Authentication Algorithm Which Facilitates Mutual Authentication Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

The objective of this study was to develop an authentication algorithm, which facilitates mutual authentication on the access network between base stations and the subscriber stations within the 802.16d framework.

The study reviewed literature on the wireless authentication algorithms, security theories and also observed the implemented networks, which revealed authentication problems in the fixed WiMAX framework. The one way authentication of the subscriber stations by the base station as a weakness was centered on in this study. The proposed 802.16d algorithm re-design incorporates pre-entered equipment identity and key identity, against which all devices mutually authenticate and traffic sessions encrypted.

Network emulations were used in testing and implementing the re-designed framework.

The study is based on existing security authentication modalities used in the fixed WiMAX Infrastructures and the results of the study are used in developing the new framework that facilitates mutual authentication.

Activities conducted during this project include;

Studying aspects of the existing system, identifying inefficiencies related to access security management - device identity and authentication.

Redesigning the 802.16d framework.

Validating the new framework.

This project presents an effort to develop a mutual authentication algorithm over the fixed WiMAX framework, which will alleviate the shortcomings of the current 802.16d security implementations in place.

List of Acronyms

CPE Client premises equipment

SS Subscriber Station

BS Base Station

BST Base Station

802.16d IEEE framework for WiMAX standards, release D

802.16e IEEE framework for WiMAX standards, release E

WiMAX Worldwide Interoperability for Microwave Access

GSM Global System for Mobile Communications, also Groupe Spécial Mobile

LAN Local Area Network

WAN Wide Area Network

WLAN Wireless Local Area Network

RF Radio Frequency

EAP Extensible authentication protocol

EAP-TLS EAP Transport Layer Security

EAP-PSK EAP Pre-shared key

EAP-TTLS EAP Tunneled Transport Layer Security

EAP-IKEv2 EAP Internet key exchange version two

EAP-FAST EAP Flexible Authentication via Secure Tunneling

EAP-SIM EAP Subscriber identity module

QoS Quality of Service

SLA Service Level Agreement

RADIUS Remote Authentication Dial In User Service

AAA Authentication, Authorization and Accounting Server

ASN Access Service Network

CSN Connectivity Service Network

GW Gateway

EIR Equipment Identity Register



List of Figures

Chapter 1


1.0 Background

Information assurance (IA) is about protecting information assets from destruction, degradation, manipulation and exploitation by an opponent. The difficulty with achieving this is that one day a party may be collaborating on a project and therefore needs access to confidential information, and the next day that party may be an opponent [3].

In 1996, the US Department of Defense defined IA as; Activities undertaken to protect and defend information systems and their contents by guaranteeing their availability, integrity, authentication, confidentiality and non repudiation. This also provides for restoration of information systems through incorporating protection, detection and reaction capabilities. Information security can also be defined as; protecting information from unauthorized disclosure, transfer, modification or destruction, whether accidental or intentional. International Standards organization in BS7799/ISO17799 defines information security as: "The preservation of confidentiality, integrity and availability of information." [3].

An infrastructure system is defined as a network of independent, mostly privately owned, automated systems and processes that function collaboratively and synergistically to produce and distribute a continuous flow of essential goods and services [6]. Securing ICT infrastructures and systems calls for a holistic approach, including humans and their operational environment among others. Technology alone can never protect sensitive global information, therefore security threats can never be countered with only a keyboard. [2]. It is therefore important to note from the above, that humans are continuously critical in securing the hardware and software systems.

Security architecture as a design artifact, describes how the security controls and countermeasures are positioned, and how they relate to the overall information technology architecture. These controls are used to maintain the system's quality attributes namely; confidentiality, integrity, availability, accountability and assurance. As a plan it shows where security measures need to be placed, describing specific solutions. The plan is based on a threat analysis when it describes a generic high level design also called the reference architecture [11].

The enormous growth and transitions in the industry have seen the introduction of many new technologies to continue delivering robust and better services. The high cost for these implementations, has forced service providers to find ways of bundling and delivering these services on more integrated infrastructure - in order to keep it cost effective [1]. In their quest for Industry dominance, many service providers have built converged wireless infrastructures with the primary focus on accelerated wide coverage and improved capacities; there has been little or sometimes no attention to the now critical network security [1, 4].

