We are often asked the question: Is CDMA secure? with an underlying ask: Is Aeriss CDMA service secure?
In this post, I will address the question of data security in the CDMA world, and what Aeris has done to improve this further for M2M Applications operating on our network.
But, before I start, here are some basic assumptions that I make about the M2M Devices:
- They are using CDMA packet data services and Short Message Service (SMS) packets for data transmissions.
- They are communicating with one, or more, Customer servers inside their private network.
Thus, the data security chain is from the Device to the Customer server systems.
Security by Design
The Aeris network is designed such that all network elements, including the M2M Devices, are protected from access outside Aeris to the maximum extent possible.
Security is further enhanced by segmenting the Aeris network by Customer accounts and further segmenting Customer accounts by Servicenames.
Using these Servicenames to separate traffic prevents inadvertent access from one Customer server (and the Devices) to another Customer server (and their devices) from inside the Aeris network.
The Elements in the Data Chain
These are the elements in the data transmission chain for 1xRTT, EV-DO and SMS:
- CDMA Radio Access Network (RAN).
- Aeriss Carrier partner infrastructure.
- Inter-Carrier network infrastructure.
- Aeriss internal network and infrastructure.
- Aeris Customer data connection.
Each element in the chain has its own security features that is appropriate for its operation and function.
In the rest of this post, I will examine these elements in a bit more depth, specifically for understanding the support for data security at those elements.
CDMA Radio Access Network
This element of the chain provides the wireless communication path between the M2M Devices and the CDMA base stations (commonly called towers).
People often think that the radio interface is the weakest link in the chain, since it is, after all, a radio transmission. Thus, there is a belief that this radio transmission can be easily intercepted and decoded.
Fortunately, this is not true for CDMA networksthe protocol incorporates a robust authentication and encryption protocol that resists such problems.
CDMA Devices have a 64-bit authentication key that generates a 128-bit Shared Secret Data (SSD) key value, a portion of which is sent to request access to the cellular network.
If the network elementspecifically an Authentication Center (AC)does not match the received value to its calculation of the key, the attempt to access the network is rejected and the Device does not receive any service.
Unlike the other common technologiesspecifically, FDMA and TDMAthe Code Division Multiple Access (CDMA) protocol uses codes to combine the transmissions from all the Devices at a location into a single frequency channel (or spectrum).
In standard ANSI-2000 CDMA, this is a 1.25 MHz bandwidth channelalthough depending on the density of the market, there may be multiple such channels providing service at a tower.
In the radio interface, the user data is multiplied by a pseudo-random noise (PN) sequence prior to actually transmitting the bits. The output of the multiplication is a new signal that is randomly spread over a frequency band (the 1.25 MHz channel) that is determined by the PN sequence length.
The receiving radios multiply the received data with the same synchronized PN sequence and extracts (or despreads) the original user data.
The CDMA system uses the unique code for the duration of a given data session or call, and avoids assigning the same code to other simultaneous sessions. Thus, multiple users can share a single radio channel.
Since there are over 4,400 billion code combinations available, it is very difficult to intercept a specific sessions PN sequence and decode the user data.
This technology is termed Direct-sequence Spread Spectrum and provides the necessary anti-jamming protections to make it a very secure radio transmission technology.
Carrier Partner Infrastructure
The Aeris network uses the Carrier infrastructure from the base station to the hand-off point to Aeris, although there may be multiple servers and systems in the path.
This includes the Carrier infrastructure elements, the Signaling System 7 (SS7) network for SMS data and cellular control information, as well as the Packet Data Support Node (PDSN) and Home Agent (HA) systems for the 1xRTT and EV-DO data traffic.
While these paths vary from each Carrier and base station, as a general rule, all the communication links are over private, dedicated lines, or over encrypted Virtual Private Network (VPN) connections.
The communication paths between Aeris and our Carrier partners, over which data and SMS messages flow, include the following:
- SMS messaging services using private SS7 networks.
- 1xRTT and EV-DO packet services using VPNs and private lines.
These communication paths are very secureparticularly the SS7 network that is designed to be secure and uses special protocols (ANSI-41) that are not available to the general public.
The telecommunications industry has standardized on SS7 for control and signal messages, as well as the transport of SMS data.
Aeriss Internal Infrastructure
Aeris has several unique security features that are designed specifically for M2M applications.
The Aeris internal network uses only private IP addresses and all access points to the Internet are fully fire-walled. Aeris coordinates IP addressing to essentially extend the Customers network into Aeris using VPNs or private data lines.
The Aeris systems are physically located in Class 1 Colocation facilitiesthese are commercial sites with carefully controlled access (using retina scan and fingerprint scan technology) and protected by armed security guards.
In addition, each data transport service has its unique security features, as described below.
SMS messaging security features include:
- Device validation via the Home Location Register ("HLR") and Authentication Center ("AC").
- Delivery validation via MINServicename matching.
- Device-to-Device SMS packet blocking.
The Packet Data services security features include:
- ANSI-2000 Mobile IP ("MIP") authentication, using full 128 bit SSD information.
- No Device-to-Device IP communications.
- No Device-to-Internet IP communications, unless specifically requested by the Customer.
- No endpoint server to other endpoint server access (i.e. into another Customers VPN).
- No general access to the Internet for Customer Devices, unless specifically requested by the Customer.
The last element is the connection between the Customer servers and the Aeris network systems.
Through proper configuration, the Aeris network becomes an extension of the Customers corporate network: Customers connect to the Aeris network via either a VPN or a dedicated line.
SMS data is transmitted to (and from) the Customer systems using the AerFrame Web Services interface (a standard XML/SOAP interface), or via SMS Peer-to-Peer Protocol (SMPP).
1xRTT and EV-DO packet services data is transmitted to the Customer via a TCP/IP or UDP/IP session (optionally, using additional IP stack client software like FTP).
Finally Application Data Encryption
We are often askedparticularly during the Application design phasewhether data to and from the Devices should be encrypted or not.
We believe that the inherent security of the Aeris CDMA network relieves the Customer of the need to encrypt Application data.
The encryption can add additional data overhead to the data transmissions, increasing operating costs.
It also adds complexity to the development process, increasing development and debugging costs.
However, we do not restrict Customers from making this choice.
Thus, if the particular industry requirements of the Customer M2M Application demands encryption, or if the Customer decides that end-to-end data encryption is necessary, then they can certainly implement encryption in their data transmissions.
The Bottom Line
In general, Customer data transmitted in compliance with the Aeris network security protocols will not traverse an open connection on the Internet or an equivalent public network.
Thus, data sent via a CDMA network, including the Aeris CDMA network, is quite well protected and sufficiently secure for M2M Applications.
What are your Comments?
I ask all readers of this post to provide comments, or ask questions, about the topics covered in this post.