Industrial Embedded Systems


WiMAX mobility through on-chip security

Security requirements are becoming increasingly important in all applications, especially new mobile communications standards such as WiMAX. The IEEE 802.16-2004 standard calls for powerful cryptographic algorithms and advocates hardware acceleration. A new System-on-Chip (SoC) architecture targets these algorithms with an optimized, secure implementation for WiMAX.

While traditional communications technologies were introduced with little regard for security, modern telecommunications standards include a wide range of cryptographic protocols. In particular, three aspects represent new additions in the context of modern wireless communication: broadband characteristics, computational effort, and adaptation of protocols to mobility.

The technology for secure applications demands regular adaptation. Public key cryptography, zero-knowledge procedures, stream ciphers, and hash functions remain reliable and relatively easy-to-adapt technologies.

Encrypted, authenticated communication is indispensable for “nomadic” and mobile communications standards such as the new WiMAX standard, IEEE 802.16-2004/16e. It is therefore unsurprising that the security algorithms have been implemented as special hardware blocks in the newest products for broadband communication.

Crypto at its simplest
Figure 1 shows one example of a simple cryptosystem architecture. The example assumes that two people, Alice and Bob, want to communicate securely over an insecure communications channel. To do this, both must first meet to exchange a secure encryption key – a random sequence of perhaps 128 bits, marked as k. Because the two are meeting physically, the channel through which the encryption key is exchanged can be regarded as secure. The bit sequence of the encryption key can subsequently be used to convert the message text m into the encrypted text c.

Figure 1: One example of a simple cryptosystem architecture

Extending this, a symmetrical cryptosystem is based on an exclusive-or (XOR) function. The shared encryption key and the message to be encrypted are applied to the inputs of an XOR gate. If Alice then sends Bob an encrypted message c via an insecure channel and would like to use the XOR gate as the encryption function, the scenario takes on the structure shown in Figure 2.

Figure 2: A symmetrical cryptosystem based on an exclusive-or (XOR) function

This highly simplified example is only for illustrative purposes; nevertheless, it clearly shows two fundamental characteristics of the symmetrical cryptography procedure:

  • The encryption key must be agreed using a secure channel.
  • The encryption and decryption function is the same for Bob and Alice.
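The XOR scheme of Figure 2, written out as an added example (not code from the original article). It shows that one function serves for both encryption and decryption, and goes one step beyond the text to show why the key k must not be reused: the XOR of two ciphertexts made with the same key equals the XOR of the two plaintexts. The function names and sample messages are constructed for illustration.

```python
import secrets

KEY_BITS = 128  # key length used in the article's example


def new_key():
    """Random 128-bit key k; Alice and Bob must exchange it over a secure channel."""
    return secrets.token_bytes(KEY_BITS // 8)


def xor_crypt(key, data):
    """The XOR gate of Figure 2: the same function encrypts and decrypts."""
    if len(data) != len(key):
        raise ValueError("this toy scheme needs len(message) == len(key)")
    return bytes(k ^ b for k, b in zip(key, data))


def reuse_leak(c1, c2):
    """XOR of two ciphertexts produced with the same key: the key cancels out."""
    return bytes(a ^ b for a, b in zip(c1, c2))


# Constructed 16-byte (128-bit) sample messages
M1 = b"MEET AT NOON BOB"
M2 = b"SEND KEYS MONDAY"

if __name__ == "__main__":
    k = new_key()
    c1 = xor_crypt(k, M1)          # Alice encrypts m into c
    print("ciphertext:", c1.hex())
    print("decrypted: ", xor_crypt(k, c1))  # Bob applies the same function

    c2 = xor_crypt(k, M2)          # second message under the SAME key
    leaked = reuse_leak(c1, c2)    # equals M1 XOR M2, no key needed
    print("c1^c2 == m1^m2:", leaked == reuse_leak(M1, M2))
```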

Crypto in practice

The Data Encryption Standard (DES) set the first benchmark in symmetrical encryption procedures. With just 56 bits, the encryption key used in DES is relatively small. Current computer power and specialized hardware allow a 56-bit encryption key to be broken relatively easily by trying out every possible encryption key in a “brute force” attack. The DES procedure was therefore expanded to become a triple DES (3DES) procedure, which uses a 3 x 56-bit encryption key totaling 168 bits. The 3DES procedure uses the same encryption algorithms as DES but is applied three times and can still be regarded as trustworthy.

The Advanced Encryption Standard (AES) is also symmetrical and uses different length keys. According to U.S. government specifications, the security of this algorithm can be described as follows: “The design and strength of all key lengths of the AES algorithm (typically 128, 192, or 256) suffice for the protection of information up to security level 'secret.' Information of security level ‘top secret’ requires the use of keys with a length of 192 or 256 bits.”

The so-called public key encryption system was developed as part of the next step in encryption – asymmetrical methods. The main feature of asymmetrical methods is that the encryption and decryption functions are not the same. The encryption function (with the key d in Figure 3) is public, while the key e used for decryption in Figure 3 is only known to the recipient of the encrypted message. The operational and computational effort of the encryption process can be different depending on the cryptography procedure used.

Figure 3: An asymmetrical cryptosystem, with the public key d used for encryption and the private key e used for decryption

Ron Rivest, Adi Shamir, and Leonard Adleman introduced the RSA procedure for asymmetric cryptography in 1978. (The procedure was named for the first letters of their surnames.) RSA is based on a large number n of the required bit length, which factors into the primes p and q, so that pq = n. The key d is chosen relatively prime to t = (p-1)(q-1). The extended Euclidean algorithm is an easy method for calculating e, the reciprocal (modular inverse) of d mod t. A proven result of number theory gives the relation m^t ≡ 1 (mod n). The encryption and decryption procedure can be described by:

$$(m^d)^e \equiv m^{ed} \equiv m^{(ed) \bmod t} \equiv m^1 \equiv m \pmod{n}$$

A message m is encrypted by the modular exponentiation c = m^d mod n, while the decryption is carried out with the operation m = c^e mod n. The pair (d, n) is thereby public, while (e, n) is private.
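The RSA relations above carried through with the article's own symbols (d public, e private, t = (p-1)(q-1)), as an added example that is not part of the original article. The primes 61 and 53 and the exponent 17 are constructed toy values chosen so the numbers stay readable; this is textbook RSA without padding, and real keys use the 1,024 to 2,048 bit sizes named in the next section.

```python
def extended_gcd(a, b):
    """Extended Euclidean algorithm: return (g, x, y) with a*x + b*y == g."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def make_keys(p, q, d):
    """Article's naming: (d, n) is the public pair, (e, n) the private pair."""
    n = p * q
    t = (p - 1) * (q - 1)
    g, x, _ = extended_gcd(d, t)
    if g != 1:
        raise ValueError("d must be relatively prime to t")
    e = x % t  # modular inverse of d mod t, so that (e * d) mod t == 1
    return n, t, e


def encrypt(m, d, n):
    """c = m^d mod n, using the public pair (d, n)."""
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, d, n)


def decrypt(c, e, n):
    """m = c^e mod n, using the private pair (e, n)."""
    return pow(c, e, n)


# Constructed toy parameters (far too small for real use)
P, Q, D = 61, 53, 17
N, T, E = make_keys(P, Q, D)

if __name__ == "__main__":
    m = 65
    c = encrypt(m, D, N)
    print(f"n={N} t={T} d={D} e={E}")
    print(f"m={m} -> c={c} -> m={decrypt(c, E, N)}")
```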

WiMAX security
Like many other modern standards, the WiMAX specification also includes a security sublayer in which the public key infrastructure and the protocol for authentication and encryption are defined (IEEE 802.16-2004, Chapter 7). The RSA-based asymmetrical cryptography protocols use keys from 1,024 to 2,048 bits. With regard to the necessary symmetrical procedures, DES, 3DES, and AES algorithms are used. In addition, a subscriber station is equipped with a digital certificate according to the X.509 standard, generated by the manufacturer and serving as the private key only for that subscriber station. The WiMAX standard provides a multitude of further cryptography protocols and features such as key durability, transition period checks, and dynamic and service-specific protocol management.

To support these protocols, IEEE 802.16-2004 advocates using a hardware DES/AES unit to efficiently and cost effectively meet the requirements for secure WiMAX applications. The Fujitsu MB87M3400 WiMAX SoC was designed with access to two special hardware blocks for DES and AES as shown in Figure 4.

Figure 4: WiMAX SoC block diagram

The integrated ARM926 processor offers adequate performance reserves for processing the key exchange algorithms. As an option, an external processor such as a 600 MHz Power Architecture device can provide even greater capacity. Furthermore, the external memory system supports flash memory for independent booting and saves configuration and encryption information.

WiMAX SoC benefits
The benefits of implementing WiMAX cryptography functions directly on-chip are clear. Consider the following uses for a small, secure mobile device enabled with a WiMAX SoC:

  • Authenticated, secure data transfer without transfer performance impairment
  • Videoconferences with encrypted and authenticated participants
  • Shared-use digital signatures that enable secure transactions, such as contracts to be processed and signed by partners anywhere in the world

The WiMAX SoC supports not only basic WiMAX security protocols for mobile devices, but is also suitable for implementing a multitude of additional security applications, including increased wiretapping security, expertise protection, and considerable fraud risk reduction without restricting movement in increasingly international markets. This secure mobility aspect is sure to propel WiMAX to widespread success.