Hereinafter, an IEEE 802.16e (Institute of Electrical and Electronics Engineers 802.16e) system based protocol layer will be described in brief.
FIG. 1 is a diagram illustrating a protocol layer model defined in a wireless telecommunication system based on an IEEE 802.16e system which is generally used.
Referring to FIG. 1, a medium access control (MAC) layer belonging to a link layer includes three sublayers. First of all, a service-specific convergence sublayer converts or maps data of an external network, which are received through a service access point, into medium access control service data units (MAC SDUs) of a MAC common part sublayer (CPS). The service-specific convergence sublayer can include a function for associating a corresponding MAC service flow identifier (SFID) with a connection identifier (CID) after dividing SDUs of the external network.
Next, the MAC CPS layer provides main functions of MAC such as system access, bandwidth allocation, and connection setup and management, and receives data classified by specific MAC connection from various CSs through MAC SAP. At this time, quality of service (QoS) can be applied to data transmission and scheduling through a physical layer.
Also, a security sublayer can provide authentication, security key exchange, and encryption function. Hereinafter, a security service and a security sublayer will be described in brief.
The security service provides confidentiality and integrity for network data. Integrity means that the first message is transferred to counterpart without any change. Namely, integrity assures that the message is not changed randomly by the third party. Confidentiality means that information is only disclosed to those who are authorized. Namely, confidentiality perfectly protects data which are transmitted, so as to prevent those who are not authorized from accessing the data.
The security sublayer provides security, authentication, and confidentiality in a broadband wireless access network. The security sublayer can apply an encryption function to a medium access control protocol data unit (MAC PDU) transferred between a mobile station and a base station. Accordingly, the base station and the mobile station can provide robust protection capability against a service stealing attack of an illegal user. The base station prevents a data transmission service from being accessed without any authority by performing encryption of a service flow over the whole of a network.
The security sublayer controls distribution of key information from a base station to a mobile station by using a key management protocol of an authenticated client/server structure. At this time, it is possible to enhance a function of a basic security mechanism by adding digital certificate based mobile station authentication to the key management protocol.
If a mobile station does not provide a security function while mobile station basic capability negotiation is being performed, an authentication and key exchange process will be omitted. Even though a specific mobile station has been registered as a mobile station that does not support an authentication function, the base station can regard that authority of the mobile station has been verified. If the specific mobile station does not support a security function, since no service is provided to the corresponding mobile station, a key exchange or data encryption function is not performed.
The security sublayer includes an encapsulation protocol and a key management protocol (PKM). The encapsulation protocol is for security of packet data in a broadband wireless access network, and provides a method of applying an algorithm to cryptographic suites such as data encryption and data authentication algorithm and MAC PDU payload.
Cryptographic suites represent security association (SA) sets indicating an algorithm for data encryption, data authentication and TEK exchange. Namely, cryptographic suites represent a pair of data algorithm and data authentication algorithm.
The key management protocol provides a method of safely distributing key data from a base station to a mobile station. The base station and the mobile station can provide a method of safely distributing key data by using the key management protocol. If the key management protocol is used, key data can be shared between the mobile station and the base station, and the base station can control network access.
The security sublayer is connected with a physical layer through a physical service access point (PHY SAP). The PHY layer serves to transfer PDUs generated and encrypted in the MAC layer to a destination.