doc IEEE 802 22 080083 r 08 Month

doc. : IEEE 802. 22 -08/0083 r 08 Month Year Security and the Protocol Reference Model Enhancements in IEEE 802. 22 Authors: IEEE P 802. 22 Wireless RANs Date: 2008 -11 -13 Notice: This document has been prepared to assist IEEE 802. 22. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802. 22. Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures http: //standards. ieee. org/guides/bylaws/sb-bylaws. pdf including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard. " Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair Carl R. Stevenson as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE 802. 22 Working Group. If you have questions, contact the IEEE Patent Committee Administrator at patcom@iee. org. Submission 1 John Doe, Some Company

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Abstract • This presentation focuses on Protocol Reference Model (PRM) and Security enhancements in 802. 22 • PRM Enhancements – The Spectrum Manager in the current PRM (802. 22_Draftv 1. 0) resides in the MLME will eventually be replaced by the Management Information Base (MIB). – The current 802. 22 draft does not specify where the Security Sublayers reside and what their functions should be. No security mechanisms are provided for functions such as spectrum availability, authentication, authorization, identification, confidentiality and privacy. – IEEE 802. 22 based networks are susceptible to enhanced security threats since they are likely to operate in un-licensed bands with cognitive radio techniques. – Remote CPE management is not possible using the current PRM architecture. – Hence, in order to overcome the shortfalls mentioned above, we propose a Modification to the PRM which separates the Cognitive Plane from the Data, Control and Management planes, allowing functionality specific attributes to be defined for each plane. – The Data/ Control and Management Plane functionality remains unchanged. – The Cognitive Plane consists of the Spectrum Sensing Function, the Geolocation function and the Spectrum Manager / Spectrum Automaton with its own security features. • Security Enhancements – Threat model is laid out for the data / control and management functions as well as the cognitive functions of 802. 22 – The threat analysis is carried out based on the criteria of likelihood, impact and risk – Various remediation measures for the identified threats will be proposed in the near future. Submission 2 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 The IEEE 802. 11 (1999) Protocol Reference Model (PRM) • The current 802. 22 PRM is based on the IEEE 802. 11 Standard • This figure shows the IEEE 802. 11 PRM. • This standard was published in 1999. Submission 3 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 The IEEE 802. 16 (2008) Protocol Reference Model (PRM) • This figure shows the IEEE 802. 16 PRM which is as shown • It makes sense that the IEEE 802. 22 PRM be similar to the IEEE 802. 16 PRM due to their closeness in functional attributes • IEEE 802. 16 g document defines the Management Information Base (MIB) and the Management Plane procedures for IEEE 802. 16. • Following the 802. 16 model will allow 802. 22 to borrow the functions, definitions, primitives and descriptions of the MIBs which are already defined in the 802. 16 g Document, thus accelerating the standard development process. Submission 4 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Shortfalls of the Current 802. 22 BS/ CPE Protocol Reference Model (PRM) 1. 2. 3. 4. In the current PRM, (802. 22_Draftv 1. 0) Spectrum Manager resides in the MLME would be eventually replaced by the MIB. Spectrum Manager is a live entity whereas MIB is not. Information from the SSF and Geolocation is not provided to the SM directly. Remote CPE Management is not possible – System interface to manage the MLME / PLME are not defined. No security functionalities are specified for data / control, management and cognitive functions • Security functions include availability, authentication, authorization, integrity, confidentiality and privacy, nonrepudiation Submission 5 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Proposed Cognitive Radio PRMs for 802. 22 (Outcome from the Security Ad-Hoc Meetings) PRM (CPE) PRM (BS) Submission 6 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Features of the Proposed Cognitive Radio PRM for 802. 