Improving MBMS Security in 3G

1
Improving MBMS Security in 3G

• Wenyuan Xu
• wenyuan_at_winlab.rutgers.edu
• Rutgers University

2
Outline

• Motivation
• The security problem
• The existing MBMS scheme
• Our improved scheme
• Experimental results

3
Motivation

• The coming future group-oriented applications on
  wireless networks
• Network basis multicast
• 3G Multimedia Broadcast/Multicast Service (MBMS)
• Security problem control access to multicast data

MB-SC Broadcast Multicast - Service Center
4
Security Goal Access Control
MB-SC Broadcast Multicast - Service Center
5
Security Goal Access Control
?
6
Dilemmas in 3G Networks

• Underlying Scenario
• Mobile Equipment (ME)
• Powerful
• Not a secure device to store session key
• An attacker who is a subscribed user can
  distribute the decryption keys to others.
• User Services Identity Module (USIM) SIM card
• Not powerful enough to decrypt bulk data
• Secure device to store session key

7
Dilemmas in 3G Networks

• Attacks
• An adversarial subscriber find out the Session
  Key (SK) and send it out to non-paying users.
• In summary
• The need to store decryption keys in insecure
  memory makes it impossible to design a scheme
  where non-subscribed users CANNOT access the data
• What can we do?

8
What can we do?

• Dissuade our potential market from using
  illegitimate methods to access the multicast
  content
• What is the potential market?
• Users that desire cheap access to multicast
  services while being mobile.
• Attacks we should not be concerned about
• Attacks that are expensive to mount (per-user
  basis)
• Attacks that assume the user is not mobile.

9
What can we do? (cont.)

• Assumption
• It is not easy for an adversarial subscriber to
  send out the Session key (SK). Thus, we assume
  there is a underlying cost associated with
  sharing the Session Key.
• There is a Registration Key established once the
  user subscribes to the service.
• Strategy for protecting Keys
• Make the Session Key change so frequently that
  the cost of attacking is more expensive than the
  cost of subscribing to the service.
• This strategy is used in Qualcomms S3-030040
  proposal to 3GPP.
• Requirement
• The overhead of changing the SK should be modest.

10
Qualcomms Key Hierarchy
Radio Access Network
3G Core Network
MB-SC
Random number
RK (Registration key)
f
BAK (Broadcast access key)
SK (Session key)
11
Qualcomms SK Distribution Scheme
Radio Access Network
CipherText SK_RAND BAK_ID BAK_EXP

• BM-SC send out the encrypted multicast data
  together with SK_RAND, BAK_ID, BAK_EXP
• CipherText ESK(content)

12
SK Distribution (Cont.)

• Once ME finds that a new SK is used
• ME asks USIM to calculate the new SK
• If USIM has BAK corresponding to BAK_ID
• USIM SK f (SK_RAND, BAK)
• USIM sends the new SK to ME

13
Qualcomms BAK Distribution Scheme
Radio Access Network
BAK request USIM_ID

• Each USIM sends out a BAK request to MB-SC from
  the ME

14
BAK Distribution (Cont.)
Radio Access Network

• Once the request passes the legality check,
  BM-SC
• Generates temporary key TK f (TK_RAND, RK)
• Sends ETK(BAK) TK_RAND

Session Key
15
Drawbacks

• Bandwidth network resources will be wasted on
  sending out SK_RAND.
• SK_RAND has to be appended to each package.
• For higher level of security, SK_RAND has to be
  large.
• BAK update problem at the moment that a new BAK
  is used, every USIM will send out a BAK request
  to BMSC
• BAK implosion problem
• High peak bandwidth

16
Improvements One Way Function

• Using one way function to generate SKs within
  USIM
• SK0 SK_SEED
• SK1 f (SK0,BAK)
• SKi1 f (SKi, BAK)

17
Improvements BAK Distribution

• At the moment that a new BAK is used, every USIM
  will request BAK from BAK distributor almost at
  the same time
• BAK distributor pushes the new BAK to USIM
  instead of pulling by USIM

18
Improvements Key Tree

• Using additional set of keys (Key Encryption Keys
  KEK) to achieve key hierarchy
• Join Use old shared key (SEK) to encrypt and
  distribute new session key
• Leave Use lower level old key (KEK) to encrypt
  the higher level key, and only change the keys
  known by the leaving user

19
Simulation Setup

• NS-2
• Simulation Topology
• Use two nodes to represent the Network since we
  are primarily concerned with capturing the
  bottleneck effect in the Network.

20
Simulation Setup (cont.)

• Movie session
• Multicast traffic statistical data from Star
  Wars IV
• Group member join/leave behavior
• Inter-arrival times and session durations are
  modeled as exponential distributions
• Inter-arrival time consists of two phases
• Beginning of movie (first 150 seconds) Users
  arrive more frequently
• Remainder of movie Users arrive less frequently
• Session durations
• Mean duration 46min

21
Simulation ResultsBandwidth Used for Group Size
760
Bandwidth (kb/s)
Bandwidth (kb/s)
Our improved scheme
Qualcomms scheme
22
Simulation Results Peak bandwidth vs. Group size
. . .
23
Conclusions

• An improved security framework was presented that
  involves
• The use of chained one-way functions for
  generating SKs
• The BM-SC pushing new BAKs to the users based on
  a key-tree
• These improvements
• Reduce amount of bandwidth needed for updating
  keys
• Avoid potential BAK implosion problems associated
  with rekeying 3G multicasts
• Scales well as group size increases
• The proposed mechanisms can be mapped to other
  network scenarios.

24
Future work

• We plan to formulate the relationship between the
  group join/leave behavior and the amount of
  communication overhead associated with rekeying?
• Our simulations only captured the bottleneck
  effect in 3G Core Networks
• We plan to study different multicast strategies
  at the Radio Access Network and how key
  management affects RAN network performance.

25
Questions?
26
Thank you!