Manualshelf

User Manual

ManualsBrandsAxcera ManualsElectronicsModel: BTS-7010 Multi-Channel MMDS/ITFS Booster
51525354555657585960
ADCP-XX-XXX • November 2000 • Section 3: WMTS Functional Description
Page 3-16
2000, ADC Telecommunications, Inc.
WMTS registration is immediately followed by initialization of the Privacy security functions.
Baseline Privacy initialization begins with the WMU sending the WMTS an authorization request,
containing data identifying the WMU (e.g., MAC address), the unicast SIDs that have been configured
to run Baseline Privacy. (The list would be empty if a cable modem was configured to only run
Baseline Privacy on multicast SIDs.) If the WMTS determines the requesting WMU is authorized for
these services, the WMTS responds with an authorization reply containing a list of SIDs (both unicast
and multicast) that the WMU is permitted to run Baseline Privacy on. After successfully completing
authorization with the WMTS, the cable modem sends key requests to the WMTS, requesting traffic
encryption keys to use with each of its Baseline Privacy SIDs (or SAID - Security Associated ID. A
algorithm [RFC2104]); the message authentication key is derived from the authorization key obtained
during the earlier authorization exchange. The WMTS responds with key replies, containing the
traffic encryption keys; the keys are DES encrypted with a key encryption key derived from the
authorization key. Like the Key Requests, Key Replies are authenticated with a keyed hash, where the
message authentication key is derived from the authorization key.
6.9 Key Update Mechanism
The traffic encryption keys which the WMTS provides to client WMUs have a limited lifetime key
value, in the key replies it sends to its client WMUs. The WMTS controls which keys are current by
flushing expired keys and generating new keys. It is the responsibility of individual cable modems to
insure the keys they are using match those the WMTS is using. Cable modems do this by tracking
when a particular key request for the latest key prior to that expiration time. In addition, cable
modems are required to periodically reauthorize with the WMTS; as is the case with traffic encryption
keys, an authorization key has a finite lifetime which the WMTS provides the WMU along with the
key value. It is the responsibility of individual cable modems to reauthorize and obtain (1) a new
authorization key and (2) a current list of supported SIDs before the WMTS expires their current
authorization key.
6.10 Baseline Privacy Key Management (BPKM) Protocol
The BPKM protocol is specified by two separate, but interdependent, state models: an authorization
state model (the Authorization state machine) and an operational service key state model (the Traffic
Encryption Key, or TEK state machine).
6.11 Authorization State Machine
The Authorization state machine consists of five states and seven distinct events (including receipt of
messages) that can trigger state transitions. The Authorization finite state machine (FSM) is presented
below in a graphical format, as a state flow model. The state flow diagram depicts the protocol
messages transmitted and internal The typographic conventions in the following flowcharts are:
- Ovals are states
- Events are in italics
- Messages are in normal font