Key Management for 3G MBMS Security

1
Key Management for 3G MBMS Security

• Wenyuan Xu
• February 26, 2004

2
Outline

• Security problem
• Existing scheme
• Our scheme
• Experiment result

3
Security goal

• Control access to multicast data
• Traditional method
• Control the distribution of session key (SK)
• SK is used to encrypt multicast data.
• All subscribers share a SK
• Only subscribers have the SK

4
Dilemmas in 3G Network

• User equipment
• Mobile Equipment (ME) cellular phone
• User Services Identity Module (USIM) SIM card
• Facts
• USIM is not powerful enough to decrypt bulk data
  so ME must decrypt. Decryption keys must be
  stored in the ME.
• ME is not secure storage.
• An attacker who is a subscribed user can
  distribute the decryption keys to others.
• In summary
• The need to store decryption keys in insecure
  memory makes it impossible to design a scheme
  where non-subscribed users CANNOT access the data

5
Solution

• The goal of the security
• Dissuade our potential market from using
  illegitimate method to access the multicast
  content
• What is the potential market?
• Users that desire cheap access to multicast
  services while being mobile.
• Attacks we should not be concerned about
• Attacks that are expensive to mount (per-user
  basis) and/or
• Attacks that assume the user is not mobile.

6
Solution (cont.)

• Basis
• There is a cost for the subscriber to send the
  session key out.
• How?
• Make the session key change so frequently that
  the cost of attacking is more expensive than the
  cost of subscribing to the service.
• Requirement
• The overhead of changing the SK should be modest.

7
MBMS Key Hierarchy
8
Existing scheme

• BM-SC (Broadcast Multicast - Service Center) send
  out the encrypted multicast data together with
  SK_RAND, BAK_ID, BAK_EXP
• cipherText ESK(content)

CipherText SK_RAND BAK_ID BAK_EXP
9
Existing scheme

• Once ME found a new SK is used.
• ME asks USIM to calculate the new SK

SK_RAND BAK_ID BAK_EXP
10
Existing scheme

• If USIM has BAK corresponding to BAK_ID
• USIM SK f (SK_RAND, BAK)
• USIM sends the new SK to ME
• Otherwise, USIM sends out a BAK request

BAK request USIM_ID
11
Existing scheme

• Once the request passes the legality check,
  BM-SC
• generates TK f (TK_RAND, RK)
• sends ETK(BAK) TK_RAND

ETK(BAK) TK_RAND
12
Drawbacks bandwidth

• A lot of network resources will be wasted on
  sending out SK_RAND.
• SK_RAND has to be appended to each package.
• For higher level of security, SK_RAND has to be
  large.

CipherText SK_RAND BAK_ID BAK_EXP
13
Improvement

• Original
• SK f (SK_RAND, BAK)
• Improvement
• Using one way function to generate SKs within
  USIM
• SK0 SK_SEED
• SK1 f (SK0,BAK)
• SKi1 f (SKi, BAK)

Cipher SK_ID BAK_ID
Cipher SK_RAND BAK_ID BAK_EXP
14
BAK update problem

• At the moment that a new BAK is used, every USIM
  will send out a BAK request to BMSC
• BAK implosion problem
• High peak bandwidth
• Improvement
• BAK distributor pushes the new BAK to USIM
  instead of pulling by USIM
• For higher efficiency, we can construct a key
  tree to manage the BAK Distribution

15
Experiment
16
Experiment
17
Conclusions

• Its a novel idea to use the consumers special
  psychology to achieve security.
• This mechanism can also be used outside 3G
  networks.
• The new security framework that BM-SC pushes the
  new BAK to groups of users based on a key-tree
  structure has a modest overhead and scales good.

18
Thank you!