15.4 Message Authentication with HMAC

The standard states that basic and primary MAC management messages are sent in the clear in order to facilitate registration, ranging and normal operation of the MAC. Thus, authentication and integrity protection of MAC messages is very important. The MAC (Message Authentication Code) sequences, known as keyed hash or MAC-Digest, are used to sign management messages in order to validate their authenticity (see Figure 15.13). The MAC tags are generated and then verified using the same secret key (which is a basic difference with error-detecting codes such as the parity bits). This means that the sender and the receiver of the message must agree on the secret key before starting communications. Evidently, this key is probably different from the encryption key.

image from book
Figure 15.13: Illustration of HMAC or CMAC generation. The MAC is also called keyed hash or MAC Digest

The 802.16 standard security includes the use of a Hashed Message Authentication Code (HMAC) for some message authentication and integrity control. 802.16e added the possibility of using CMAC as an alternative to HMAC. The HMAC keyed hash (or HMAC-Digest) is in:

The HMAC-Digest attribute, which is present in some PKM messages such as Key Request, Key Reply, Key Reject, etc.
The HMAC Tuple is a TLV parameter used for some MAC management message authentications. The messages that can be authenticated with HMAC include DSx-REQ, DSx-ACK, REG-REQ, etc. The HMAC Tuple is made of HMAC-Digest HMAC with SHA-1, on 160 bits, HMAC Key Sequence Number, on 4 bits, and a reserved field. The HMAC Sequence Number in the HMAC Tuple is equal to the AK Sequence Number of the AK from which the HMAC_KEY_x was derived.

Calculation of the keyed hash in the HMAC-Digest attribute and the HMAC Tuple uses the HMAC ^[44]^,^[45] with the cryptographic secure hash algorithm, SHA-1 (FIPS 180–1 ^[49]). This authentication method is often known as HMAC-SHA1. The digest must be calculated over the entire MAC management message with the exception of the HMAC-Digest and HMAC Tuple attributes.

802.16e added the possibility of using a Cipher-based Message Authentication Code (CMAC) (RFC 4493 ^[46]) as an alternative to the HMAC. For the CMAC, AES block ciphering is used for MAC calculations (AES-CMAC).

The digest is calculated over an entire MAC management message with the exception of the HMAC-Digest or HMAC Tuple attributes.

15.4.1 Message Authentication Keys

The authentication keys used for the calculation of HMAC keyed hash included in some MAC management messages (see above) are:

the downlink authentication key HMAC_KEY_D used for authenticating messages in the downlink direction;
the uplink authentication key HMAC_KEY_U used for authenticating messages in the uplink direction.

As for PKMv1, the PKMv2 MAC message for the uplink is C/HMAC_KEY_U and the MAC message for the downlink is C/HMAC_KEY_D. HMAC_KEY_D and HMAC_KEY_U are derived from the AK, as mentioned in Section 15.3 above. The HMAC/CMAC/KEK derivation from the AK is illustrated in Figure 15.14.

image from book
Figure 15.14: HMAC/CMAC/KEK derivation from the AK. (Based on Reference ^[2].)

The BS uses HMAC_KEY_D and HMAC_KEY_U for the following:

Verify the HMAC-Digest attributes in Key Request MAC management messages received from that SS, using HMAC_KEY_U.
Calculate, using HMAC_KEY_D, the HMAC-Digest attributes it writes into Key Reply, Key Reject and TEK Invalid MAC management messages sent to that SS.
When receiving MAC messages containing the HMAC Tuple attribute, the BS uses the HMAC_KEY_U indicated by the HMAC Key Sequence Number to authenticate the messages.

HMAC_KEY_S is used in the Mesh mode HMAC-Digest calculation.