As a term, "convergence" has been coined by both the telecoms and data communication industries. From a telecoms perspective, it is the expansion of the public switched telephone network (PSTN) to offer many services on the one network infrastructure [1]. For Internet advocates, it is the death of the PSTN as its role is largely replaced by technologies such as voice over IP (VOIP). In reality, the truth lies somewhere in the middle, and it is here that the cellular industry takes the best of both worlds to create an evolved network, where the goal is the delivery of effective services and applications to the end user, rather than focusing on a particular technology to drive them. Besides, the economies of scale and widespread acceptance of IP as a means of service delivery sees it playing a central role in this process" [1],[4].

Security is a very critical aspect in telecommunications, especially when wireless systems are used, because it is generally perceived that they are easier and more prone to attacks than wire-line networks. [4], [16].

As late as 1993 In the United states of America, unauthorized manipulation and or breaching of the Telecommunication and cellular infrastructures was considered a misdemeanor, a small non-chargeable offence [2]. However with the growth and popularity of the mobile phone, market success has been informally paged on how secure the system is. User concerns in the assurance of wireless network services have been directly influenced by the continued security awareness [5].

The growth in cellular networks has inspired the developments in wireless data infrastructures. Many of the features, especially weaknesses are as such shared across the technologies [4]. These vulnerabilities and resulting risks have continued to influence user's confidence in the infrastructures. The converged services in Data, Video, VoIP and eTV, have a strong security requirement for their assured usage across the networks. Without which, it is going to be very difficult to popularly develop and use [1, 4]. The GSM forum has been able to centrally coordinate and enshrine security concerns for the cellular industry using the A5/1 and A5/2 series encryption among others. The wireless Data Technologies have yet to formulate such an umbrella framework that would foster infrastructure security among the different vendors [4, 17].

In information and communication technology, a network is defined as a series of points or nodes (computers, routers, switches, access points, printers etc) interconnected by communication paths. Networks can interconnect with other networks and contain sub networks. In this study text, this is used in reference to fixed or cable networks as well as wireless networks [5]. Some of the common fixed network configurations include the bus or linear, star, token ring, and mesh topologies. Networks can also be characterized in terms of spatial distance as local area networks (LANs), metropolitan area networks (MAN), and wide area networks (WANs). A given network can be further characterized by the type of data transmission technology or protocol it uses - transport control protocol (TCP/IP) or Systems Network Architecture (SNA), sequential packet exchange /internet exchange (SPX/IPX) etc; whether it carries voice, data, video or all of these kinds of signals; by who can use the network (public or private); by the nature of its connectivity - switched or non-switched, or virtual connections); and by the types of physical links - optical fiber, coaxial, unshielded twisted pair or wireless based media [10].

Wireless networks use radio frequency beacons transmitted over the air from an access point or a base station to the client end devices or subscriber stations. The connectivity media is over the air, as long as it is within the coverage and frequency of the transmitted signal [10].

1.1 Industry Background

The Telecom Industry in Uganda is comprised of product portfolios like Internet, e-mail, other converging and data networking related services, from single-user residential and corporate leased lines to wireless broadband Internet connectivity. It includes client VPN (virtual private network) implementation to office networking, campus LAN / WAN design and installation including various network maintenance schemes.

The Industry rolled out the first commercial wireless network in 2000, which was based on the 2.4 GHz unlicensed free public frequency in the ISM band. In 2005, 3.5 GHz based WiMAX and Canopy network technologies were rolled out, running in parallel to the earlier 2.4 GHz platforms. Around the same time, EVO, 3G and CDMA2000 were introduced in the market. While this has enabled the Industry to deliver business solutions in core data, voice over IP and video services, cost effectively, converging these services on the same wireless infrastructures has introduced varying security risks [4].

WiMAX (Worldwide Interoperability for Microwave Access) was designed to deliver next-generation, high-speed voice and data services and wireless last-mile connections that could potentially serve future growth [15].

Figure.1 Fixed WiMAX network architecture.

C:\Users\Nkangi1\Pictures\802.16d Architecture1.jpg

Typically WiMAX can be deployed in two variants as illustrated above; as a point to multipoint access provision as well as a point to point backhaul provision. In this study, focus is placed on the point to multipoint configuration that involves base stations and subscriber stations.

