doc IEEE 802 22 080083 r 0 Month

doc. : IEEE 802. 22 -08/0083 r 0 Month Year Security and the Protocol Reference Model Enhancements in IEEE 802. 22 IEEE P 802. 22 Wireless RANs Date: 2008 -03 -05 Authors: Name Company Apurva N. Mody BAE Systems Address Phone email 404 -819 -0314 apurva. mody@baesystems. com, apurva_mody@yahoo. com 973 -6344 Ranga Reddy US Army P. O. Box 868, MER 15 -2350, Nashua, NH 03061 CERDEC, NJ Matthew J. Sherman D. J. Shyy BAE Systems Wayne , NJ MITRE Corp. Mc. Lean, VA ranga. reddy@us. army. mil matthew. sherman@baesys tems. com djshyy@mitre. org Notice: This document has been prepared to assist IEEE 802. 22. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802. 22. Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures http: //standards. ieee. org/guides/bylaws/sb-bylaws. pdf including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard. " Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair Carl R. Stevenson as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE 802. 22 Working Group. If you have questions, contact the IEEE Patent Committee Administrator at patcom@iee. org. > Submission 1 John Doe, Some Company

March 2008 doc. : IEEE 802. 22 -08/0083 r 0 Abstract • • This presentation focuses on the security feature enhancements for the 802. 22 Standard. Inadequate security features may expose wireless networks to be misused by antisocial elements and terrorists, resulting in Denial of Service attacks and Information Operations. IEEE 802. 22 based networks are even more susceptible since they are likely to operate in un-licensed bands with cognitive radio techniques. In order to make security features modular and upgradeable, we present a slight modification to the current BS and CPE Protocol Reference Model (PRM) The Modified PRM separates the Cognitive Plane from the Data, Control and Management planes, allowing for separate and modular security features. The current security features for 802. 22 are essentially taken from 802. 16 e Standard document. However, the concept of operation and operational scenarios for the two are substantially different We suggest security feature enhancements for the Cognitive Plane, as well as some additional features which are based on the new 802. 16 m SDD call for proposals Submission 2 Apurva N. Mody, BAE Systems

March 2008 doc. : IEEE 802. 22 -08/0083 r 0 Current 802. 22 BS/ CPE Protocol Reference Model (PRM) • Current 802. 22 Protocol Reference Model (PRM) does not allow security enhancements and modularization. • It does not distinguish between the Cognitive Plane and the Data / Control and Management Planes. • Cognitive Plane consisting of the Spectrum Sensing Function, Geolocation and the Spectrum Manager requires additional security, privacy and authentication features. Submission 3 Apurva N. Mody, BAE Systems

March 2008 doc. : IEEE 802. 22 -08/0083 r 0 Proposed Cognitive Radio PRM with Security Sub-Layers and Modularization • In order to make security features modular and upgradeable, we present a slight modification to the current BS and CPE PRM • The Modified PRM separates the Cognitive Plane from the Data, Control and Management planes, allowing for separate and modular security features to be incorporated. Submission 4 Apurva N. Mody, BAE Systems

March 2008 doc. : IEEE 802. 22 -08/0083 r 0 Cognitive Radio Interface Diagram with Security Sub-Layer Modularization • A cognitive communications device must include security and authentication features for the Cognitive Plane, in addition to the Data and Control / Management Planes • A Cognitive Plane consists of the Spectrum Sensing Function, the Geolocation Function and the Spectrum Manager Submission 5 Apurva N. Mody, BAE Systems

March 2008 doc. : IEEE 802. 22 -08/0083 r 0 Suggested Security and Authentication Features for Spectrum Sensing – Authenticating the PPDs • Signals originating from the Primary Protected Devices (PPDs) such as ATSC DTV and DVB-T must be authenticated to avoid unwanted Denial of Service (Do. S) attacks • Authentication of the PPDs such as ATSC DTV and DVB-T signals may be carried out using • Multiple sources for confirmation such as sensing and the incumbent database, and / or • Sensing using multiple cognitive devices and / or • Sensing for a long continuous period of time to ensure that the signal is indeed originating from a valid source. Submission 6 Apurva N. Mody, BAE Systems

March 2008 doc. : IEEE 802. 22 -08/0083 r 0 Suggested Security and Authentication Features for Spectrum Sensing – Authenticating SPDs • Signals originating from the Secondary Protected Devices (SPDs) must be authenticated to avoid unwanted Denial of Service (Do. S) attacks • Authentication of the SPDs such as wireless microphone signals may be carried out using • Multiple sources such as beacon sensing and the incumbent database, and / or • Beacon sensing using multiple cognitive devices and / or • Control handshake between the cognitive device and the SPD. Submission 7 Apurva N. Mody, BAE Systems

March 2008 doc. : IEEE 802. 22 -08/0083 r 0 Suggested Security and Authentication Features for Spectrum Sensing – Authenticating WRAN Discovery • WRAN discovery must be authenticated using • Capture of a valid Superframe Control Header (SCH) • Three-way confirmation handshake with the WRAN that is currently occupying the current channel • Periodic updates and refresh to ensure continued usage • Local (country dependent) database Submission 8 Apurva N. Mody, BAE Systems

