Raj, I'm fine with having out of scope threads on the master device or the wsdb themselves.
Maybe PAWS could help the wsdb to detect a compromised master device (or slave device). Or misuse, e.g. incorrect position and antenna info. Spending few words on this may help. Here is room for more thoughts: can PAWS help the wsdb to decide this info is correct? A straightforward approach would be sending a picture with recent newspaper, the antenna and a clear view of the surrounding :-) More serious: in a project where I am involved, each set of equipment is registered, including photo's. Providing such to a wsdb is less inept as one may think. Thanks, Teco Op 27 jan. 2012, om 20:39 heeft <[email protected]> <[email protected]> het volgende geschreven: > > Hello, > > While discussing the requirements we concluded that it would be useful to > have a threat model for PAWS. Below is an initial writeup of the threat > model. This threat model can be included in the Security considerations > section of the Use-case and Requirements I-D. Security requirements can be > derived from this threat model. > Comments welcome. > > -Raj > > > Threat model for the PAWS protocol > ---------------------------------- > > Assumptions: > ............ > > o It is assumed that an attacker has full access to the network medium > between the master device and the white space database. The attacker > may be able to eavesdrop on any communications between these > entities. The link between the master device and the white space > database can be wired or wireless and provides IP connectivity. > > o It is assumed that the master device or the white space database > have NOT been compromised from a security standpoint. > > Threat 1: Obtain master device authentication/authorization secrets > The master device needs to authenticate itself with the white > space database prior to requesting channel information. The > attacker may try to get access to the secrets of the master > device which can be used maliciously. The effect of such an > attack being successful would result in a malicious client > replaying the stolen authentication/authorization secrets to a > white space database. > > Threat 2: Spoofed white space database > A master device discovers a white space database(s) thru which > it can query for channel information. The master device needs > to ensure that the white space database with which it > communicates with is an authentic entity. The white space > database needs to provide its identity to the master device > which can confirm the validity/authenticty of the database. An > attacker may attempt to spoof a white space database and > provide responses to a master device which are malicious and > result in the master device causing interference to the primary > user of the spectrum. > > Threat 3: Modifying a query request > An attacker may modify the query request sent by a master > device to a white space database. The attacker may change the > location of the device or the capabilities in terms of its > transmit power or antenna height etc. which could result in the > database responding with incorrect information about available > channels or max transmit power allowed. The result of such an > attack is that the master device would cause intereference to > the primary user of the spectrum. It could also result in a > denial of service to the master device by indicating that no > channels are available. > > Threat 4: Modifying a query response > An attacker could modify the query response sent by the white > space database to a master device. The channel information or > transmit power allowed type of parameters carried in the > response could be modified by the attacker resulting in the > master device using channels that are not available at a > location or transmitting at a greater power level than allowed > resulting in interference to the primary user of that > spectrum. Alternatively the attacker may indicate no channel > availability at a location resulting in a denial of service to > the master device. > > Threat 5: Using query response information > An attacker may be a master device which is not certified for > use by the relevant regulatory body. The attacker may listen to > the communication between a valid master device and white space > database and utilize the information about available channels > in the response message by utilizing those channels. The result > of such an attack is unauthorized use of channels by a master > device which is not certified to operate. > > > > > _______________________________________________ > paws mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/paws _______________________________________________ paws mailing list [email protected] https://www.ietf.org/mailman/listinfo/paws