1.2 Problem Statement

Mutual authentication between the base station (BST) and client premises equipment (CPE) is not possible under the 802.16d framework [4], [15]. There are no means of pre-determining genuine base stations by the subscriber stations [19]. This creates security vulnerability over the access network air interface, where rogue BST can be connected to by the genuine CPE's [15].

The research project is investigating avenues of attaining mutual authentication across the fixed WiMAX network air interface.

1.3 Objectives

1.3.1 Main Objectives

To secure the air interface in fixed wireless networks through mutual authentication between client devices and base stations, and session encryption at the access network level.

1.3.2 Specific Objectives

To investigate the current state of the art in use.

To identify weaknesses within the 802.16d algorithm.

To re-design the algorithm to address the identified weaknesses in the 802.16d.

To validate the re-designed algorithm through emulation.

1.3.3 Research Questions

How are devices authenticated on the current WiMAX infrastructure?

What variables are involved during the device authentication process on the network?

How is the traffic session(s) secured over the network air interface?

1.3.4 Scope of the Study

The study focuses on mutual authentication for both subscriber stations and the base stations within the (IEEE 802.16d) framework.

1.5 Justification of the Study

The study will enable modifying the 802.16d fixed wireless algorithm, to enhance air interface security through mutual authentication of base stations and subscriber stations.

There is also a large installed base of 802.16d infrastructures within the telecom industry worldwide.

This is expected to yield the following secondary benefits to the industry;

Mutual authentication will enhance over the air interface security within the fixed wireless networks.

Inculcate better client confidence in the service provider's network security.

A secure network will result into more robust performance for the converged services.

Threats and prospects of legal actions to the industry will be substantially mitigated.

1.6 Proposed Knowledge Contribution of the Study

Mutual authentication as another means of securing the air interface in fixed wireless networks will be explored.

Chapter 2


2.0 Introduction

Assurance is a single concept that embodies a trinity of Information and Communication Technology (ICT) security requirements: confidentiality, integrity and availability. Confidentiality represents protection from disclosure to unauthorized parties or the disclosure to nominally authorized parties at the wrong time. Integrity means that data are free from corruption, changes, or deletions both intentional and accidental. Availability refers to data or systems being up and running as required /anticipated, and also the property of delivering information at necessary speeds and in the correct sequence. Together, these properties represent the sensitivity requirements of a given system, application, process, or data set. Assurance is the degree of confidence an entity has, that the properties of confidentiality; integrity and availability are being supported [4].

Without assurance over the air interface, convergence of telecommunications onto a single IP carrier is a technical possibility but a business fantasy [1]. Convergence will not be achieved without a comprehensive ability to apply and maintain assurance in the components, applications and data resident and connected to the converged network [4], [1].

This study focuses on confidentiality and privacy elements by way of ensuring mutual authentication and session encryption between 802.16d WiMAX infrastructure entities. According to the oxford English dictionary [20], authentic refers to something that is not fake one that is of undisputed origin.

In the medieval days, emperors and kings sent messages which were authenticated by the imperial seal. Once authenticated, the message bearer didn't matter, rather the contents [21]. Today's digital world necessitates authenticity of the source and content as a critical security requirement for the instant transmissions to destinations [19].

2.1 Fixed WiMAX Networks

WiMAX like all wireless networks uses radio frequency beacons to transmit and receive traffic over the air. The broadcast nature of the signal means that it can reach and be received by any node within that frequency and range [10, 15]. Unlike fixed or cable networks that require physical connectivity to access the resources, wireless networks by nature of their signal propagation, can be accessed by anyone within range regardless of authenticity [11].

It is therefore imperative that a comprehensive security mechanism is used to authenticate network devices and or users [2], [15], [19].

Figure 2 Fixed WiMAX 802.16d Conceptual framework [16].


Authenticator Agent




Authenticator Relay





Access Service Network

Connectivity Service Network

IP Cloud

Air Interface



From the above illustration, the 802.16d framework is configured into two major networks; the connectivity service network (CSN) and the access service network (ASN).

The CSN is concerned with core infrastructure connectivity of the network backbone. It includes backend functions such as routing, switching, and billing and authentication. The CSN also controls the ASN part of the network, managing the constituent base stations and the resident subscriber devices. The ASN includes base stations (BST), gateways, routers and switches among others. Core function here is to provide connectivity to subscriber stations (SS) also called client premises equipment (CPE). The ASN and CSN are interconnected via the IP cloud [15] [16].

