ASM) to track the authorization request, the responses, the keys, and any timeouts.

The BS will verify that the requester's MAC address matches the one in the certificate.  (Remember, all of this is still encrypted.)  Once the request is checked out and verified to be legit, the BS sends the SS an Authorization Key (AK) encrypted with the SS's public key, together with a four-bit key sequence number, a key lifetime telling the SS how long the AK should live, and the identifier of every Security Association (SAID) that the SS is authorized to receive.

Encrypting the AK with the SS's public key ensures that only the authorized SS will be able to distinguish one authorization response from the next.

The key lifetime is used by the ASM to determine when the SS must renew its key to prevent traffic interruption.  The SAIDs identify the various traffic flows the SS can access; for each one the SS may obtain keying material for transmitting and receiving on that flow.

Once the SS receives the AK, the ASM that was started when the auth request was made enters the authorized state.  A grace period is defined during which the SS sends a reauthorize request to receive a new AK before the old one expires.  The AK is used to create an encryption key; since the SS and the BS both hold the AK, each side can derive the same key-encryption key.
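The authorization flow just described, as an added stdlib-only Python sketch (not from the article and not AT&T's or any vendor's code): the BS checks the MAC-to-certificate binding, issues an AK encrypted to the SS's public key with a four-bit sequence number, a lifetime and SAIDs, and the SS's ASM reauthorizes inside a grace period and derives a key-encryption key shared with the BS.  The RSA key pair (Mersenne primes, unpadded textbook RSA), the MAC address, the SAID values, the 40-packet grace period and the HMAC-based key derivation are all constructed assumptions standing in for the real equipment's details.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key pair for the SS (Mersenne primes, unpadded; illustration only).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

# Manufacturer-issued certificate: binds the SS's public key to its MAC (values constructed).
SS_CERT = {"mac": "00:11:22:33:44:55", "n": N, "e": E}
LIFETIME, GRACE = 200, 40   # AK lifetime in packets (article's figure); renewal margin assumed

def bs_authorize(cert, claimed_mac, seq):
    """BS side: reject a MAC/certificate mismatch, else issue an AK encrypted to the cert's key."""
    if claimed_mac != cert["mac"]:
        return None                      # MAC spoofing fails the binding check
    ak = secrets.randbits(128)
    reply = {"enc_ak": pow(ak, cert["e"], cert["n"]),   # only the SS's private key recovers it
             "seq": seq & 0xF,                          # four-bit sequence number wraps at 16
             "lifetime": LIFETIME, "saids": (0x101, 0x102)}
    return reply, ak

def ss_recover_ak(reply, d, n):
    """SS side: decrypt the AK with its private key."""
    return pow(reply["enc_ak"], d, n)

def derive_kek(ak):
    """Both sides derive the key-encryption key from the shared AK (HMAC stands in for the KDF)."""
    return hmac.new(ak.to_bytes(16, "big"), b"KEK", hashlib.sha1).digest()

def run_asm(packets):
    """SS authorization state machine: count down the AK lifetime and reauthorize in the grace period.
    Returns the (packet index, AK sequence number) of each reauthorization and whether the
    SS and BS ended up with the same key-encryption key."""
    seq, log = 0, []
    reply, ak_bs = bs_authorize(SS_CERT, SS_CERT["mac"], seq)
    ak, remaining = ss_recover_ak(reply, D, N), reply["lifetime"]
    for pkt in range(packets):
        remaining -= 1
        if remaining == GRACE:           # renew before the old AK expires
            seq = (seq + 1) & 0xF
            reply, ak_bs = bs_authorize(SS_CERT, SS_CERT["mac"], seq)
            ak, remaining = ss_recover_ak(reply, D, N), reply["lifetime"]
            log.append((pkt, reply["seq"]))
    return log, derive_kek(ak) == derive_kek(ak_bs)
```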

Long and Short

Although IEEE 802.16d provides strong security, IEEE 802.16e will add enhancements to strengthen data privacy and protection.  IEEE 802.16e is still under development.  As new technology becomes available, AT&T may incorporate it into the WiMAX equipment itself.

IEEE 802.16e renames the security sub-layer to the privacy sub-layer, even though the privacy sub-layer still includes and enhances the authentication process found in IEEE 802.16d.

IEEE 802.16d uses RSA-based authentication.  The SS always authenticates to the BS, but never the other way around.

Why not use a two-way authentication?

Although other methods can be used to address the concerns of one-way authentication, AT&T feels it is better to have mutual authentication available within the WiMAX standard itself.  IEEE 802.16e will add the option of EAP to the mix, which includes the ability to perform mutual authentication between the SS and the BS, with vendor-selectable EAP methods (EAP-TLS or EAP-SIM).

IEEE 802.16d uses triple DES to encrypt the keys that protect its DES traffic.  IEEE 802.16e will maintain backwards compatibility but will also offer AES for the encryption of the keys and the Traffic Encryption Keys (TEKs).  Switching from the older DES encryption to AES will give AT&T the ability to enhance the privacy of the data carried over the WiMAX system.

What about spread spectrum?  AT&T feels that using spread spectrum will not increase the security of the transmission.

So now that you know how the guts work, what good is it going to do you?  Well, think of it this way.  You will no longer be at the mercy of the telco outages.  The drawbacks are that you will be at the mercy of AT&T.

AT&T announced recently that it plans to launch its second WiMAX trial to further test the performance of the fixed wireless technology with business customers.  AT&T plans to test in Atlanta with more customers and with more wireless technology than in its first trial back in May.  Currently AT&T is testing WiMAX using one tower that supports two unidentified customers in Middletown, New Jersey.  The Vice President of Access Product Management stated that the new trial will include "substantially more customers over several towers."

The carrier uses "early stage WiMAX equipment" in its New Jersey trial and "more standards-based WiMAX equipment" in the Atlanta trial.  AT&T is working with multiple WiMAX vendors; AT&T has chosen Intel as its chip provider for the next round of tests.

The transmission speeds will range from 2M to 6M bit/sec to each site within a two mile cell radius.  If there is line of sight between the tower and customer location, speeds can exceed 6M bit/sec.
