Secure and Fast Handover Scheme Based on Pre-Authentication Method for 802.16/WiMAX Infrastructure Networks

Hung-Min Sun1, Yue-Hsun Lin1, Shuai-Min Chen1, Yi-Chung Shen2

1 Department of Computer Science, National Tsing Hua University, HsingChu, Taiwan 300, R.O.C.
2 Networks and Multimedia Institute, Institute for Information Industry, Taipei, Taiwan 106, R.O.C.

Abstract- 802.16/WiMAX is going to be the most popular technology in wireless communications. In 2006, IEEE 802.16e was proposed to address mobility. In order to maintain security, re-authentication should be considered when the mobile station hands over. However, re-authentication adds latency and consumes power. On the other hand, several fast authentication schemes based on the pre-authentication concept have been proposed for 802.11/WLAN networks. These schemes provide different methods to enhance the efficiency and security of the re-authentication procedure. Using the pre-authentication concept, we propose a pre-authentication scheme for WiMAX infrastructures in this paper. For flexibility and security, the proposed scheme is combined with the PKI architecture. It provides a secure and fast re-authentication procedure during macro-handover in 802.16/WiMAX networks.

I. INTRODUCTION

Since IEEE 802.11 products [11] are becoming popular and are being developed for BWA (Broadband Wireless Access) [3], IEEE 802.16 [1] seems to be the next generation of wireless technology. Before 2006, the 802.16d standard [1] was suitable only for fixed subscriber stations (SS). In February 2006, the IEEE 802.16 Task Group [14] published the 802.16e standard [2] for mobile stations (MS), which is developed for mobile devices, including laptops, mobile phones, and so on. The WiMAX Forum [12] also takes a leading position in the progress of the 802.16 standards. The Forum promotes and certifies compatibility and interoperability of 802.16 products, including security issues.

In 802.16d [1], the security mechanism only provides RSA-based authentication under PKMv1. However, there are many security flaws in PKMv1 [9], such as a weak encryption method, lack of message integrity, and lack of mutual authentication. In 802.16e, the Task Group adopts the Extensible Authentication Protocol (EAP) [7], [10] as the authentication mechanism, co-existing with the RSA-based authentication. Furthermore, it uses a new version of PKM, PKMv2, to solve the security flaws that were found in PKMv1. Those security flaws are therefore no longer threats.

The EAP framework provides enough security strength in different wireless protocols and is becoming more popular in industry. Unfortunately, the re-authentication procedure in the EAP framework causes long latency, which has been a well-known bottleneck for a long time [4]. Therefore, many studies and technologies have been proposed to solve this problem [4]. For the 802.11/WLAN environment, the proactive key distribution method (PKD) has been proposed to provide an efficient authentication scheme during handover [6]. The concept behind the PKD scheme is pre-authentication. The authentication task between a mobile station and the nearby access points can be done through the serving access point. When a mobile station roams to a neighboring area and tries to access the neighboring access points, the authentication flow becomes faster since some steps were executed before roaming.

In this paper, we enhance the efficiency of the EAP re-authentication procedure during handover, based on the pre-authentication methodology. In the proposed scheme, the keys shared between the MS and the authenticators are pre-computed. After the MS roams to a neighboring area, re-authentication takes less time than the standard procedure. Moreover, for security, we apply the Public Key Infrastructure (PKI) architecture to the proposed scheme.

This paper is organized as follows. In Section II, the background of 802.16/WiMAX and related research on fast re-authentication are introduced. In Section III, the proposed scheme is given. In Section IV, the security and efficiency analysis of the proposed scheme are given. Finally, the conclusion is presented.

II. BACKGROUND AND RELATED WORKS

A.

Network Model in WiMAX

Before discussing the authentication scheme in 802.16/WiMAX, we first review the network model [13], illustrated in Fig. 1. The network model contains two operators, the NAP and the NSP. In the WiMAX standard [13], the NAP is the Network Access Provider, which provides WiMAX radio access through one or more ASNs. A NAP comprises several ASNs (Access Service Networks). An ASN provides the complete set of functionalities needed by a WiMAX MS (mobile station). Within the AAA framework [8], it transfers AAA messages to the backend AAA server located in the NSP. The NSP, on the other hand, is the main service provider and is constructed from several CSNs (Connectivity Service Networks). Since authentication is one of the services, AAA servers are often located in CSN networks.

Figure 1. The 802.16/WiMAX Network Model

Based on this infrastructure, ASNs are used for two purposes: AAA proxy or authenticator. Generally speaking, ASNs are relay components in the communication. Each ASN contains one or more base stations (BS). The serving BSs provide a large radio access area and communicate with mobile users (MS). Since the WiMAX standard supports mobility [2], it defines two types of handover. One is micro-handover, in which an MS moves from one BS to another BS located in the same ASN network. The other is macro-handover, in which an MS moves from one ASN to another ASN. The roamed MS can still be authenticated since the two ASN gateways are in the same CSN.

B.

EAP-TLS

The WiMAX Forum [13] specifies that the Supplicant and the AAA Server should execute mutual authentication through one of the EAP methods, including EAP-TLS, EAP-AKA, and so on. Since the proposed scheme focuses on the EAP-TLS method, we use Fig. 2 to show the procedure of EAP-TLS [10]. In Fig. 2, after the authentication process, the Supplicant and the AAA Server cooperate to generate a Master Session Key (MSK), and the AAA Server then transfers the MSK to the Authenticator (ASN). After the ASN and the MS have the MSK, they can derive the Pairwise Master Key (PMK) and the Authorization Key (AK) from it. Next, the ASN transfers the AK to the serving BS. Finally, the BS and the MS execute the SA-TEK three-way handshake using the AK, followed by the Key Request step, to complete the authentication flow.

C.

Fast Pre-Authentication Scheme

Recently, Kassab et al. proposed a fast pre-authentication scheme [5] for 802.11 networks based on proactive key distribution [6]. This scheme reduces the handover latency by reducing the steps of EAP-TLS and pre-computing the necessary key material between MSs and BSs. Two re-authentication schemes are proposed: PKD with IAPP caching and PKD with anticipated 4-way handshake.

The basic scheme, PKD [6], pre-computes the PMK between the MS and the neighbor access point (AP). The procedure is executed with the AAA server. When the MS roams to the neighboring area, the PMK should no longer be adopted.

The extended version is PKD combined with IAPP caching [5]. In the pre-authentication stage, the AP executes an IAPP exchange with its neighboring APs to negotiate the PTK (Pairwise Transient Key) and the TIME_AUTH value. Next, the previous PKD starts. When handoff occurs, the MS and the new AP share the PMK and the PTK. Therefore, they only execute the Group Key Handshake. The major enhancement is that the PTK is generated before the MS roams.

The other scheme is PKD with anticipated 4-way handshake [5], a modified version of the PKD scheme. The PTK negotiation procedure is moved to the pre-authentication stage. Therefore, during handover, the MS only executes the Group Key Handshake exchange with the new AP to complete the authentication. Due to the limited space of this paper, we refer readers to the original paper [5] for thorough information.

III. SECURE HANDOVER SCHEME

A.

PKI Framework

Before describing the proposed scheme, we discuss the PKI (Public Key Infrastructure) framework, since it provides high security. With the PKI framework, the proposed scheme can provide confidentiality and secrecy. The functionalities used in the proposed scheme, data encryption and digital signature, are listed in Table I. