Motorola Wireless Broadband Platform manual: Canopy’s Proprietary Protocol, Authentication

Models: Wireless Broadband Platform


Today, the Canopy system incorporates a flexible security model that supports a wide variety of system configurations ranging from a fully open system to an authenticated/encrypted air link with dynamic session key assignment. The Canopy system uses industry-proven authentication and encryption technologies to ensure that the service provider maintains control of the network. The system comes with Data Encryption Standard (DES) to protect against eavesdropping, and Advanced Encryption Standard (AES) is available as an option for customers requiring the most secure network available. The following paragraphs highlight each of these advanced features in further detail.

CANOPY’S PROPRIETARY PROTOCOL

Canopy’s proprietary air interface provides a strong foundation against attacks by invaders. First of all, because the Canopy system is based on a proprietary protocol, there are no published specifications for the product by which sniffer radios could be built. In addition, a sniffer would require the proprietary Canopy chip set that is not readily available. Second, the MAC protocol for packet assembly, disassembly and retransmission is not published. Third, data transmitted over the air is scrambled into 64-byte data packages, thus providing an additional obstacle to unauthorized decoding. Finally, the directionality of the Canopy system transmissions impedes eavesdropping. In other words, the proprietary air interface presents a major hurdle for unauthorized parties. Of course, the Canopy system’s security is not based merely on secrecy of its air interface.

AUTHENTICATION

Clearly, it is inadvisable to transmit information that one assumes is secure using clear text, as it can be easily monitored. Unlike many fixed wireless broadband products, the Canopy system does not use clear text transmissions but rather a proprietary protocol for transmissions. When this protocol is combined with the Canopy Bandwidth and Authentication Manager (BAM), an added level of security is achieved for the operator and the network.

The BAM controls access to a Canopy system, and each AP module can be configured to require secure SM authentication prior to providing network access. Each SM must be authenticated by the BAM before entering the network. SMs are authenticated and keys are managed individually. The authentication process also takes into account the electronic serial number unique to each transceiver along with a 128-bit secret key that is unique to each SM and is known only to the network operator. The eight-step authentication process is shown in Table 1.
