Certified Wireless USB - Security

Security

Robustness is one of the main concerns upon which the specification is built, and as such resource management and the connection/disconnection of devices become even more important than in wired USB. Packet loss and corruption are dealt with through timeouts as well as hardware buffering, guaranteed retries (as mentioned in the description of transfer models) and other flow control methods. If synchronism policies cannot be maintained, errors can be handled either by hardware or software (retries, failure on reaching the maximum number of retries, failure recovery decisions and so on).

The W-USB host tries to mitigate the unreliability of wireless media (a 10% error rate is considered acceptable for 1 kB packets; in wired media this value is usually around 10⁻⁹) by maintaining counters and statistics for each device and possibly requesting information from them. It can also access and modify the transmit power control functions of each device, as well as change transmission parameters such as data payload size and bandwidth adjustments.

The focus is always on providing quality of service comparable to that of traditional USB. Wires offer a very high level of security (given a typical trusted working environment), so standard USB does not deal with security, although nothing in it hinders security from being applied or implemented. W-USB manages security explicitly, but instead of building on the base of UWB it defines a model which is valid for USB in general. Because of this, the model must be added to the common USB device control plane.

For communication to exist, secure relationships must be established. These must have a defined purpose and restrict membership to the group, which serves as the base of trust to carry out the desired work. Within wired systems, data transfers imply a controlled physical connection; this translates into the wireless domain through the concept of ownership: the user grants trust to the devices, which in turn prove this trust to others (interacting in so-called ceremonies) in order to form the desired associations. The USB address identifier is a token of the owner's trust. Applications may require other bases of trust not directly supported by this USB-specific model, in which case they can be implemented on top of the core USB stack.

Moreover, trust needs to be maintained, otherwise it will expire. After receiving the group key of a cluster, a device must keep the connection alive by at least confirming its presence within each trust timeout boundary, which is set to four seconds. If it does not keep up with this requirement, reauthentication is demanded.

Following the natural asymmetry of USB, the host initiates all processes (except signaling), security being no exception. Security requests are made to devices to find their security capabilities, after which the appropriate devices can be chosen. The standard, symmetric encryption method is AES-128 with CCM, though public key encryption may be used for initial authentication (namely, only the sending of the initial CCM key), provided that the achieved security level is comparable (in practice by using 3072-bit RSA and SHA-256 for hashing).

Note that there is a difference between master keys and session keys. Master keys are long-lived and usually work as a shared secret or a means to distribute session keys, which in turn do not outlive the connection for which they were created and usually serve as the functional encryption/decryption mechanism. A specific header field indicates which of the possible keys is to be used. It is also important to note that replay prevention mechanisms require the keeping of counters which are updated on valid receptions. The range of these counters further limits the life of session keys.
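The trust timeout and the replay counters described above can be modelled on the receiving side as follows. This is an added illustration, not code from the W-USB specification: the `SessionKey` and `receive` names, the verdict strings, the per-key timer and the 8-bit counter range are assumptions chosen to keep the model small, and the `mic_ok` flag stands in for the AES-128 CCM integrity check.

```python
from dataclasses import dataclass

TRUST_TIMEOUT_S = 4.0          # trust timeout boundary stated in the text
COUNTER_MAX = 2**8 - 1         # assumption: tiny range so exhaustion is easy to show


@dataclass
class SessionKey:
    key_id: int                # value carried in the header field that selects the key
    last_counter: int = 0      # highest counter seen on a valid reception
    last_valid_at: float = 0.0 # time of the last valid reception (seconds)
    retired: bool = False      # set once trust expires or the counter range is used up


def receive(keys, key_id, counter, mic_ok, now):
    """Return a verdict for one packet; counters advance only on 'accept'."""
    key = keys.get(key_id)
    if key is None or key.retired:
        return "no-usable-key"
    if now - key.last_valid_at > TRUST_TIMEOUT_S:
        key.retired = True     # trust expired: reauthentication is demanded
        return "reauthenticate"
    if not mic_ok:             # stands in for the AES-128 CCM integrity check
        return "bad-mic"
    if counter <= key.last_counter:
        return "replay"
    key.last_counter, key.last_valid_at = counter, now
    if counter >= COUNTER_MAX:
        key.retired = True     # no fresh counter values remain under this key
    return "accept"


def run_demo():
    keys = {7: SessionKey(key_id=7)}      # constructed session, established at t=0
    trace = [                             # constructed packets: (key_id, counter, mic_ok, now)
        (7, 1, True, 1.0),                # fresh counter: accepted
        (7, 1, True, 1.5),                # same counter again: replay
        (7, 9, False, 2.0),               # failed integrity check: state must not advance
        (7, 2, True, 3.0),                # accepted, because 9 was never recorded
        (3, 5, True, 3.5),                # header names a key the receiver does not hold
        (7, 255, True, 6.0),              # last value in range: accepted, key then retired
        (7, 256, True, 6.5),              # counter range exhausted: new session key needed
    ]
    return [receive(keys, *pkt) for pkt in trace]


if __name__ == "__main__":
    print(run_demo())
```

Updating the counter only after the integrity check passes is what keeps a forged packet with a high counter from locking out legitimate traffic.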