22 • Separates the Cognitive Plane from the Data, Control and Management planes, allowing functionality specific attributes to be defined for each plane. • The Data/ Control and Management Plane functionality remains unchanged. • The Cognitive Plane consists of the Spectrum Sensing Function, the Geolocation function and the Spectrum Manager / Spectrum Automaton. • Spectrum Manager resides in the Cognitive Plane at the same layer as the MAC in the Data/ Control Plane. • Spectrum manager interfaces directly with the Spectrum Sensing and the Geolocation functions. • Modular security features may be added to incorporate availability, authentication, authorization, identification, confidentiality and privacy. • Remote CPE management is possible through the Network Control and Management System (NCMS). • The proposed PRM defines the Management Information Base (MIB) which makes 802. 22 a more complete and comprehensive standard. • M-SAP (Management SAP) and C-SAP (Control-SAP) are the formal interfaces between NCMS and 802. 22 entity. The functions, definitions, primitives and descriptions of these SAPs can be directly obtained from the IEEE 802. 16 g Standard (Some modifications may be needed for 802. 22) Submission 7 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Proposed Cognitive Radio PRMs for 802. 22 – PRM for the BS (Outcome from the Security Ad-Hoc Meetings) Additional Features of the proposed PRM - BS • Connection B 2 is used for configuration of the Spectrum Manager at the BS as well as to convey and report the environment monitoring information via the MIBs • Connection B 1 is used to - Configure the Spectrum Automaton at the CPE (e. g. candidate and back-up channel sets, channels to be sensed etc. ) - Receive information from various CPEs (e. g. local sensing information. ) Submission 8 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Proposed Cognitive Radio PRMs for 802. 22 (Outcome from the Security Ad-Hoc Meetings) Additional Features of the proposed PRM – CPE • Connection C 2 is used to convey the environment monitoring information via the MIBs to the user. • C 2 can not be used for configuration of the Spectrum Automaton (SA). SA can only be configured by a BS command using the Connection C 1. • C 1 is also used to transmit the local environment information such as sensing and geolocation to the BS. • MIB at the CPE will be a subset of MIB at the BS Submission 9 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Management Reference Model – The Concept of Managed CPEs Once MIBs have been Defined Submission 10 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 802. 22 Network Reference Model • Multiple CPEs may be attached to a BS. CPEs communicate to the BS over the U interface using a Primary Management Connection, a Basic Connection or a Secondary Management Connection • Network Control and Management System (NCMS) is defined at the BS as well as the CPE. • The NCMS at the CPE is the sub-set of the NCMS at the BS. Submission 11 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Converting Primitives in Section 9 to MIBs 1. SME-MLME-DB-QUERY. request (EXISTING PRIMITIVE) The SME-MLME-DB-QUERY. request primitive allows the SM to request the SME to access an incumbent database in order to obtain channel availability information. Table 280 specifies the parameters for the SME-MLME-QUERYBD. request primitive. Table 280 — SME-MLME-DB-QUERY. request parameters Name Type Valid Range Database_type Integer 0 -8 Latitude Char NMEA string Longitude Char NMEA string Description The value identifies the type of database for which the query is directed. 0 = TV Incumbent Database 1 = Part 74 Incumbent Database 1. When generated The SME-MLME-DB-QUERY. request primitive shall be generated by the SM of a BS and issued to its SME to request the SME to query an external incumbent database. 1. Effect on receipt When the SME of a BS receives the SME-MLME-DB-QUERY. request primitive, SM generates a query to the external database available corresponding to the type indicated in the Database_type attribute. On receipt of a the SME-MLME-DB-QUERY. request with the Database_type corresponding to a type of database which is not available or which is not accessible through the SME, the SME of the BS shall issue a SME-MLME-DBQUERY. confirm primitive to the MLME with status value of INVALID_REQUEST. Submission 12 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Converting Primitives in Section 9 to MIBs 1. M-DB-QUERY. req (MIB Primitive) The M-DB-QUERY. req primitive allows the SM to request the NCMS to access an incumbent database in order to obtain channel availability information. Table 280 specifies the parameters for the M-QUERY-BD. request primitive. Table 280 — M-DB-QUERY. req parameters Function Valid M-DB-QUERY. req Name Type Description Range ( Database_type Integer 0 -8 The value identifies the type of Operation_Type: Get, database for which the query is Destination: BS, directed. 