2.1.1 Fixed WiMAX - 802.16d Architecture: (Features and Application)

Can be configured for Wireless Metropolitan Area Network (WMAN)

Easily used for standard Broadband Wireless Access (BWA)

Last mile connectivity on the access network.

Range up to 50 km.

Provides high speed connectivity that supports multi streams of data, voice and video

Fast deployment and cost saving

Variably can be configured either:

As a point to point link or

Point to multi-point as a last mile solution, Ref. Figure 1.

Both Point to Point connections as well as point to multipoint configurations are used for access service provisioning.

2.1.2 Fixed WiMAX - 802.16d Security Architecture

Figure 3 Fixed WiMAX 802.16d Architecture: (Air Interface)

C:\Users\Nkangi1\Pictures\Air Interface.jpg

2.1.2a The 802.16d Authentication Process

Security Association (SA) is composed of an encryption algorithm, Security Information (keys, certificates and versions, etc) Identified by SA I.D

The security process involves three aspects;

1 Authentication

2 Data Key Exchange

3 Data Privacy

2.1.2b Analyzing the 802.16d Authentication Process

The subscriber station is authenticated using its X.509 certificate.

There is No Base station authentication to the subscriber stations.

There are Negotiated security capabilities between BST and CPE, which establishes the security association identity (SAID).

The authentication Key (AK) is exchanged

The AK serves as an authorization token for further infrastructure access

The AK is encrypted using public key cryptography

Authentication is completed when both CPE and BST possess AK

2.1.2c Weaknesses of the 802.16d Authentication Process

There is No mutual authentication between the BST and the CPE - possibility of Rogue BST (Man-in-the-middle attack).

Client premises equipment X-509 certification offers a limited authentication method in the process.

A new authentication method requires adding a new type of authentication message

Figure 4 Fixed WiMAX 802.16d Conceptual Security Architecture

C:\Users\Nkangi1\Pictures\Fixed WiMAX 802.16d Security Architecture.jpg

2.1.3 Other 802.16d Authentication Methods and Algorithms

2.1.3a PPP Authentication Protocol

The Point-to-Point Protocol (PPP) is defined with two authentication systems; password authentication protocol (PAP) and the challenge handshake authentication protocol (CHAP) [4], [1]. According to Macaulay, PPP as a suite involves a number of other protocols. The PPP Encapsulation Method is used for the packet structure; the Link Control Protocol (LCP) and the Internet Protocol Control Protocol (IPCP) that negotiates session parameters. The Challenge-Handshake Authentication Protocol (CHAP), the Password Authentication Protocol (PAP) and the Extensible Authentication Protocol (EAP) are used for authentication [4].

Password Authentication:

Under PAP, the customer premises equipment (CPE) sends an authentication request that includes a username and password. The server validates them and either sends back an authentication "ACK" to proceed or "NAK" if authentication failed [4].

Challenge Handshake:

CHAP authentication is initiated by the authenticator agent that sends a challenge text to the client. The client then encrypts this text with an algorithm based on the password. The result of the encryption is sent to the server as a response. The server also encrypts the challenge text with the password it is holding for the client. The result of this encryption is compared to the response sent by the client, before a success message is sent. Else a failure message is sent [4].


A major weakness of the PAP approach is that both the user name and password are sent unencrypted to the server. This bears a risk of intercepting and reading the message easily [4], [1]. The CHAP system does not transmit the user password, according to Bannister

2.1.3b Extensible Authentication Protocol (EAP)

Cole concurs that extensible authentication protocol (EAP) defined in RFC 3748, is an authentication framework used in wireless networks and point to point connections [2]. It provides for transport and safe usage of keying data and parameters that are generated by the EAP methods. EAP is not a protocol, rather defines ways of encapsulating messages within the EAP protocols.

EAP as a standard is used to conform and secure network access between a singular connection and the rest of the network. An EAP infrastructure has multiple parts and runs based on pre-defined security settings [2], [4].

EAP was developed by the Internet Engineering Task Force (IETF). Its purpose is to validate and determine users or programs that are trying to access the network that is utilizing it. This is done by a series of requests and responses between the two entities for authentication. The EAP infrastructure includes a single node or device trying to access the network, known as an EAP peer; a BST that requires EAP authentication to allow the client node to access the network, called an EAP authenticator; and an authentication server that negotiates based on the EAP settings and grants or denies network access [2].

