Hereinafter, a security sublayer used in a broadband wireless access system is briefly explained.
A security service provides confidentiality and integrity for network data. In data and network security, integrity means that specific information can be accessed or modified only by an authorized user; in particular, integrity ensures that a message is not arbitrarily modified by a third party or the like. Confidentiality means that specific information is disclosed to authorized persons only; that is, confidentiality protects the contents of transferred data so that an unauthorized person cannot access them.
The security sublayer provides security, authentication, and confidentiality in a broadband wireless network. It is able to apply an encryption function to a medium access control protocol data unit (MAC PDU) transferred between a mobile station and a base station. Therefore, the base station or the mobile station is able to provide a strong defense against a service theft attack by an illegitimate user.
The base station encrypts a service flow across the network to protect the data transfer service from unauthorized access. The security sublayer causes the base station to distribute key-related information to the mobile station using a key management protocol with an authenticated client/server structure. In doing so, the basic security mechanism can be further reinforced by adding digital-certificate-based mobile station device authentication to the key management protocol.
If, during basic capability negotiation between a base station and a mobile station, the mobile station does not provide a security function, the authentication and key exchange procedures are skipped. Moreover, even if a specific mobile station is registered as one incapable of supporting an authentication function, the base station is able to regard the authority of that mobile station as verified. If a specific mobile station does not support a security function, no service is provided to that mobile station; hence, neither a key exchange nor a data encryption function is performed.
The security sublayer consists of an encapsulation protocol and a privacy key management (PKM) protocol. The encapsulation protocol secures packet data in a broadband wireless network: it defines a set of cryptographic suites, each pairing a data encryption algorithm with a data authentication algorithm, together with the method of applying such algorithms to a MAC PDU payload. The PKM protocol provides a method of safely distributing key-related data from a base station to a mobile station. Using the PKM protocol, the base station and the mobile station can safely share key-related data, and the base station is able to control network access.
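As an added illustration that is not part of this description, the following Python sketch models how the encapsulation protocol applies a cryptographic suite to a MAC PDU payload: the generic MAC header stays in the clear, the payload is encrypted, and an integrity check value over header and ciphertext is appended and verified before any decryption, so a PDU modified in transit is rejected. The key names, the field sizes and the HMAC-SHA256-based suite are assumptions standing in for the key-related data and the cipher suite the description leaves unspecified; they are not the suite of any particular wireless standard.

```python
import hashlib
import hmac
import os

# Assumed layout (hypothetical, for illustration only): a 6-byte generic MAC
# header sent in the clear, a per-PDU nonce, the encrypted payload, and a
# truncated integrity check value (ICV) covering header + nonce + ciphertext.
HEADER_LEN = 6
NONCE_LEN = 4
ICV_LEN = 8


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a stand-in for the suite's data encryption algorithm."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encapsulate(enc_key: bytes, auth_key: bytes, header: bytes, payload: bytes, nonce: bytes = b"") -> bytes:
    """Apply the suite to the MAC PDU payload; enc_key/auth_key model key-related data distributed by PKM."""
    if len(header) != HEADER_LEN:
        raise ValueError("generic MAC header must be %d bytes" % HEADER_LEN)
    nonce = nonce or os.urandom(NONCE_LEN)  # fresh nonce per PDU so equal payloads do not repeat
    ciphertext = bytes(p ^ k for p, k in zip(payload, _keystream(enc_key, nonce, len(payload))))
    body = header + nonce + ciphertext
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]  # data authentication
    return body + icv


def decapsulate(enc_key: bytes, auth_key: bytes, pdu: bytes):
    """Verify integrity first, then decrypt; returns (header, payload) or None if the PDU was modified."""
    if len(pdu) < HEADER_LEN + NONCE_LEN + ICV_LEN:
        return None
    body, icv = pdu[:-ICV_LEN], pdu[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # constant-time compare of the ICV
        return None
    header = body[:HEADER_LEN]
    nonce = body[HEADER_LEN:HEADER_LEN + NONCE_LEN]
    ciphertext = body[HEADER_LEN + NONCE_LEN:]
    payload = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return header, payload
```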