0 = TV Incumbent Database Attribute_List: 1 = Part 74 Incumbent Database 1. Database Type Latitude Char NMEA 2. Latitude string 3. Longitude Char NMEA 4. ) string 1. When generated The M-DB-QUERY. req primitive shall be generated by the SM of a BS and issued to its NCMS to request the NCMS to query an external incumbent database. 1. Effect on receipt When the NCMS of a BS receives the M-DB-QUERY. req primitive, NCMS generates a query to the external database available corresponding to the type indicated in the Database_type attribute. On receipt of the M-DB-QUERY. req with the Database_type corresponding to a type of database which is not available or which is not accessible through the NCMS, the NCMS of the BS shall issue an M-DB-QUERY. confirm primitive to the M-SAP with status value of INVALID_REQUEST. Submission 13 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Cognitive Radio PRM with Security Sub-Layer Modularization • A cognitive communications device must include security and authentication features for the Cognitive Plane, in addition to the Data and Control / Management Planes • A Cognitive Plane consists of the Spectrum Sensing Function, the Geolocation Function and the Spectrum Manager • The proposed PRM creates Two Security Sub-layers with dedicated and modular security functionality. The detailed functionality of each of the layers needs to be defined (Security Ad-Hoc) Submission 14 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Functions of the Security Sublayers for Data / Control and the Management Planes The security sublayers for the Data / Control and the Management Planes provide • Data integrity • Ensures integrity of the data • Identification • Association of a valid identity to the user / device • Authentication • Assurance that the communicating entity is who it claims to be • Authorization • Who can use the network resources • Confidentiality / Privacy • Protection of data from eavesdropping • Non-repudiation • Prevention of sender / receiver from denying that the message was transmitted. Submission 15 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 802. 22 – Data. Control and Management Plane Threat Definition Attack Likelihood, Impact and Risk M. Barbeau, “Wi. MAX Threat Analysis, ” Q 2 SWinet, 2005 Submission 16 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 802. 22 – Data. Control and Management Plane Threat Definition M. Barbeau, “Wi. MAX Threat Analysis, ” Q 2 SWinet, 2005 Submission 17 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 802. 22 – Data. Control and Management Threat Remediation CPE M. Barbeau, “Wi. MAX Threat Analysis, ” Q 2 SWinet, 2005 Submission 18 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Functions of the Security Sublayers for Cognitive Plane and the Co. Existence Information The security sublayers for the Cognitive Plane provide • Authentication and Availability • Ensures availability of the spectrum for the primary (incumbents) and the secondary (WRAN) users – detects and avoids Do. S • Assurance that the communicating entity is who it claims to be • Authentication of the incumbent signals and the TG 1 beacons • Authentication of the geolocation information • Authentication of the co-existence information • Authentication of a WRAN system • Detection and reporting of spurious transmissions from other CPEs • Authorization • Only the authorized parties are allowed to configure the spectrum manager / spectrum automaton • Configuration information is identified with a valid user. • Confidentiality / Privacy • Protection of competitive spectrum availability information from eavesdropping Qusay H. Mahmoud, Cognitive Networks, Towards Self Aware Networks, Wiley, Sept. 2007 – Chapter 11, Security Issues in Cognitive Radio Networks Submission 19 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 802. 22 – Cognitive Plane and Co-Existence Threat Definition Submission 20 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Security Sublayer 3 - Suggested Security and Authentication Features for Spectrum Sensing – Authenticating the TV Signals • NTSC, ATSC DTV and DVB-T signals must be authenticated to avoid unwanted Denial of Service (Do. S) attacks • Authentication of the NTSC, ATSC DTV and DVB-T signals may be carried out using • Multiple sources for confirmation such as sensing and the incumbent database, and / or • Sensing using multiple cognitive devices and / or • Sensing for a long continuous period of time to ensure that the signal is indeed originating from a valid source. Submission 21 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Security Sublayer 1, 3 - Suggested Security and Authentication Features for Spectrum Sensing – Authenticating Wireless Microphones and TG 1 Beacons • Signals originating Wireless Microphones and TG 1 Beacons must be authenticated to avoid unwanted Denial of Service (Do. S) attacks • Authentication of the SPDs such as wireless microphone signals may be carried out • At the Security Sub-layer in the Cognitive Plane using the security features embedded in the TG 1 beaconing signal • Multiple sources such as beacon sensing and the incumbent database, and / or • Beacon sensing using multiple cognitive devices and / or • Control information handshake between the cognitive device and the PPD / SPD / NPD. Submission 22 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Security Sublayer 3 - Suggested Security and Authentication Features for Spectrum Sensing – Authenticating WRAN Discovery • WRAN discovery must be authenticated using • Capture of a valid Superframe Control Header (SCH) • Three-way confirmation handshake with the WRAN that is currently occupying the current channel • Authentication of a CBP • Periodic updates and refresh to ensure continued usage • Local (country dependent) database Submission 23 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Security Sublayer 3 - Suggested Security and Authentication Features for Geolocation – Authenticating Geolocation Info. • The geolocation information must be authenticated for its validity. • The geolocation authentication may be device and / or algorithm dependent • The underlying signals used as a reference for geolocation must be authenticated. • Authentication features for both the Global Positioning System (GPS) based geolocation as well as other terrestrial based geolocation should be clearly defined in the standard. An example of a GPS jammer powered using a car charger – available on the market http: //www. navigadget. com/index. php/2007/01/29/gps-and-gsm-jammer/ Submission 24 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Security Sublayer 4 - Suggested Security and Authentication Features between the Spectrum Manager – MAC Common Part Sublayer Interface • The interface diagram shows a modular format with the data / control plane and the cognitive plane. • The Spectrum Manager is susceptible to mis-configuration though the SME, if no security mechanisms (Security Sublayer 4) are provided. • Hence, the SM configuration information coming through the SME needs to be authenticated. • The information provided to the SM from the incumbent database must be authenticated • The information provided by the spectrum manager to the MAC Common Part Sublayer must be authenticated and protected through various security and privacy features. • The sensing and geolocation information transmitted to various other devices in the network must be encrypted. Submission 25 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Security Sublayers 1, 2 - Other Security, Authentication and Privacy Features Recommended for 802. 22 • Management message protection (encryption and integrity protection) • MAC header protection (encryption and integrity protection) • Key management enhancement with secure and efficient key establishments and distribution • Certificate revocation enhancement • Mitigations of network attacks including authentication attacks (BS and SS impersonations and passive eaves dropping attack), replay attacks (key reuse attack), denial of service (packet forgery), weak key attack, and manin-the-middle-attack Submission 26 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Additional Security at Various Stages of the Network Entry in 802. 22 • Authentication, security association, enabling the MAC management message transmission, and establishment of traffic encryption keys (PKM-REQ/PKM-RSP) • The SS searches the preamble; once found, it decodes the Frame Control Header (FCH) • Once the DL is synchronized, the SS decodes MAP/DCD and MAP/UCD to learn the timing of the UL initial ranging (contention) slot and the DL/UL transmission parameters. DL/UL-MAP goes in every frame to inform and schedule SSs. (REG-REQ/REG-RSP) • The SS acquires an IP address. The establishment of IP connectivity shall be performed on the SS's Secondary Management Connection (SMC). • Ranging (RNG-REQ/RNG-RSP) is to obtain correct frequency offset, timing and power adjustments • The SS negotiates the following capabilities (SBC-REQ/SBC-RSP) with the BS: Max. transmit power, modulation/coding schemes, H-ARQ using management connections. • Set up transport connections that will carry e. g. IP traffic (DSA-REQ/DSARSP/DSA-RVD) • MAP contains allocation for both initial ranging and periodic ranging. • SBC: SS Basic Capability • DCD: DL channel descriptor • UCD: UL channel descriptor Submission 27 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Security at Various Stages of the Network Entry in 802. 