Macaulay, argues that there are various protocol types under the EAP spectrum that facilitate different settings and methods. Based on particular settings customized for the needs of the network, the EAP will determine if the node trying to access the network is able to do so. The network is secured trough the exchange of these parameters.[4].

Each of these EAP variations addresses a particular concern within the 802.16x framework.

The table below summarizes the EAP protocol methods and their roles;



Details /Features



EAP Transport Layer Security



EAP Pre-shared key



EAP Tunneled Transport Layer Security



EAP Internet key exchange



EAP Flexible Authentication via Secure Tunneling



EAP Subscriber identity module

Some of the advantages EAP has; are related to flexibility and extensibility which adopts it to various Infrastructure designs.

However, EAP has also been identified with weaknesses; the use of "lock step" flow control directly impacts on the performance of the protocol framework, especially when the infrastructure keeps expanding. This becomes a bottleneck to increasingly voluminous traffic flow [4].

2.1.3c Mac Address based Authentication

Media Access control Address is a unique identifier assigned to network interfaces to communicate on the physical network segment. Mac Addresses are used in the media access control protocol sub layer of the OSI reference model. Device manufacturers assign their allocated MAC addresses to NIC and are stored in the hardware ROM [18].

The standard format for printing MAC 48 addresses in a human friendly form is six groups of two Hexadecimal digits. These are separated by hyphens (-) or colons (:). E.g - 00-06-5A-01-0A-AD or 00:06:5A:01:0A: AD or in three groups of four Hexadecimal digits separated by dots 0006.5A01.0AAD, all in transmission order. An individual address block - IAB is a 24bit OUI managed by the IEEE registration authority. This is followed by 12 Bits provided by the IEEE, identifying the organization and another 12 Bits identifying the owner's devices [18].

Under this authentication method devices or nodes are authenticated against their Mac addresses, which are verified against the stored Mac addresses in the Infrastructure database [5]. This authentication approach provides strong security as devices provide unique Mac addresses for authenticity, according to Stallings.

However one of the weaknesses underlined here is that Mac addresses are transmitted in clear text, raising the risk of sniffing these addresses. Besides, the valid universally administered addresses can be over written and spoofed with the locally administered addresses. This looses the uniqueness element of Mac address based authentication [5], [2].

Figure 5 Illustration of a MAC address format [18].

MAC-48 Address.svg

2.2 Security by Design

Computer security technologies are based on logic. Security is extraneous to the function of a computer application, rather than ancillary to it, therefore security necessarily imposes restrictions on the application's behavior [12].

There are several approaches to security in computing, sometimes used in combination for validity:

Trust all the system to abide by a security policy but the system is not trustworthy.

Trust all the system to abide by a security policy and the system is validated as trustworthy.

Trust no system but enforce a security policy with mechanisms that are not trustworthy.

Trust no system but enforce a security policy with trustworthy mechanisms.

Many systems have unintentionally resulted in the first possibility. Since approach two is expensive and non-deterministic, its use is very limited. Approaches one and three, lead to failure. Because approach number four is often based on hardware mechanisms and avoids abstractions and a multiplicity of degrees of freedom, it is more practical. Combinations of approaches two and four are often used in a layered architecture with thin layers of two and thick layers of four [12].

There are various strategies and techniques used in designing security systems. There are few, if any, effective strategies to enhance security after design.

One technique enforces the "principle of least privilege" to a great extent, where an entity has only the privileges that are needed for its function. That way even if an attacker gains access to one part of the system, fine-grained security ensures that it is just as difficult for them to access the rest [8], [10].

Furthermore, by breaking the system up into smaller components, the complexity of individual components is reduced, opening up the possibility of using techniques such as automated theorem to prove the correctness of crucial subsystems. This enables a "closed form solution" to security that works well when only a single well-characterized property can be isolated as critical, and that property is also assessable to math. It is impractical for generalized correctness, which probably can never be defined or proven. Where formal correctness proofs are not possible, rigorous use of code review and unit testing, represent a best-effort approach to make modules secure [7].