March 2008 doc. : IEEE 802. 22 -08/0083 r 0 Suggested Security and Authentication Features for Geolocation – Authenticating Geolocation Info. • The geolocation information must be authenticated for its validity. • The geolocation authentication may be device and / or algorithm dependent • The underlying signals used as a reference for geolocation must be authenticated. • Authentication features for both the Global Positioning System (GPS) based geolocation as well as other soft algorithms should be clearly defined in the standard. Submission 9 Apurva N. Mody, BAE Systems

March 2008 doc. : IEEE 802. 22 -08/0083 r 0 Suggested Security and Authentication Features between the Spectrum Manager – MAC Common Part Sublayer Interface • The interface diagram shows a modular format with the data / control plane and the cognitive plane. • The information provided by the spectrum manager to the MAC Common Part Sublayer must be authenticated and protected through various security and privacy features. • The sensing and geolocation information transmitted to various other devices in the network must be encrypted. Submission 10 Apurva N. Mody, BAE Systems

March 2008 doc. : IEEE 802. 22 -08/0083 r 0 Other Security, Authentication and Privacy Features Recommended for 802. 22 • Management message protection (encryption and integrity protection) • MAC header protection (encryption and integrity protection) • Key management enhancement with secure and efficient key establishments and distribution • Certificate revocation enhancement • Mitigations of network attacks including authentication attacks (BS and SS impersonations and passive eaves dropping attack), replay attacks (key reuse attack), denial of service (packet forgery), weak key attack, and man-in-themiddle-attack Submission 11 Apurva N. Mody, BAE Systems

March 2008 doc. : IEEE 802. 22 -08/0083 r 0 Security at Various Stages of the Network Entry in 802. 22 • Authentication, security association, enabling the MAC management message transmission, and establishment of traffic encryption keys (PKM-REQ/PKM-RSP) • The SS searches the preamble; once found, it decodes the Frame Control Header (FCH) • Once the DL is synchronized, the SS decodes MAP/DCD and MAP/UCD to learn the timing of the UL initial ranging (contention) slot and the DL/UL transmission parameters. DL/UL-MAP goes in every frame to inform and schedule SSs. (REG-REQ/REG-RSP) • The SS acquires an IP address. The establishment of IP connectivity shall be performed on the SS's Secondary Management Connection (SMC). • Ranging (RNG-REQ/RNG-RSP) is to obtain correct frequency offset, timing and power adjustments • The SS negotiates the following capabilities (SBC-REQ/SBC-RSP) with the BS: Max. transmit power, modulation/coding schemes, H-ARQ using management connections. • Set up transport connections that will carry e. g. IP traffic (DSA-REQ/DSARSP/DSA-RVD) • MAP contains allocation for both initial ranging and periodic ranging. • SBC: SS Basic Capability • DCD: DL channel descriptor • UCD: UL channel descriptor Submission 12 Apurva N. Mody, BAE Systems

March 2008 doc. : IEEE 802. 22 -08/0083 r 0 Security at Various Stages of the Network Entry in 802. 22 • MAP and FCH can be protected • This is optional • Use the pre-shared key (via vendor or user certificate) • Once the pre-shared key is installed, the user is able to scan the DL • If you do not do this step initially, follow 802. 16 e default. • No need to protect RNG-REQ - Signatures may be used to protect malicious flooding attack • Need to protect RNG-RSP since the basic CID and primary management uniquely identify the station • No need to protect SBC-REQ - Signatures may be used to protect malicious flooding attack • Need to protect SBC-RSP since it carries basic CID • No change for authentication since the contents of PKM are protected • No change for registration since the contents of REG are protected • DSA messages are required for path set up and admission control • DSA messages can be protected • This is optional • The 802. 22 MAC header has only CRC – MAC headers need to be protected • Periodic ranging needs to be protected in the same manner as the initial ranging Submission 13 Apurva N. Mody, BAE Systems

March 2008 doc. : IEEE 802. 22 -08/0083 r 0 Conclusions • In order to make security features modular and upgradeable, we presented a modification to the current BS and CPE Protocol Reference Model (PRM) • The Modified PRM separates the Cognitive Plane from the Data, Control and Management planes, allowing for separate and modular security features to be incorporated. • Cognitive Communications devices require security and authentication features for the cognitive plane, in addition to the data and control planes. • Security / authentication features must be added at the interface of the Spectrum Sensing Function, the Geolocation Function and the Spectrum Manager • Security / authentication features must also be added at the interface of the Spectrum Manager and the MAC Common Part Sublayer. • Besides the new security enhancements specifically for the cognitive domain, we introduce added security features based on recent 802. 16 m SDD call for contribution. • This presentation discussed preliminary requirements to add security and authentication into the cognitive communications devices used for the IEEE 802. 22 Standard. Submission 14 Apurva N. Mody, BAE Systems

March 2008 doc. : IEEE 802. 22 -08/0083 r 0 References • WRAN Protocol Reference Model – Contribution 22 -07 -0523 -030000_WRAN_PRM. ppt • Security Enhancement for 802. 16 e - A SDD Proposal for 802. 16 m www. wirelessman. org/tgm/contrib/C 80216 m-08_046. doc Submission 15 Apurva N. Mody, BAE Systems