WHITE PAPER: HELPING TO SECURE THE WIMAX WORLD

VeriSign WiMAX Public Key Infrastructure Service

Helping to Secure the WiMAX World


Who should read this paper

The next generation of business and consumer mobile devices will have pervasive, high-speed mobile Internet access powered by WiMAX, a next-generation wireless technology. Early in the development of WiMAX, the WiMAX Forum selected VeriSign (now a part of Symantec) to be an authorized provider of PKI solutions to members of the WiMAX ecosystem. Learn how VeriSign WiMAX Public Key Infrastructure (PKI) Service, a hosted solution managed by Symantec, provides the building blocks for strongly authenticated connectivity between WiMAX devices and service provider networks.



Contents

Introduction
WiMAX and the need for security
WiMAX and PKI
Symantec PKI platform
Symantec selected by the WiMAX Forum
Hosted PKI Service offerings for Device Manufacturers and Service Providers
Conclusion


Introduction
WiMAX is a next-generation wireless technology designed to enable pervasive, high-speed mobile Internet access to a wide array of business and consumer mobile devices. From a technical perspective, WiMAX is a collection of integrated wireless broadband technologies and products built around the harmonized IEEE 802.16e/ETSI HiperMAN standard. With a range upwards of 30 miles (50 kilometers), WiMAX networks are designed to enable wireless metropolitan area networks.

Formed in 2001, the WiMAX Forum is a non-profit organization whose goal is to accelerate the introduction of WiMAX-based systems into the marketplace by promoting conformity and interoperability with the WiMAX standard. The WiMAX Forum offers a means of testing manufacturers' equipment for compatibility, and also functions as an industry group dedicated to fostering the development and commercialization of the technology.

WiMAX is in competition with other initiatives to become the new de facto standard for broadband wireless data services. It is critical that all aspects of the WiMAX design specifications operate in a highly secure and scalable fashion in order to gain rapid market acceptance and credibility over competing broadband services deployed today, like Wi-Fi and the GSM Long Term Evolution (LTE) roadmap. Time-to-market with a viable, trusted, and robust solution is a key enabler of broad adoption of a new standard. This is how the WiMAX Device and Server PKIs can function as the foundation of trust in the WiMAX ecosystem.

WiMAX and the need for security


Ensuring secure communication over WiMAX-based networks is a critical success factor for the growth of the WiMAX ecosystem. The WiMAX Forum, and its membership, has gone through considerable effort to build various levels and types of security into the WiMAX solution. Examples include:

- Adoption of the DOCSIS BPI+ (Data Over Cable Service Interface Specifications Baseline Privacy Plus) security protocol.
- WiMAX authentication relies, partially, on PKM-EAP (Public Key Management Extensible Authentication Protocol) and Transport Layer Security (TLS).
- WiMAX encryption uses CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), which uses the AES (Advanced Encryption Standard) algorithm for data encryption. WiMAX encryption also supports the earlier Triple DES standard.

Seamless security that is transparent to the end user and authentication of WiMAX-based devices to prevent unauthorized access to services are also crucial for widespread adoption by both consumers and service providers. Security solutions based on Public Key Infrastructure (PKI) are particularly well-suited in addressing these security and authentication needs.

WiMAX and PKI


PKI platforms are based on a trusted Certification Authority (CA) that issues, renews, revokes, and manages digital certificates used for validating identification. PKI delivers strong authentication to ensure that valid devices are properly authenticated for access (for example, that a device really is authorized to access a given service). Strong authentication provides an additional layer of protection beyond traditional access methods, such as shared secret keys or user names and passwords. Solutions using PKI digital certificates are also relatively transparent as they are embedded on devices and do not require interaction from the end user to authenticate device identity.

The WiMAX Forum determined that they needed a PKI-based solution, and that they would outsource the construction and maintenance of the infrastructure needed to operate a WiMAX-focused PKI platform, as opposed to developing it in-house. To ensure that the WiMAX ecosystem was properly secured, they realized that it would be a better fit to go with a vendor with deep expertise in PKI. The WiMAX Forum also required a solution that could evolve as their ecosystem evolved. This meant choosing a PKI solution that was:

- Tested to hold up to the rigors of an evolving and expanding platform
- Scalable to meet the increasing needs of new services/subscribers and device proliferation
- Available and reliable to meet customer and service provider satisfaction
- Flexible to evolve as WiMAX technology and the market matures
- Global to help enable expansion to the larger market

Symantec PKI platform


Symantec is the world's leading provider of hosted and managed PKI services. At the core of the Symantec PKI platform lies proven technology. Software and hardware are used to implement the functions of a Certification Authority (CA) and Registration Authority (RA), including necessary certificate lifecycle and status verification. The demands on PKI technology are considerable, as it must support strong security, high availability, multiple certificate types, and multiple interfaces. Most importantly, it must have a modular design, which permits distribution of the various PKI functions to where they are most effectively and efficiently deployed.

Leveraging Symantec state-of-the-art PKI infrastructure


The Symantec data center undergoes an annual industry-standard SAS-70 security audit that is conducted by a globally recognized independent auditor to ensure continued compliance with internal and external security policies and regulations. Over the past decade, Symantec has made significant investments in maintaining and enhancing data center security and a global infrastructure for delivering security services. Symantec's hosted and managed approach to PKI distinguishes itself from do-it-yourself, in-house alternatives by removing the burden of building and maintaining necessary elements of a PKI platform for a service provider or a device manufacturer. Symantec customers are able to leverage the company's significant investments in a fault-tolerant and redundant processing center with disaster recovery, plus the experience of running one of the largest PKIs in the world. This unique combination gives organizations control over security decision making and practices without the technology investments and operational hassles that come with do-it-yourself, in-house PKI solutions.

Symantec selected by the WiMAX Forum


Following an intense and comprehensive evaluation, the WiMAX Forum selected VeriSign (now a part of Symantec) to be an authorized provider of Server PKI and Device PKI solutions to members of the WiMAX ecosystem. VeriSign WiMAX Public Key Infrastructure (PKI) Service is a hosted solution, managed by Symantec, that provides the building blocks for strongly authenticated connectivity between WiMAX devices and service provider networks. It employs a Web-based interface that is intuitive, easy to use, and scales easily to millions of PKI digital certificates.

Enabling the WiMAX ecosystem


WiMAX PKI Service also enables a PKI solution that evolves with, and benefits, the WiMAX ecosystem. Since WiMAX PKI Service is managed and hosted, the WiMAX ecosystem can evolve without changes to its PKI infrastructure. It is also an extensible solution. As more entities join the ecosystem, they can benefit from WiMAX PKI Service. Since the entire ecosystem is supported by a common PKI solution, interoperability between various device manufacturers and service providers is possible.

The WiMAX Forum rationale for selecting Symantec


Symantec and WiMAX PKI Service were chosen by the WiMAX Forum to be a provider of services for both the Server PKI and the Device PKI for the following reasons:

Successful and long-standing operation of its PKI environment


Symantec operates one of the longest-running PKI platforms in the industry. Symantec's PKI business has been continuously operating since 1995. During this time, Symantec has steadily grown its business to include thousands of customers from around the world. A number of global networks rely on Symantec's PKI infrastructure, including the cable industries in the Americas, Asia, and Europe where tens of millions of devices operate with Symantec-issued digital certificates.

Global reach
Symantec provides 24 hours a day, seven days a week, 365 days a year support for thousands of customers around the globe. Symantec also supports regional sales and support partners in over 20 countries. Each operates authorized instances of Symantec's PKI infrastructure for their respective markets.

Minimal impact on WiMAX operations


For both Server PKI and Device PKI, Symantec provides a zero-footprint, self-service Web portal for the majority of digital certificate lifecycle functions. These interfaces are time tested and have supported thousands of customers around the world.

A robust PKI infrastructure


By partnering with Symantec, a leading and trusted brand on the Internet, WiMAX gains immediate credibility for its security and use of PKI. Symantec has achieved its reputation for delivering trust through the operation and support of a world-class PKI infrastructure. For more than a decade, companies, networks, and industry consortia have leveraged Symantec's brand and hosted PKI services to show the marketplace their commitment to the high level of security.

Commitment to PKI and WiMAX


Symantec can provide an unmatched level of expertise towards multi-customer, large-scale PKI deployments that must meet strict guidelines for availability, reliability, performance, security, and support. Symantec has been delivering similar services to large infrastructures for over a decade.

Neutrality
Symantec operates as an independent, trusted third-party operator of critical infrastructure services. As sole operator of the largest SSL certificate issuer in the world, Symantec is relied upon almost 50 billion times per day to provide services that must be neutral to all requestors. The membership of the WiMAX Forum consists primarily of service operators and device/equipment manufacturers.

While Symantec is neither an operator nor a manufacturer, it has been an active member of the WiMAX Forum for the past several years and has positioned itself as an independent provider of security services. This makes Symantec the perfect choice to be a neutral, trusted third-party operator for the WiMAX Device and WiMAX Server PKI solutions.

Hosted PKI Service offerings for Device Manufacturers and Service Providers

VeriSign WiMAX PKI Service for Device Manufacturers
VeriSign WiMAX PKI Service delivers a fast and efficient means to embed PKI-based digital certificates into any type of WiMAX-compliant subscriber station or device during the manufacturing process. It inherits industry-leading functionality from VeriSign Device Certificate Service, which currently has over 80 million devices worldwide that depend on it to deliver secure access to services. VeriSign WiMAX PKI Service is capable of supporting millions of end user PKI-based WiMAX digital certificates on a global scale, and enables a WiMAX Device PKI solution that is fully compliant with the latest WiMAX Forum Device PKI Certificate Policy (CP). Additionally, VeriSign WiMAX PKI Service:

- Supports requests for PKI-based digital certificates in bulk. The device manufacturer simply provides Symantec with a list of media access control (MAC) addresses, or unique device IDs. Symantec then generates the PKI-based digital certificates and securely delivers them to the manufacturer for inclusion on devices.
- Delivers WiMAX Device Public Key Certificates (PKCs) that are based on 2048-bit keys, signed by issuing Certificate Authorities (CA) using a SHA-256 signing algorithm, and contain the Authority Information Access (AIA) certificate extension.
- Can optionally, at the request of the manufacturer, generate private keys for Device PKCs. These private keys will be 2048-bit, and are delivered in a highly secure manner using encryption and requiring the use of smart card-based administrator certificates to decrypt the keys.
- Provides a Certificate Revocation List (CRL) that is fully compliant with the WiMAX Forum CRL profile. Most notably, the CRLs are based on 2048-bit keys and signed by issuing CAs using a SHA-256 signing algorithm.
- Can support both varieties of CA-hosting (for example, hosted by the manufacturer or hosted by Symantec). Symantec recommends an outsourced solution, where Symantec operates as the CA and also issues the end-entity certificates. This provides the most compelling value and long-term benefits of scale and service.

The following diagram provides a high level flow for the Symantec hosted device certificate service:


Figure 1: Device Certificate Deployment Process

1. The device manufacturer's administrator logs in to the secure Web portal and uploads a certificate request file (text format) that contains the list of MAC addresses or unique IDs for the devices. Alternatively, the device manufacturer can submit a batch of PKCS#10-formatted Certificate Signing Requests (CSRs).
2. Symantec processes the certificate request file and generates a compressed TAR file containing all issued digital certificates, and optionally the private keys (when the request is based on MAC addresses or other unique IDs).
3. An email from Symantec informs the device manufacturer's administrator that the batch of issued digital certificates is available for download.
4. The administrator downloads the compressed TAR file and uses the Symantec-provided uncompress and decrypt utility to receive all the digital certificates (and, optionally, private keys).
5. The administrator imports the resulting digital certificates into the manufacturer's certificate repository (for example, a database).
6. The device manufacturer injects the PKI-based digital certificates into the target WiMAX devices during the manufacturing process.

VeriSign WiMAX PKI Service for Service Providers
The WiMAX Forum has selected Symantec as the sole provider for its Server PKI for service providers. Symantec was chosen because of its robust PKI platform that has been in service since 1995, and is currently used by thousands of enterprise and government customers to secure their environments. By leveraging Symantec's expertise and extensive PKI infrastructure, service providers can benefit from Symantec's significant investments and PKI knowledge while retaining complete control over digital certificate lifecycle management, including issuance, renewal, and revocation. Additionally, VeriSign WiMAX PKI Service:

- Delivers a WiMAX Server PKI solution that is fully compliant with the latest WiMAX Forum Server PKI Certificate Policy (CP).
- Delivers WiMAX Server Public Key Certificates (PKCs) that are based on 2048-bit keys, signed by issuing CAs using a SHA-256 signing algorithm, and contain the AIA certificate extension.
- Will allow the issuance of multiple certificates for the same server name, and allow them to be tracked using a certificate serial number.
- Delivers an On-line Certificate Status Protocol (OCSP)-based validation service that fully conforms to the latest WiMAX Forum OCSP Profile. The OCSP responses are based on 2048-bit keys and signed by issuing CAs using a SHA-256 signing algorithm.
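The profile stated above for both Device and Server PKCs (2048-bit keys, SHA-256 signatures, the AIA extension) can be checked on every certificate in a delivered batch before it is imported. The following is an added example, not Symantec's utility or code from this paper: it assumes RSA keys and DER-encoded certificates, builds its own constructed, unsigned sample certificates, and checks only these three profile fields, not the signature or the chain.

```python
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
OID_AIA = bytes.fromhex("2b06010505070101")           # id-pe-authorityInfoAccess

def enc(tag, body):
    """Encode one DER TLV; used only to build the constructed samples."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def items(buf):
    """Split DER content into (tag, value) pairs; single-byte tags only."""
    out, i = [], 0
    while i < len(buf):
        tag, size, i = buf[i], buf[i + 1], i + 2
        if size & 0x80:  # long form: the next k bytes hold the length
            k = size & 0x7F
            size, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + size > len(buf):
            raise ValueError("truncated DER value")
        out.append((tag, buf[i:i + size]))
        i += size
    return out

def profile_violations(der):
    """Return the list of ways a certificate departs from the stated profile."""
    (_, cert), = items(der)
    (_, tbs), (_, sig_alg), _signature = items(cert)
    problems = []
    if items(sig_alg)[0][1] != OID_SHA256_RSA:
        problems.append("signature algorithm is not sha256WithRSAEncryption")
    fields = items(tbs)
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # optional [0] version
    # Remaining order: serial, signature, issuer, validity, subject, SPKI, ...
    bit_string = items(fields[5][1])[1][1]
    rsa_key = items(bit_string[1:])[0][1]  # skip the unused-bits octet
    bits = int.from_bytes(items(rsa_key)[0][1], "big").bit_length()
    if bits != 2048:
        problems.append(f"RSA modulus is {bits} bits, expected 2048")
    ext_oids = set()
    for tag, body in fields[6:]:
        if tag == 0xA3:  # explicit [3] extensions
            ext_oids = {items(ext)[0][1] for _, ext in items(items(body)[0][1])}
    if OID_AIA not in ext_oids:
        problems.append("Authority Information Access extension missing")
    return problems

def sample_cert(key_bits, sig_oid, with_aia):
    """Constructed, unsigned test certificate: placeholder modulus and signature."""
    seq = lambda *parts: enc(0x30, b"".join(parts))
    alg = lambda oid: seq(enc(0x06, oid), enc(0x05, b""))
    cn = seq(enc(0x06, bytes.fromhex("550403")), enc(0x0C, b"00:11:22:33:44:55"))
    name = seq(enc(0x31, cn))
    modulus = ((1 << (key_bits - 1)) | 1).to_bytes(key_bits // 8, "big")
    rsa = seq(enc(0x02, b"\x00" + modulus), enc(0x02, b"\x01\x00\x01"))
    spki = seq(alg(bytes.fromhex("2a864886f70d010101")), enc(0x03, b"\x00" + rsa))
    validity = seq(enc(0x17, b"110601000000Z"), enc(0x17, b"210601000000Z"))
    ocsp = seq(enc(0x06, bytes.fromhex("2b06010505073001")),
               enc(0x86, b"http://ocsp.example.test"))
    aia = enc(0xA3, seq(seq(enc(0x06, OID_AIA), enc(0x04, seq(ocsp)))))
    tbs = seq(enc(0xA0, enc(0x02, b"\x02")), enc(0x02, b"\x01"), alg(sig_oid), name,
              validity, name, spki, aia if with_aia else b"")
    return seq(tbs, alg(sig_oid), enc(0x03, b"\x00" + bytes(key_bits // 8)))
```

A certificate that passes this check still needs its signature and chain validated against the issuing CA before it is trusted.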

Figure 2: WiMAX PKI Service Fully Hosted by Symantec

All PKI functions are hosted and managed by Symantec, enabling the service provider to focus on its core business.

Certificate Issuance Process

1. A Certificate Signing Request (CSR) is entered by authorized operations personnel.
2. The administrator approves the request.
3. A digital certificate is issued and a notification is e-mailed back to the requestor.
4. The requestor logs into a Symantec-hosted portal to securely acquire the digital certificate.

Conclusion
In order to deliver the high level of trusted security to the WiMAX ecosystem and consumers, the WiMAX Forum determined that it needed a device authentication solution based on PKI technology. After an extensive evaluation, the WiMAX Forum selected Symantec to operate both its Device PKI and Service PKI. Symantec was selected because of its time-tested PKI platform, scalability and high availability, global reach, and vendor neutrality. Symantec will be working closely with the WiMAX Forum, and the overall WiMAX ecosystem, to help ensure that businesses and consumers have secure access and reliable communication over WiMAX networks.


About Symantec

Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com.

For specific country offices and contact numbers, please visit our website.

Symantec World Headquarters 350 Ellis St. Mountain View, CA 94043 USA +1 (650) 527 8000 1 (800) 721 3934 www.symantec.com

Symantec helps organizations secure and manage their information-driven world with security management, endpoint security, messaging security, and application security solutions. Copyright 2011 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. VeriSign, VeriSign Trust and other related marks are the trademarks or registered trademarks of VeriSign, Inc. or its affiliates or subsidiaries in the U.S. and other countries and licensed to Symantec Corporation. Other names may be trademarks of their respective owners. 6/2011 21195843
