Demystifying WiMAX Public Key Infrastructure (PKI) for Operators and Device Vendors

Guest post by Sanjiv Gupta, Intel Corp.

Since the first historical mobile WiMAX network deployment by Clear over a year ago, there have been more than 600 WiMAX networks worldwide which have either commercially launched or have entered into a planning/pre-deployment stage. For new devices (WiMAX Forum Certified or other devices) entering a Greenfield network, or for new devices entering an existing live mobile WiMAX network, the network operator, the device manufacturer or both need to comply with the WiMAX Forum defined Public Key Infrastructure (PKI) requirements ( The same mandate applies to existing fixed WiMAX (IEEE802.16-2004 or 802.16d) network deployments worldwide that plan on upgrading to a mobile WiMAX (IEEE802.16e-2005 or 802.16e) network infrastructure. PKI utilizes X.509 digital certificates and their respective keys to correctly identify the devices and servers AAA (Authentication, Authorization, and Accounting)], as well as to mutually authenticate within the mobile WiMAX network. The proper format and use of the X.509 certificates are described in the [IETF RFC3280 document with the cryptographic algorithms located in the PKCS#1-PKCS#13 specifications devised and published at RSA. VeriSign is the leading source for the Secure Sockets Layer (SSL) Certificate Authority (CA) as well as the sole entity for the processing of WiMAX Forum PKI certificate orders made by WiMAX operators.

Essentially, the operator and the device manufacturer are each tasked with configuring their respective AAA servers or devices with the proper WiMAX Forum® server certificates and device certificates, respectively – to ensure a successful EAP-TLS mutual certificate exchange between the server and the device. The certificate requirements summarized below are specific for the case of client devices (netbooks, notebooks, etc.) containing the Intel® Centrino® Advanced-N + WiMAX 6250 PCI Express Mini Card that will be conversing with the server.

The AAA server should contain six added files: the AAA Server Certificate bundled together with the WiMAX Forum Server Subordinate CA Certificate, the AAA specific Private Key, and the WiMAX Forum Device Root (CA) Certificates inside the “Trusted Store” (WiMAX Device Root (for Intel IT Flex), the WiMAX Device Root CA1 (for Verisign), and the WiMAX Device Root CA2 (for Motorola). The operator has to generate the AAA Private Key as part of the Certificate Signing Request Form (CSR), and the CSR (containing the AAA Private Key) has to be submitted to VeriSign. Upon processing the submission, VeriSign will provide the Scuba and the AAA Server Certificate to the operator. On the client side, the device has seven files added (burned into the Non-Volatile Memory (NVM) contained on Intel’s WiMAX PCI Express Mini Card solution): the Server Root Certificates (WiMAX Server Root (for Intel IT Flex), WiMAX Server Root CA1 (for VeriSign), WiMAX Server Root CA2 (for VeriSign), and the WiMAX Server Root CA3 (for VeriSign)), the Device specific Certificate bundled together with the WiMAX Forum Device Subordinate CA certificate, and the Device specific Private Key. Please keep in mind that the four distinct Server Root Certificates are used to accommodate most of the commonly used AAA servers used today.

What is free and what needs to be purchased? The WiMAX Forum Server Root (CA) Certificate and the WiMAX Forum Device Root (CA) Certificate are free, whereas, the WiMAX Forum Server Subordinate CA Certificate, the Server Certificate, the Device Subordinate CA Certificate, and the Device Certificate all need to be purchased.

Finally, with the PKI house-keeping completed, a mobile WiMAX device can now be deployed inside a mobile WiMAX network and begin the certificate exchange process with the AAA server. To put it simply, the process begins with the client device sending the Device Certificate and Device Subordinate CA Certificate (certificate chain) to the AAA server. The server then validates the Device Certificate using the Device Subordinate CA Certificate and the Device Root CA Certificate. Next, the AAA server sends the Server Certificate and Server Subordinate CA Certificate (Certificate chain) to the client device. It is now the client’s turn to validate the Server Certificate by using the Server Subordinate CA Certificate and the Server Root CA Certificate.

Comments are closed.