ZyXEL MAX208M2W User Guide - Page 209
Authentication, EAP-TTLS Tunneled Transport Layer Service
View all ZyXEL MAX208M2W manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 209 highlights
Appendix A WiMAX Security • Authorization request and reply The MS/SS presents its public certificate to the base station. The base station verifies the certificate and sends an authentication key (AK) to the MS/SS. • Key request and reply The MS/SS requests a transport encryption key (TEK) which the base station generates and encrypts using the authentication key. • Encrypted traffic The MS/SS decrypts the TEK (using the authentication key). Both stations can now securely encrypt and decrypt the data flow. CCMP All traffic in a WiMAX network is encrypted using CCMP (Counter Mode with Cipher Block Chaining Message Authentication Protocol). CCMP is based on the 128-bit Advanced Encryption Standard (AES) algorithm. 'Counter mode' refers to the encryption of each block of plain text with an arbitrary number, known as the counter. This number changes each time a block of plain text is encrypted. Counter mode avoids the security weakness of repeated identical blocks of encrypted text that makes encrypted data vulnerable to pattern-spotting. 'Cipher Block Chaining Message Authentication' (also known as CBC-MAC) ensures message integrity by encrypting each block of plain text in such a way that its encryption is dependent on the block before it. This series of 'chained' blocks creates a message authentication code (MAC or CMAC) that ensures the encrypted data has not been tampered with. Authentication The WiMAX Device supports EAP-TTLS authentication. EAP-TTLS (Tunneled Transport Layer Service) EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the serverside authentications to establish a secure connection (with EAP-TLS digital certifications are needed by both the server and the wireless clients for mutual authentication). Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2. WiMAX Device Configuration User's Guide 209