DOCSIS - Security

Security

DOCSIS includes MAC-layer security services in its Baseline Privacy Interface specifications. DOCSIS 1.0 used the initial Baseline Privacy Interface (BPI) specification. BPI was later improved with the release of the Baseline Privacy Interface Plus (BPI+) specification used by DOCSIS 1.1 and 2.0. With DOCSIS 3.0, a number of further enhancements were added and the specification was renamed "Security" (SEC).

The intent of the BPI/SEC specifications is to describe MAC-layer security services for communications between the DOCSIS CMTS and its cable modems. BPI/SEC security goals are twofold:

  • provide cable modem users with data privacy across the cable network
  • provide cable service operators with service protection; i.e., prevent unauthorized modems and users from gaining access to the network’s RF MAC services

BPI/SEC is intended to prevent cable users from listening to each other. It does this by encrypting data flows between the CMTS and the cable modem. BPI and BPI+ use 56-bit DES encryption, while SEC adds support for 128-bit AES. All versions provide for periodic refresh of the traffic encryption keys, with a lifetime configured by the network operator, to limit how much traffic any one key protects. Note that 56-bit DES is within reach of brute force with modest hardware, so on a BPI or BPI+ link the key refresh bounds the exposure per key but does not make the cipher strong; AES-128 under SEC is the only option that provides real confidentiality today.

BPI/SEC is intended to allow cable service operators to refuse service to uncertified cable modems and unauthorized users. BPI+ strengthened service protection by adding digital-certificate-based authentication to its key exchange protocol, using a public key infrastructure (PKI) rooted in the certificate authorities (CAs) of the certification testers, currently Excentis (formerly known as tComLabs) for EuroDOCSIS and CableLabs for DOCSIS. The cable modem is usually tied to a subscriber by manually adding the modem's MAC address to the customer's account; the operator then grants network access to a modem that can attest to that MAC address with a valid certificate issued through the PKI. The earlier BPI specification (ANSI/SCTE 22-2) offered only limited service protection because its key management protocol did not authenticate the cable modem at all, so the CMTS had nothing beyond the announced MAC address on which to base the decision.

Security in a DOCSIS network is substantially improved when only the traffic the operator needs is permitted to reach the network infrastructure and end-user communication to the CMTS and provisioning systems is denied. Successful attacks often depend on a CMTS that is configured for backward compatibility with early, pre-standard DOCSIS 1.1 modems. These modems were software-upgradeable in the field but did not carry valid DOCSIS or EuroDOCSIS root certificates, so a CMTS that accepts them is accepting modems it cannot authenticate, and the check collapses back to the unauthenticated MAC address of BPI.
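The authorization decision described in the two paragraphs above, as an added example that is not part of the original page and not the code of any DOCSIS implementation: a toy CMTS that validates a modem's certificate chain against pinned roots, binds the MAC address the modem announces to the certificate subject (BPI+ device certificates name the modem by its MAC), looks the MAC up in the provisioning records, and, if configured for BPI-era compatibility, falls back to trusting the announced MAC alone. Everything in it is constructed for the example: the toy RSA keys over fixed Mersenne primes (unpadded, not secure), the string-encoded certificate that stands in for X.509, the CA names, MAC addresses and account table, and the fixed authorization key that a real CMTS would draw at random.

```python
"""Toy model of the BPI+ authorization decision at a CMTS.

Everything here is constructed for the example: toy RSA over fixed
Mersenne primes (no padding, not secure), a string-encoded certificate
in place of X.509, made-up CA names, MAC addresses and an account table.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Key = Tuple[int, int]  # (modulus n, public or private exponent)


def toy_rsa_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Return ((n, e), (n, d)) from two primes. Toy sizes only."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def _h(data: bytes, n: int) -> int:
    """SHA-256 of data reduced into the toy modulus (stands in for padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: Key, data: bytes) -> int:
    n, d = priv
    return pow(_h(data, n), d, n)


def verify(pub: Key, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _h(data, n)


@dataclass(frozen=True)
class Cert:
    subject: str          # device cert: the modem MAC; CA cert: the CA name
    pubkey: Key
    issuer: str
    signature: int = 0

    def tbs(self) -> bytes:  # the "to be signed" bytes the issuer signs over
        return f"{self.subject}|{self.pubkey[0]}|{self.pubkey[1]}|{self.issuer}".encode()


def issue(subject: str, pub: Key, issuer: str, issuer_priv: Key) -> Cert:
    return Cert(subject, pub, issuer, sign(issuer_priv, Cert(subject, pub, issuer).tbs()))


def chain_valid(cm: Cert, mfg: Cert, roots: Dict[str, Key]) -> bool:
    """Manufacturer CA cert must chain to a pinned root; the CM cert to that CA."""
    root_pub = roots.get(mfg.issuer)
    if root_pub is None or not verify(root_pub, mfg.tbs(), mfg.signature):
        return False
    return cm.issuer == mfg.subject and verify(mfg.pubkey, cm.tbs(), cm.signature)


def new_ak(n: int) -> int:
    """Authorization key. Fixed here for reproducibility; a real CMTS draws it at random."""
    return _h(b"constructed AK, not random", n)


def authorize(claimed_mac: str, cm: Optional[Cert], mfg: Optional[Cert],
              roots: Dict[str, Key], accounts: Dict[str, str],
              legacy_bpi_compat: bool = False) -> Tuple[str, Optional[int]]:
    """CMTS decision: (reason, AK encrypted to the modem's public key or None)."""
    mac = claimed_mac.lower()
    if cm is None or mfg is None or not chain_valid(cm, mfg, roots):
        if not legacy_bpi_compat:
            return "reject: no certificate chain to a trusted root", None
        # BPI-era fallback: the announced MAC is the only credential, so a
        # cloned MAC gets service. This is the compatibility setting to avoid.
        return ("authorize-legacy" if mac in accounts else "reject: unknown MAC"), None
    if cm.subject.lower() != mac:
        return "reject: claimed MAC does not match certificate subject", None
    if mac not in accounts:
        return "reject: certified modem not provisioned to any account", None
    n, e = cm.pubkey
    # Only the holder of the matching private key can recover the AK, so a
    # copied certificate without its private key is useless to a cloner.
    return "authorize", pow(new_ak(n), e, n)


def build_demo() -> dict:
    """Constructed PKI: one root, one manufacturer CA, a legitimate modem,
    an attacker-owned but genuinely certified modem, and a self-signed chain."""
    def m(k: int) -> int:  # Mersenne primes for k in {13, 17, 19, 31, 61, 89, 107, 127}
        return (1 << k) - 1
    root_pub, root_priv = toy_rsa_keypair(m(127), m(107))
    mfg_pub, mfg_priv = toy_rsa_keypair(m(89), m(61))
    cm_pub, cm_priv = toy_rsa_keypair(m(31), m(19))
    atk_pub, atk_priv = toy_rsa_keypair(m(17), m(13))
    roots = {"Example DOCSIS Root": root_pub}
    mfg_cert = issue("Example Modem Co CA", mfg_pub, "Example DOCSIS Root", root_priv)
    cm_cert = issue("00:10:95:aa:bb:cc", cm_pub, "Example Modem Co CA", mfg_priv)
    atk_cert = issue("00:10:95:de:ad:00", atk_pub, "Example Modem Co CA", mfg_priv)
    rogue_ca = issue("Rogue CA", atk_pub, "Rogue CA", atk_priv)
    self_signed = issue("00:10:95:aa:bb:cc", atk_pub, "Rogue CA", atk_priv)
    accounts = {"00:10:95:aa:bb:cc": "customer-1"}  # constructed provisioning table
    return dict(roots=roots, accounts=accounts, mfg_cert=mfg_cert, cm_cert=cm_cert,
                cm_priv=cm_priv, atk_cert=atk_cert, atk_priv=atk_priv,
                rogue_ca=rogue_ca, self_signed=self_signed)


if __name__ == "__main__":
    d = build_demo()
    for label, mac, cm, ca, legacy in [
        ("legitimate modem", "00:10:95:aa:bb:cc", d["cm_cert"], d["mfg_cert"], False),
        ("certified modem spoofing a provisioned MAC", "00:10:95:aa:bb:cc", d["atk_cert"], d["mfg_cert"], False),
        ("self-signed chain, strict CMTS", "00:10:95:aa:bb:cc", d["self_signed"], d["rogue_ca"], False),
        ("self-signed chain, legacy-compatible CMTS", "00:10:95:aa:bb:cc", d["self_signed"], d["rogue_ca"], True),
    ]:
        print(f"{label}: {authorize(mac, cm, ca, d['roots'], d['accounts'], legacy)[0]}")
```

The last two scenarios are the point of the compatibility warning: the same self-signed, unverifiable modem is refused by a strict CMTS and admitted by one configured for pre-standard modems, because in that mode the announced MAC is the whole credential. The encrypted-AK return shows why copying a legitimate modem's certificate is not enough under BPI+: without the private key the cloner cannot recover the authorization key and never gets traffic keys.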
