PKM (Privacy Key Management) Protocol in WiMAX Technology

WiMAX CPE (Customer Premise Equipment) make use of the Privacy Key Management (PKM) Protocol to gain authorization and traffic keying material from the WiMAX Base Station (BS), and to maintain periodic reauthorization and key refresh. The Privacy Key Management (PKM) protocol uses X.509 digital certificates, and two-key triple Data Encryption Standard (DES) to secure key exchanges between a given WiMAX CPE (Customer Premise Equipment) and WiMAX Base Station (BS), following the client-server model. Here, the WiMAX CPE (Customer Premise Equipment) as the client requests keying material while the WiMAX Base Station (BS) as the server act in response to those requests, ensuring individual WiMAX CPE (Customer Premise Equipment) clients receive only the keying material for which they are authorized. The Privacy Key Management (PKM) Protocol first creates an Authorization Key (AK), which is a secret symmetric key shared between the WiMAX CPE (Customer Premise Equipment) and BS. The AK is then used to protect subsequent Privacy Key Management (PKM) Protocol exchanges of Traffic Encryption Keys (TEK). The use of the AK and a symmetric key cryptosystem reduces the overhead due to the computationally expensive public key functions. (Sen Xu, Chin-Tser Huang)

WiMAX Base Station (BS) authenticates a WiMAX CPE (Customer Premise Equipment) during the primary authorization exchange. The WiMAX CPE (Customer Premise Equipment) device certificate would enclose the RSA public key and other device specific information, such as its MAC address, serial number, and manufacturer ID. Within the authorization exchange, the WiMAX CPE (Customer Premise Equipment) would then send a copy of this device certificate to the WiMAX Base Station (BS). The WiMAX Base Station (BS) must then authenticate the syntax and information in the WiMAX CPE (Customer Premise Equipment) certificate, and possibly carry out certificate path validation checks. If properly verified, the WiMAX Base Station (BS) as part of its replies to the WiMAX CPE (Customer Premise Equipment) would encrypt the Authorization Key (AK) using the public key of the WiMAX CPE (Customer Premise Equipment) that could be found within the received certificate from the Subscriber station. Since only the WiMAX CPE (Customer Premise Equipment) device contains the matching private key, only the WiMAX CPE (Customer Premise Equipment) device can de-crypt the message and obtain the AK assigned to it. (Sen Xu, Chin-Tser Huang)

It is important to note that the WiMAX CPE (Customer Premise Equipment) device certificate is open to the public or attacker to read; only the WiMAX CPE (Customer Premise Equipment) device has access to the similar private key of the public key in the certificate. As such, to protect a device and its certificate from being duplicated, it is important that the private key be embedded within the device hardware. That is, the cost of an attacker removing the private key from the device must be far higher than the possible value gained from the attacker using the cracked device. (Sen Xu, Chin-Tser Huang)

Leave a Reply

Your email address will not be published. Required fields are marked *