Adnan Shahid Khan et. al. / International Journal of Engineering Science and Technology Vol. 2(6), 2010, 2192-2199

Efficient Distributed Authentication Key Scheme for Multi-hop Relay in IEEE 802.16j Network

ADNAN SHAHID KHAN
Telematic Research Group, Faculty of Electrical Engineering, Universiti Teknologi Malaysia, Johor Bahru, Malaysia
http://trg.fke.utm.my/members/adnan

NORSHEILA FISAL
Telematic Research Group, Faculty of Electrical Engineering, Universiti Teknologi Malaysia, Johor Bahru, Malaysia

SHARIFAH KAMILAH
Telematic Research Group, Faculty of Electrical Engineering, Universiti Teknologi Malaysia, Johor Bahru, Malaysia

MAZLAN ABBAS
MIMOS BERHAD

Abstract: Relaying and cooperation have re-emerged as an important research topic in wireless communication over the past decade. The IEEE 802.16j Multihop Relay network is being developed to deliver high-capacity services with large cell coverage. Considerable interest currently exists in the exploitation of relay-based WiMAX, mainly because of its lower infrastructure cost and higher data transfer rates compared to existing 3G. However, owing to the lack of physical boundaries and the introduction of distributed relays, it is known to be more vulnerable to security holes as a trade-off. In this paper we propose a new distributed authentication key scheme for the Multihop Relay IEEE 802.16j network service. The proposed scheme uses decode-and-forward relays with localized authentication. It works in distributed authentication mode to authenticate the Subscriber Station (SS) and Relay Stations (RS) at initial network entry. Our new efficient distributed scheme draws on the relevant security issues and the application features of the Multihop Relay network. Both analysis and performance evaluation show that our scheme can significantly reduce the security holes as well as communication overheads.

Keywords: Distributed Networks; IEEE 802.16j; Multi-Hop Relay; Key Management; Traffic Encryption Key.

1. Introduction

Wireless networks have become more and more pervasive due to their many advantages. The IEEE 802.16 standard aims to provide broadband wireless access (BWA) for metropolitan area networks (MAN), and is designed for the delivery of last-mile BWA as an alternative to cable and DSL. To support BWA, high data transmission is necessary. In March 2006, a new task group, IEEE 802.16j, was introduced, which attempts to amend the current IEEE 802.16e standard by inserting RSs between the BS and Subscriber Stations (SSs) in order to support multi-hop relay operation in wireless broadband networks.

These relays may operate in three possible schemes, depending on how they process the received signals: amplify and forward, decode and forward, and estimate and forward. A relay operating in the amplify-and-forward scheme, or transparent mode, cannot decode the control information from the Multihop Relay base station (MR-BS). In contrast, relays operating in the decode-and-forward scheme, or non-transparent Access Relays (NT-ARS), must transmit control information by themselves. Here we assume that the relays operate in non-transparent distributed scheduling and security mode, which can show better performance than other RSs [2].

At the same time, wireless networks are an important example of scenarios where capturing and forging packets is relatively easy, and attacks against such networked systems are becoming more complex and powerful. Thus, security is essential in wireless technologies to allow rapid adoption and enhance their maturity. While designing the standard, the IEEE 802.16 working group took the security aspects into consideration to avoid the mistakes of IEEE 802.11. The standard security specifications are mainly found within the MAC layer, in what is called the security sublayer. The separate security sublayer provides authentication, secure key exchange and encryption. IEEE 802.16 employs the concept of a security association (SA), which defines security parameters, keys and encryption
algorithms. First, the authorization SA, though not explicitly defined by the standard, consists of an X.509 certificate, an authorization key (AK), a key encryption key (KEK) and a hash message authentication code (HMAC) key, which are used for authorization, authentication and key management. Second, the data SA for transport connections consists of an SA identifier (SAID), a cipher, traffic encryption keys (TEKs) and initialization vectors for the TEKs, which are used for secure data transmission, as in IEEE 802.16j.

In a Multihop Relay network, when an SS accesses a BS through an RS, the RS should perform the same authentication function on behalf of the BS, in contrast to the basic standard, where the routing is done only at the BS. IEEE 802.16e is no doubt vulnerable to security threats and has several possible solutions, but the introduction of RSs into the standard opens it up again to attackers, for example through a rogue RS. Interleaving and replay attacks were unsolved issues in IEEE 802.16e. This paper gives an overview of security issues in Multihop Relay networks, such as replay attacks, Denial of Service (DoS) and interleaving attacks.

The rest of the paper is organized as follows. Section 2 introduces related work on security issues in Multihop Relay networks. Section 3 discusses different security issues of IEEE 802.16j. Section 4 discusses the proposed distributed authentication scheme in detail. Section 5 analyzes the proposed distributed authentication scheme. Section 6 evaluates the performance of section 3. We follow up with a conclusion and acknowledgments in sections 7 and 8 respectively.

2. Related Works

The IEEE 802.16 standard stipulates some powerful security controls, including PKMv2, EAP-based authentication and over-the-air AES-based encryption.
But secure technology does not in itself make a secure end-to-end network, and consequently WiMAX presents a range of security vulnerabilities. Since the first amendment on MR specifications was released [1], a few papers have been published that introduce and address the security issues. Some papers review this standard in detail, such as [2] and [3]. Sen Xu and Manton Matthews published a series of works, such as [4] and [5], on security issues in the standard as well as in the Privacy Key Management (PKM) protocols. Karen Scarfone and team produced a special publication, Guide to Security for WiMAX Technologies (Draft), containing the recommendations of the National Institute of Standards and Technology (NIST). Taeshik Shon and Wook Choi [6] analyzed Mobile WiMAX security, vulnerabilities and solutions. Y. Lee and H. K. Lee [7] focus on a hybrid authentication scheme and key distribution for MMR in IEEE 802.16j. Other papers, such as [8] and [9], give a more detailed picture of efficient rekeying algorithms. The authors of [10], [11] and [14] review the standard and analyze its security in many aspects, such as vulnerabilities in the authentication and key management protocols and failures in data encryption. In [12] the PKM protocol is discussed in detail; more attacks on versions of the PKM protocols are listed in [10], [13] and [1].

In the IEEE 802.16j standard, Multihop Relay (MR) is an optional deployment in which a BS (802.16e) may be replaced by a Multihop Relay BS (MR-BS) and one or more relay stations (RS). The MR mechanism provides several advantages, such as providing additional coverage for the serving BS, increasing transmission speed in an access network, providing mobility without SS handover, decreasing power consumption when transmitting and receiving packets, and enhancing the quality of services [15].
However, none of the above publications covers security for non-transparent relays in a distributed environment in detail.

3. Security Issues of IEEE 802.16j

The security sublayer lies above the physical layer and below the MAC CPS, which is encrypted, authenticated and validated. However, the header and control information added by the physical layer are not encrypted or authenticated. Thus physical layer information attached to the higher-layer packets is vulnerable to analysis [18]. The MAC management messages are sent in the clear to facilitate network operations. Thus the MAC header, DCD, DL-MAP, UCD, UL-MAP, RNG-REQ, RNG-RSP, PKM-REQ, PKM-RSP, SBC-REQ and SBC-RSP messages are all sent unencrypted, which gives the attacker a wide field to work in, especially for interleaving and replay attacks; even if those do not succeed, the information in these messages is enough for a DoS attack.

A DoS attack on the BS/NT-ARS may occur during PKMv2 authentication because of the intense public-key computational load: an attacker might simply flood the BS/NT-ARS with messages, and the BS/NT-ARS could use up its computational resources evaluating signatures and decrypting messages [16].

The authentication process between the BS and the NT-ARS/SS/subordinate RS in PKMv2 is vulnerable to an interleaving attack. In this attack, the attacker impersonates a valid NT-ARS/SS/subordinate RS, exchanges the first two messages of the PKMv2 sequence with a valid BS or NT-ARS, and then replays these to the original, valid NT-ARS/SS/subordinate RS to gain the final PKMv2 messages. The attacker then uses the final message from the original NT-ARS/SS/subordinate RS to complete the original PKMv2 sequence with the BS. This results in unauthorized access to the network [17]. As the number of hops increases in the distributed and non-transparent
environment, unreliability increases, and so more powerful and complex interleaving attacks can be mounted. When the attack involves the BS, it is somewhat tricky for the attacker, but when an NT-ARS is involved, since the NT-ARS is not as complex and intelligent as the BS, the chance of an interleaving attack is higher for the NT-ARS than for the BS.

4. Proposed Distributed Authentication Scheme

When an access RS is operating in non-transparent distributed security mode, the authentication key established between the SS/RS and the BS is distributed to this NT-ARS. According to the standard, during the registration process an NT-ARS can be configured to operate in distributed security mode based on its capabilities. In the IEEE 802.16j Multihop network, two different security modes are defined. The first, referred to as the centralized security mode, is based on key management between an MR-BS and an SS. In centralized authentication, security control resides in the BS of the Multihop Relay system, and the security association (SA) is established between the SS/RS and the BS without the involvement of the intermediate RS. The RS does not try to decrypt the user data or authenticate the MAC management messages (MM) it receives from the MS but simply relays them. If only centralized authentication is used, the chance of the attacks left unsolved in IEEE 802.16e, such as replay and interleaving attacks, is high, and if PKMv1 is used in the centralized authentication scheme, the Man-in-the-Middle attack is at its worst. The second security mode, referred to as the distributed authentication mode, incorporates authentication and key management between the BS and an NT-ARS and between the NT-ARS and an SS/RS. The NT-ARS can also generate its own authentication keys to secure the localized environment.
Node-to-node authentication is preferred to centralized authentication, where authentication is end to end. Usually the BS periodically broadcasts DL-MAP MMs. The RS/MS scans those MMs and sends a request to the neighboring facilitator BS/RS. However, when an NT-ARS is operating in distributed security mode, the authentication key established between the SS and the BS is distributed to this NT-ARS. An NT-ARS operating in this mode relays the initial PKM messages between the BS and the SS/RS. When the master session key (MSK) has been calculated by the BS and the NT-ARS and is fully established, the BS shall securely transfer the relevant authorization key (AK) to its NT-ARS. The NT-ARS derives all the necessary keys and starts the traffic encryption key (TEK) procedure with the SS/RS. An NT-ARS first joins the network by sending its authentication information message, which the BS may, as usual, ignore; however, it immediately sends an authorization request message to the BS, and in response the BS generates AK0 and replies to the NT-ARS, as shown in Fig 1. Once the NT-ARS has obtained AK0 from the BS, it is eligible to serve its neighboring NT-ARS/SS/RS with its own generated AK01. We assume that the system has more than two hops. NT-ARS2 is ready to derive its own AK02 to transfer upon an authentication request from an SS/RS. At this stage, if any SS2 sends an authentication request to the NT-ARS, it will be acknowledged with AK02. Now SS2, (NT-ARS1 & NT-ARS2) and the BS have AK02, AK01 and AK0 respectively.

The main responsibility of the SS is to refresh its AK by periodically making an authorization request to the NT-ARS, to avoid service interruptions during reauthorization. Successive generations of the SS's AKs have overlapping lifetimes. The SS needs to support up to two simultaneously active AKs during this transition period with the NT-ARS, but the NT-ARS needs to support up to four simultaneously active AKs during the transition period with the BS and other NT-ARS/SS/RS. The BS shall always be prepared to start re-authentication upon request.
The BS shall be able to support two simultaneously active AKs for each client NT-ARS/SS/RS. The NT-ARS thus has four active AKs during an AK transition period; the four active keys have overlapping lifetimes. An AK transition period begins when the NT-ARS receives an Auth Request message from an NT-ARS/SS/RS and the NT-ARS has a double active AK for that SS/RS. On the other hand, the NT-ARS needs to maintain two active keys with the BS to remain authenticated. In response to the Auth Request from the SS/RS, the NT-ARS activates a second AK, which shall have a key sequence number one greater (modulo 16) than that of the existing AK and shall be sent back to the requesting SS/RS in an Auth Reply message, as shown in Fig 2. The NT-ARS shall set the active lifetime of this second AK to be the remaining lifetime of the first AK plus the predefined AK Lifetime; thus, the second, “newer” key shall remain active for one AK Lifetime beyond the expiration of the first, “older” key. The key transition period shall end with the expiration of the older key. As long as the NT-ARS is in the middle of an SS/RS AK transition period, and thus is holding two active AKs for that SS/RS and two active AKs with the BS, it shall respond to Auth Request messages with the newer of the two active keys. Once the older key expires, an Auth Request shall trigger the activation of a new AK and the start of a new key transition period, as shown in Fig 2.


Fig 1: Proposed AK Management in NT-distributed Multihop Relay Networks


Fig 2: Proposed Authorization State Machine Flow Diagram
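The AK transition rules of section 4 can be exercised with a small model. The following is an added example, not code from the paper: the class and function names, the 600-second AK Lifetime and the use of random bytes as AK material are assumptions made for illustration.

```python
import os
from dataclasses import dataclass, field

AK_LIFETIME = 600.0   # assumed "predefined AK Lifetime" in seconds (constructed value)
SEQ_MODULUS = 16      # key sequence numbers wrap modulo 16, as the text states


@dataclass
class AuthKey:
    seq: int            # key sequence number, 0..15
    expires_at: float   # absolute expiry time in seconds
    # Random bytes stand in for AK material; the page gives no derivation.
    key: bytes = field(default_factory=lambda: os.urandom(20), repr=False)


class AKIssuer:
    """AK state one issuer (BS or NT-ARS) keeps for a single client."""

    def __init__(self):
        self.active = []      # at most two AKs, oldest first
        self.last_seq = -1    # so the first AK issued gets sequence number 0

    def _expire(self, now):
        self.active = [k for k in self.active if k.expires_at > now]

    def in_transition(self, now):
        """True while two AKs are active, i.e. until the older key expires."""
        self._expire(now)
        return len(self.active) == 2

    def on_auth_request(self, now):
        """Handle an Auth Request at time `now`; return the AK for the Auth Reply."""
        self._expire(now)
        if len(self.active) == 2:
            return self.active[-1]      # mid-transition: answer with the newer key
        # Zero or one active AK: activate a new one whose lifetime is the
        # remaining lifetime of the older key plus one AK Lifetime.
        remaining = self.active[0].expires_at - now if self.active else 0.0
        self.last_seq = (self.last_seq + 1) % SEQ_MODULUS
        ak = AuthKey(self.last_seq, now + remaining + AK_LIFETIME)
        self.active.append(ak)
        return ak


class NtArs:
    """NT-ARS view: AKs shared with the BS plus AKs issued per subordinate."""

    def __init__(self, bs_side):
        self.bs_side = bs_side    # state the BS keeps for this NT-ARS
        self.clients = {}         # subordinate id -> AKIssuer

    def refresh_with_bs(self, now):
        return self.bs_side.on_auth_request(now)

    def auth_request_from(self, client_id, now):
        return self.clients.setdefault(client_id, AKIssuer()).on_auth_request(now)

    def active_ak_count(self, client_id, now):
        """AKs held for the BS link plus one subordinate link (at most four)."""
        down = self.clients.get(client_id, AKIssuer())
        down._expire(now)
        self.bs_side._expire(now)
        return len(self.bs_side.active) + len(down.active)


def demo():
    """Constructed timeline: (seq, expiry) of each Auth Reply to SS2, and peak AK count."""
    ars = NtArs(AKIssuer())
    ars.refresh_with_bs(0.0)
    ars.refresh_with_bs(50.0)                 # NT-ARS now holds two AKs with the BS
    trace, peak = [], 0
    for t in (0.0, 100.0, 200.0, 700.0):      # Auth Requests from SS2
        ak = ars.auth_request_from("SS2", t)
        trace.append((ak.seq, ak.expires_at))
        peak = max(peak, ars.active_ak_count("SS2", t))
    return trace, peak


if __name__ == "__main__":
    print(demo())
```
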

5. Analysis of the Proposed Distributed Authentication Scheme

5.1 Denial of Service

DoS attacks on the BS/NT-ARS could happen during PKMv2 authentication because of the heavy public-key computational load. Here, we assume that the attacker is external to the network, is able to analyze the unencrypted parts of the management traffic, and observes the timing, size and source of traffic. The attacker can prevent or hinder communication with little effort by disrupting certain important packets. All messages communicated prior to the secure key exchange between the BS and the NT-ARS/SS/RS are not authenticated. In our distributed authentication scheme, the BS authenticates the NT-ARS, creates a trustworthy environment and securely
transfers the AK to the NT-ARS, which in turn creates a trustworthy environment with its single-hop localized SS or subordinate RS and securely transfers the AK, which minimizes the chance of DoS in the network.

5.2 Replay attack

In a replay attack, the attacker captures a transmitted message and resends it after a certain amount of time; for example, the BS/NT-ARS may face a replay attack from an adversary who intercepts and saves the authentication messages previously sent by a legitimate NT-ARS/SS/RS. In our proposed authentication key scheme, the MAC header for the NT-ARS contains the CID field of the NT-ARS, which is incremented after each new session. Thus, as a hop-by-hop or localized authentication scheme, this leads to the breakdown of the replay attack. If the NT-ARS/BS repeats a transmission with the same CID, it will negotiate a new set of secret keys, requiring the recalculation of the HMAC digest, and thus maintain the trustworthy environment within the network.

5.3 Interleaving attack

In an IEEE 802.16 network, only two problems were left for the attacker to accomplish the interleaving attack. First, the AK in PKMv2 is derived from the Pre-AK with the MAC addresses of the BS and SS; mimicking the MAC address of the BS and SS is no great difficulty in wireless networks. Second, PKMv2 uses an AAA server to bind a secure session; this can also be counterfeited or replayed by the attacker to the SS [5]. In IEEE 802.16j Multihop networks, the number of wireless devices involved is increased, which opens up a wide space for interleaving attacks. In our proposed scheme the NT-ARS acts as a BS to its subordinate RS or SS, which is why the BS needs to have full confidence in the NT-ARS before sending any messages to its SS. It is just like localized authentication: for a single hop, an interleaving attack is a bit tricky [5].
Once the NT-ARS is successfully authenticated by the BS, it ought to be allowed to decode and forward all messages from the BS to other RSs or SSs.

5.4 Communication Cost

The communication cost of our distributed scheme consists of two parts: the cost of communication of the NT-ARS with the BS and SS/RS, and the cost of communication of the BS with the NT-ARS and SS/RS. The cost of the NT-ARS is directly proportional to the number of BSs and SS/RSs involved and the number of hops. Upon each communication, the NT-ARS sends ‘S’ requests and receives as many responses. So the total communication cost of NT-ARS is .

.

.

.

.

Where Request-size is the size of the request message in bytes, Response-size is the size of the response messages, SbU is the size of the buffer and Avg.Num.Hop is the average number of hops between the networks. The cost of communication of the BS with the NT-ARS and SS/RS is actually not distributed; we compute the maximum cost by including impersonated-message attacks as well. .

.

.

.

.

.

Where I ( ) is the message load of impersonating nodes under the different attacks. In our case, we try to decrease the cost of I ( ); even if the cost of hops increases, in either case the communication cost remains the same.
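The replay countermeasure of section 5.2 (a CID that increases per session, checked hop by hop, with rekeying when a CID repeats) can be sketched as follows. This is an added example, not code from the paper: the frame layout (16-bit CID, payload, HMAC tag), the choice of HMAC-SHA1, the names and the keys are constructed assumptions, and CID wrap-around is not modelled.

```python
import hashlib
import hmac
import struct

DIGEST_LEN = hashlib.sha1().digest_size   # 20 bytes; HMAC-SHA1 is assumed here


def build_frame(hmac_key, cid, payload):
    """Sender side: 16-bit CID || payload || HMAC over both (constructed layout)."""
    header = struct.pack(">H", cid)
    tag = hmac.new(hmac_key, header + payload, hashlib.sha1).digest()
    return header + payload + tag


class HopReceiver:
    """Per-hop receiver (BS or NT-ARS) tracking the highest CID accepted per peer."""

    def __init__(self):
        self.hmac_keys = {}         # peer id -> HMAC key tied to the current AK
        self.last_cid = {}          # peer id -> highest CID accepted so far
        self.rekey_pending = set()  # peers that must negotiate new keys

    def install_key(self, peer, hmac_key):
        # New keys start a fresh CID window and clear a pending rekey.
        self.hmac_keys[peer] = hmac_key
        self.last_cid.pop(peer, None)
        self.rekey_pending.discard(peer)

    def accept(self, peer, frame):
        key = self.hmac_keys.get(peer)
        if key is None or peer in self.rekey_pending:
            return "rekey-required"
        if len(frame) < 2 + DIGEST_LEN:
            return "malformed"
        body, tag = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
        expected = hmac.new(key, body, hashlib.sha1).digest()
        # Authenticate before trusting the CID: the header travels in the clear,
        # so a counter outside the HMAC could simply be rewritten.
        if not hmac.compare_digest(tag, expected):
            return "bad-hmac"
        (cid,) = struct.unpack(">H", body[:2])
        if cid <= self.last_cid.get(peer, -1):
            self.rekey_pending.add(peer)   # repeated CID: force new keys
            return "replay"
        self.last_cid[peer] = cid
        return "ok"


def demo():
    """Constructed scenario: one captured frame replayed before and after rekeying."""
    rx = HopReceiver()
    old_key, new_key = b"k" * 20, b"n" * 20            # constructed keys
    rx.install_key("NT-ARS1", old_key)
    captured = build_frame(old_key, 7, b"PKM-REQ")     # frame an eavesdropper saved
    results = [rx.accept("NT-ARS1", captured)]         # original delivery
    results.append(rx.accept("NT-ARS1", captured))     # replayed copy
    results.append(rx.accept("NT-ARS1", build_frame(old_key, 8, b"PKM-REQ")))
    rx.install_key("NT-ARS1", new_key)                 # keys renegotiated
    results.append(rx.accept("NT-ARS1", captured))     # old frame under the new key
    results.append(rx.accept("NT-ARS1", build_frame(new_key, 8, b"PKM-REQ")))
    return results


if __name__ == "__main__":
    print(demo())
```
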

6. Performance Evaluation

To demonstrate the feasibility of the previously illustrated attacks and countermeasures, the approach of our evaluation is to assess the most vulnerable hop in the IEEE 802.16j Multihop network using our efficient distributed authentication key scheme. We observed that, as the NT-ARS is not very complex and intelligent, even in the secured environment more of the given attacks were found in the communication between the NT-ARS and the SS/RS than between the BS and the NT-ARS. However, the unsecured environment appears to be the most vulnerable. Our distributed authentication scheme proves to be powerful against the above-mentioned attacks.


Fig 3: Comparison of attacks occurring within different localized hops

7. Conclusion

Although IEEE 802.16 has a very robust and promising security architecture, there are still some gaps that need to be sorted out. In IEEE 802.16j Multihop Relay networks, as the number of devices or hops increases, unreliability increases greatly, which gives the attacker an extensive field to operate in. In this paper, the NT-ARS acts as a BS and is just a subset of it; the BS, with its strong, intelligent and complex nature as well as its organized backhaul support, is less vulnerable. We have discussed three severe attacks on the existing standard: DoS, replay and interleaving attacks. In the proposed authentication scheme, the NT-ARS acts as an SS to the BS; the MSK is calculated at the NT-ARS and the BS initially, and then the BS securely transfers the AK to the NT-ARS. Once the NT-ARS is successfully authenticated, it performs the same steps with further NT-ARS/SS/subordinate RS, rather than the MSK being transferred directly to the SS via the NT-ARS, where the probability of the above attacks is higher. Our findings also include the communication cost, which is identical to that of the standard, making this scheme more powerful and efficient as well.

8. Acknowledgments

This work is fully funded by the MTCP (Malaysian Technical Cooperation Programme) award and partially by MIMOS CoE. My heartfelt gratitude to Prof. Dr. Norsheila Fisal (director of MIMOS CoE), Associate Prof. Dr. Sharifah Kamilah and Dr. Mazlan Abbas for their constant supervision.

REFERENCES
[1] IEEE 802.16's Relay Task Group. http://www.802wirelessworld.com.
[2] Intel white paper, “IEEE 802.16 and WiMax: Broadband Wireless Access for Everyone,” 2004.
[3] Roger Marks, “A technical Overview of the WirelessMAN Air Interface for Broadband Wireless Access,” IEEE C802.16-02/05, 2002.
[4] Sen Xu, Manton Matthews and Chin-Tser Huang. Security Issues in Privacy and Key Management Protocols of IEEE 802.16. In ACM SE'06. Florida USA. March 2006.
[5] S. Xu and C. T. Huang, “Attacks on PKM protocols in IEEE 802.16 and its later versions”, ISWC06, September 2006.
[6] Taeshik Shon, Wook Choi: An Analysis of Mobile WiMAX Security: Vulnerabilities and Solutions, First International Conference, NBiS 2007, LNCS, Vol. 4650, pp. 88-97, 2007.
[7] Y. Lee, H. K. Lee, G. Y. Lee, H. J. Kim and C. K. Jeong, “Design of Hybrid Authentication Scheme and Key Distribution for Mobile Multi-hop Relay in IEEE 802.16j”, EATIS’09, June 3-5, Prague, CZ, 2009.
[8] David Johnston and Jesse Walker. Overview of IEEE 802.16 Security. IEEE Security & Privacy, Society. May/June 2004. 40-48.
[9] Ju-Yi Kuo: Analysis of 802.16e Multicast/Broadcast group privacy rekeying protocol, Stanford University, CA, USA, 2006, available at http://www.stanford.edu/class/cs259/projects/project01/01-Writeup.pdf
[10] S. Adibi, B. Lin, P.-H. Ho, G.B. Agnew, S. Erfani, Authentication Authorization and Accounting (AAA) Schemes in WiMAX, University of Waterloo, Broadband Communication Research Centre (BBCR), appears in: Electro/information Technology, 2006 IEEE International Conference on 7-10 on pages: 210-215, May 2006.
[11] S. Adibi, G. B. Agnew, T. Tofigh, End-to-End (E2E) Security Approach in WiMAX: Security Technical Overview for Corporate Multimedia Applications, 747-758, Handbook of Research on Wireless Security (2 Volumes), Edited By: Yan Zhang, Jun Zheng, Miao Ma, 2008.
[12] Yanchao Zhang and Yuguang Fang. ARSA: An Attack-Resilient Security Architecture for Multihop Wireless Mesh Networks. IEEE Journal on Selected Areas in Communications. Vol. 24. No. 10. (Oct. 2006) 1916-1928.
[13] Yuksel E.: Analysis of the PKMv2 Protocol in IEEE 802.16e-2005 Using Static Analysis, Informatics and Mathematical Modeling, Technical University Denmark, DTU, 2007, available at http://www2.imm.dtu.dk/pubdb/views/publication_details.php?id=5159
[14] Adnan Shahid Khan, Prof. Dr. Norsheila Fisal, Sazzad Hossain, “Man-in-the-Middle Attack and possible solutions on Wimax 802.16j”. In proceedings of International Conference on Recent and Emerging Advanced Technologies in Engineering (iCREATE 2009). Pan Pacific KL International Airport Hotel, Malaysia, 22-24 November 2009.
[15] Masato Okuda, Chenxi Zhu and Dorin Viorel, Multihop Relay Extension for Wimax Networks - Overview and Benefits of IEEE 802.16j Standard, FUJITSU Sci. Tech. J., 44, 3, p. 292-302 (July 2008).
[16] Maccari L, Paoli M, Fantacci R. Security analysis of IEEE 802.16. IEEE international conference on communications, 2007: 1160-1165.
[17] Huang C, Chang J. Responding to security issues in Wimax networks. IT Professional 2008; 10(5):15-21.
[18] Adnan Shahid Khan, Prof. Dr. Norsheila Fisal, Abdelhamid. “Security Sublayer: A Required Evolution of Wireless Security IEEE 802.16j”. In proceedings of IEEE International Conference on Antenna Propagation and System (INAS 2009), Grand Paragon Hotel, Johor Bahru, 3-5 December 2009.

ISSN: 0975-5462