22 • MAP and FCH can be protected • This is optional • Use the pre-shared key (via vendor or user certificate) • Once the pre-shared key is installed, the user is able to scan the DL • If you do not do this step initially, follow 802. 22 default. • No need to protect RNG-REQ - Signatures may be used to protect malicious flooding attack • Need to protect RNG-RSP since the basic CID and primary management uniquely identify the station • No need to protect SBC-REQ - Signatures may be used to protect malicious flooding attack • Need to protect SBC-RSP since it carries basic CID • No change for authentication since the contents of PKM are protected • No change for registration since the contents of REG are protected • DSA messages are required for path set up and admission control • DSA messages can be protected • This is optional • The 802. 22 MAC header has only CRC – MAC headers need to be protected • Periodic ranging needs to be protected in the same manner as the initial ranging Submission 28 Apurva N. Mody, BAE Systems

November 2008 doc. : IEEE 802. 22 -08/0083 r 08 Conclusions • This presentation focused on Protocol Reference Model (PRM) and Security enhancements in 802. 22 • The new proposed PRM – Separates the Cognitive Plane from the Data, Control and Management planes, allowing functionality specific attributes to be defined for each plane. – The Data/ Control and Management Plane functionality remains unchanged. – The Cognitive Plane consists of the Spectrum Sensing Function, the Geolocation function and the Spectrum Manager / Spectrum Automaton. – Spectrum Manager resides in the Cognitive Plane at the same layer as the MAC in the Data/ Control Plane. – Spectrum manager interfaces directly with the Spectrum Sensing and the Geolocation functions. – Modular security features may be added to incorporate availability, authentication, authorization, identification, confidentiality and privacy. – Remote CPE management is possible through the Network Control and Management System (NCMS) – Management Information Base (MIB) is added to make 802. 22 a more complete and comprehensive standard. • Security Enhancements – Threat model is laid out for the data / control and management functions as well as the cognitive functions of 802. 22 – The threat analysis is carried out based on the criteria of likelihood, impact and risk – Various remediation measures for the identified threats will be proposed in the near future. Submission 29 Apurva N. Mody, BAE Systems

November 2008 1) 2) 3) 4) 5) 6) 7) 8) 9) 10) 11) 12) 13) 14) 15) References doc. : IEEE 802. 22 -08/0083 r 08 WRAN Protocol Reference Model – Contribution 22 -07 -0523 -03 -0000_WRAN_PRM. ppt A. Mody, R. Reddy, T. Kiernan, M. Sherman, “Protocol Reference Model Enhancements in 802. 22”. https: //mentor. ieee. org/802. 22/file/08/22 -08 -0121 -07 -0000 -text-on-protocol-reference-model-enhancements-in 802 -22. doc Security Enhancement for 802. 16 e - A SDD Proposal for 802. 16 m A. Mody, R. Reddy, T. Kiernan and M. Sherman - Recommended Text for Section 7 on Security in 802. 22 https: //mentor. ieee. org/802. 22/file/08/22 -08 -0174 -07 -0000 -recommended-text-for-section-7 -on-security-in-80222. doc A. Mody, R. Reddy, T. Kiernan and M. Sherman - Table of Contents for Section 7. https: //mentor. ieee. org/802. 22/file/08/22 -08 -0165 -00 -0000 -table-of-content-for-the-security-section-in-80222. doc A. Mody, R. Reddy, T. Kiernan and M. Sherman - Scope and the Workplan for the Security Ad-Hoc Group – https: //mentor. ieee. org/802. 22/file/08/22 -08 -0159 -00 -0000 -scope-agenda-workplan-and-timeline-for-the-securityad-hoc-in-802 -22. doc A. Mody, R. Reddy, T. Kiernan and M. Sherman - PRM and Security Enhancements in 802. 22 – 802. 22 Threat Analysis https: //mentor. ieee. org/802. 22/file/08/22 -08 -0083 -07 -0000 -security-and-prm-enhancements-in-80222 -v 3. ppt www. wirelessman. org/tgm/contrib/C 80216 m-08_046. doc http: //www. navigadget. com/index. php/2007/01/29/gps-and-gsm-jammer/ M. Barbeau, “Wi. MAX Threat Analysis”, Proceedings of the ACM, Q 2 SWinet’ 05, October 13, 2005, Montreal, Quebec, Canada. S. Xu, M. Matthews, “Security Issues in Privacy and Key Management Protocols of 802. 16, ” Proceedings of the ACM SE’ 06, March 10 -12, 2006, Melbourne, Florida, USA D. Johnston and J. Walker, “Overview of IEEE 802. 16 Security, ” IEEE Security and Privacy, Magazine Published by the IEEE Computer Society, 2004 Y. Xiao, X. Shen and D. Du, Wireless Network Security, Springer Series on Signals and Communications Technology, 2006 Qusay H. Mahmoud, Cognitive Networks, Towards Self Aware Networks, Wiley, Sept. 2007 – Chapter 11, Security Issues in Cognitive Radio Networks Amita Sethi, Potential Denial of Service Threat Assessment for Cognitive Radios, MS Thesis, University of Colorado at Boulder, 2008. Submission 30 Apurva N. Mody, BAE Systems