The design should use "defense in depth", where more than one subsystem needs to be violated to compromise the integrity of the system and the information it holds. Defense in depth works well when the breaching of one security measure does not provide a platform to subvert another, argues Tudor [7]. Also, the cascading principle acknowledges that several low hurdles do not make a high hurdle. So cascading several weak mechanisms does not provide the safety of a single stronger mechanism [8].

Subsystems should default to secure settings, and wherever possible should be designed to "fail secure" rather than "fail insecure". Ideally, a secure system should require a deliberate, conscious, knowledgeable and free decision on the part of legitimate authorities in order to make it insecure [7].

The designers and operators of systems should assume that security breaches are inevitable. Full audit trails should be kept for system activity, so that when a security breach occurs, the mechanism and extent of the breach can be determined. Storing audit trails remotely, where they can only be appended to, may keep intruders from covering their tracks. Finally, full disclosure helps to ensure that when bugs are found the "window of vulnerability" is kept as short as possible [11].

Unfortunately, the bulk of installed fixed WiMAX infrastructure base has one way CPE authentication for the access network security [15] and also the air interface traffic is unencrypted. Therefore this security framework cannot be substantially applied here.

2.3 Security Architecture

Security provided by IT Systems refers to the system's ability to protect confidentiality and integrity of processed data, as well as being able to provide availability of the system and data, as discussed by Willet in Information Assurance architecture 2008.

IT Architecture is defined as a set of design artifacts, relevant for describing objects such that it can be produced to requirements as well as maintained over the period of its useful life. The design artifact describes the structure of components, their inter-relationships, and the principles and guidelines governing their design and evolution over time [11].

IT Security Architecture is therefore defined as; the design artifacts that describe how the security controls or countermeasures are positioned and how they relate to the overall IT Architecture. These controls serve the purpose to maintain the system's quality attributes, among them confidentiality, integrity and availability.

Security qualities are often considered as "non-functional" requirements when systems are designed. In other words they are not required for the system to meet its functional goals such as processing financial transactions, but are needed for a given level of assurance that the system will perform to meet the functional requirements that have been defined [12].

The architecture of 802.16d is well modularized. The physical layer, Mac layer, plus Data, security and convergence sub-layers are all individually integrated together for their functional roles. However, the security pane still bears a major weakness, where there is no mutual authentication between subscriber stations and the base stations and besides, the air interface transport is vulnerable to man in the middle attacks.

2.4 Information Security Managed Services

This involves outsourcing parts or all of the system security functions of the organization to a third party service provider, to manage it. Information security managed services (ISMS) is an example of applying the management system conceptual model to the discipline of Information Security. Unique attributes to this instance of a management system include:

Risk management applied to information and based upon metrics of confidentiality, integrity, and availability

Total quality management (TQM) applied to information security processes and based upon metrics of efficiency and effectiveness.

A monitoring and reporting model based upon abstraction layers that filter and aggregate operational details for management presentation.

A structured approach towards integrating people, process, and technology to furnish enterprise information security services.

An extensible framework from which to manage information security compliance.

An ISMS brings structure to the information security program. With clear direction and authorization, roles are understood. Defined functions or services allow derivation of tasks that can be delegated. Metrics can be collected and analyzed, producing feedback for "continuous process improvement" [11].

In many situations, creation of an information security management system inspires and spawns complementary management systems in other disciplines such as human resources, physical security, business continuity, and more. The framework and management system principles transcend disciplines, and tend to enhance multi-disciplinary interoperation [7].

Benefits of Managed Security Services:

Enables utilizing of the highly skilled labour from the service provider, for effective solutions.

Cost effective service provision, initially negotiated fixed cost, minus operational over heads.

Problems of Managed Security Services:

Uncertainty of confidentiality, especially when entrusting ICT assets with third parties.

It has been argued by many I.S security scholars that the strongest element in information security framework lies within the users. This is very problematic to manage and implement under the managed approach, with third party users.

Besides, managed services can only be useful within fixed WiMAX frameworks where the in-built security features of the 802.16d algorithm can be utilized to address the identified concerns. These would therefore have to exist in order to be activated by the managed service provider.

Other Related Mutual Authentication Security Works

2.4.1 Biometric Entity based Mutual Authentication in 3G GSM Networks

Authentication of both the subscriber units and base stations is a continuous concern in the telecommunication industry. Security threats are increasing in number and complicity, especially with the growing wireless coverage and number of users.

According to Bhattacharjee et…al, based on the TIA TR45.5 committee, the 3G infrastructure uses two switching techniques. Circuit switching is used in voice and low speed data transmissions while packet switching is utilized for high speed data - which also facilitates VoIP [19].

However, with packet switching, one way authentication is still the only mechanism employed to secure the infrastructure between subscriber stations and the base stations [19].

Bhattacharjee, proposed mutual authentication using sim-card, password and two biometric properties of the subscriber station. One of the biometric parameters is stored in the sim-card and the other, based on the subscriber entity is kept on the server side.

An algorithm was proposed that aggregates biometric entities of the element nodes involved on the infrastructure. The algorithm works with what the entity has (Sim card), what the entity knows (Password), what the entity is (Biometric entity) and also what the entity posses (Certified Document).

Mutual authenticity is verified by using the subscriber identifier, password and biometric entities stored on the sim-card as well as on the server side. They are called the certified document.

The proposed algorithm works within four different phases; Subscriber enrollment - where CPE details are captured, subscriber authentication - this is executed whenever a subscriber tries to connect to the network, Network authentication - the server side is verified to the subscriber, but only after the subscriber has been verified. The last phase is subscriber password change phase.

2.5 Existing System Security Authentication Operations

The vastly deployed 802.16d framework has a one way authentication mechanism for its access infrastructure security [18]. While the client premises equipment (CPE) also called subscriber stations (SS) are authenticated by the base stations (BST) on accessing the network, the BST's are not authenticated by the connecting CPE's [15], [18]. This opens up possibility of various attacks; Man in the middle attacks, where Rogue BST's could be sniffed into position and connected to by unsuspecting CPE's, exposing the security algorithms used within the infrastructure.

Therefore the existing 802.16d authentication algorithm as used in the fixed wireless (WiMAX) networks cannot meet mutual authenticity security requirement.

Chapter 3


3.0 Introduction

This chapter describes the research methods and tools employed in conducting this study. The research explored the underlying access network air interface security authentication methods used within the fixed WiMAX infrastructures, to describe what has been happening and what should be happening. It accords the researcher relevant tools to thoroughly understand and explore the prevailing situation, and facilitate formulating an appropriate solution to the earlier identified research problem.

3.1 Targeted Population

Population refers to the totality of an aspect in whole, as intended for use in conducting this study. This study was conducted within the Telecom Industry, with focus on the fixed WiMAX infrastructure systems, implemented within the 802.16d framework.

3.2 Methods used

3.2.1 Observation

First hand data was collected during the study. Routine functions and their operational procedures, system policies were examined. This method is chosen because of below factors;

Easily ascertained whether any security framework existed within the access network air interface.

To ascertain how effective the existing security features and practices are.

Helped gain first hand understanding of how the security framework was handled within the access network infrastructure.

Using this method enabled the researcher attain the required information, first hand, truthfully and quickly.

3.2.2 Document Review and Evaluation

The written down procedures, practices and Network design diagrams, including manufacturers' product literature were reviewed.

Using this method facilitated the following;

Gained better understanding of the existing fixed WiMAX infrastructure designs and precise functions of core components.

How the client service provisioning processes flow.

Ascertained the intended objectives from the existing infrastructure designs.

3.2.3 Network Simulators

These were suggested for use as they present a cost effective way to test the proposed mutual authentication security mechanisms without risking the live production networks.

Besides, the cost requirements for the appropriate equipment to present acceptable test environment are prohibitively high.

3.3 Tools Used

Network Simulators - OmNet++

3.4 Algorithm Re-Design - 802.16d Fixed WiMAX.

During this stage, the existing 802.16d system framework elements that need to be changed (Authentication process) is appropriately modified.

3.5 Implementation

3.5.1 Technology Considerations

In realizing the study objectives, below technologies are used;

i. Perimeter - Access network.

• Mutual device authentication - CPE's and Base Stations.

• Session encryption

ii. Network - Core Connectivity.

• Equipment identity register

• Network access control framework

• Mandatory access control /device authentication - AAA /Radius

Chapter 4


4.1 Weaknesses of 802.16d Authentication Methods and Algorithms

4.1.1 PPP Authentication Protocol

As earlier discussed under section 2.1.3a, within the PPP protocol, a major weakness of the PAP approach is that both the user name and password are sent unencrypted to the server. This bears a risk of intercepting and reading the message easily [4], [1]. Furthermore, the CHAP system also does not transmit the user password rather a challenge token which does not concretely establish true identity on either party, according to Bannister

4.1.2 The Extensible Authentication Protocol (EAP)

The EAP has also been identified with weaknesses; the use of "lock step" flow control directly impacts on the performance of the protocol framework, especially when the infrastructure keeps expanding. This becomes a bottleneck to the increasingly busty traffic flow [4].

4.1.3 Mac Address based Authentication

One of the weaknesses underlined here is that Mac addresses are transmitted in clear text, raising the risk of sniffing these addresses. Besides, the valid and universally administered addresses can be over written and spoofed with the locally modified and administered addresses. This looses the uniqueness element of Mac address based authentication [5], [2].

4.2 Modification of the 802.16d Authentication Algorithm

4.2.1 Identified variables currently used in the 802.16d Algorithm




Device serial number


One way

Device Mac address


Two way

IP address attached


Two way

X-509 Certificate


One way

4.2.2 The modified 802.16d algorithm - Authentication flow:

Step .1 The Client premises equipment (CPE) probe scans for SSID signal /RF beacon, requests to establish a link.

Step .2 The available Base station (BST) using an authentication agent forwards the request to the AAA server, which in turn requests the CPE for identification.

Step .3a The CPE responds to the identification request with an encrypted predefined key from the CPE based smartcard.

Step .3b The CPE in the same encrypted session, requests the AAA server for the access BST identification /key.

Step .4 The AAA server compares the received CPE predefined key with the stored key in the equipment identity register database.

Step .5 The AAA server responds with the access BST key from the equipment identity register (EIR)

Step .6 The AAA server relays /responds with an encrypted authorization token to the CPE. This token embodies a session identification which includes:

BST key, Mac Address and IP address

CPE key, Mac Address and IP address

Figure 6 Illustration of the modified 802.16d algorithm - Authentication flow.

RF Beacon Scan, Request Link - 1

Identification request - 2

Encrypted I.D response - 3 Yes /No and request BST I.D

Authenticated SS I.D and - 4 Encrypted BS I.D Response - 5.a

Authorization Token - 6

Encrypted acknowledgement 5.b



4.2.3 The modified 802.16 algorithm - Pseudo code


CPE scans for SSID beacon to establish RF Link.

If SSID is got, request RF Link…., Else continue scanning

BST in vicinity forwards the session to AAA server for identification.

CPE responds to identification challenge from AAA server, with an encrypted and predefined key.

CPE requests the AAA server for the BST identity key.

AAA compares the received CPE key with the stored key in the EIR.

If CPE key is similar to key stored in EIR, proceed…., Else terminate RF connection.

AAA server responds with the BST key from the EIR.

AAA relays via the BST, the encrypted Access token to the CPE and the BST:

BST key, Mac address and Network IP Address

CPE key, Mac address and Network IP Address

4.3 Limitations of the Study

There is no human interaction in the entire CPE-BST mutual authentication process. The users will have no way of determining where problems lie - if any, especially when the authentication process fails.

The added security level may introduce some latency, as devices are authenticated and counter authenticated. Though, during this study, precise latency duration has not been adduced to reflect on the overall performance delays. This forms another ground to further research in this area.

Security key management aspect is another area for further research work in the 802.16d framework.

Chapter 5


5.1 The Conclusion

Since wireless network signals overflow the physical boundary security, it is imperative that true identity of client premises equipment (CPE), base stations (BST) and any other devices, is established at the time of access. In this study, the 802.16d algorithm framework was modified to allow mutual authentication and encryption. This security algorithm as used in fixed wireless infrastructures, assures security through use of two way identity proof of both the CPE and BST. This helps eliminate spoofing and imposing of genuine network devices.

The algorithm was implemented using OmNet++ as it was the most cost effective simulation method available to the researcher.

5.2 Recommendations

It is important to note that security authentication mechanisms sometimes impact on the performance of the network Infrastructures. This is fertile grounds for further research, to examine the impact of authentication mechanisms on the network performance or the reverse.

This study focused on the mutual authentication aspects of security within fixed wireless infrastructures only. Other security aspects of the 802.16d framework were not examined, and as such more work still lies therein in order to attain comprehensive security.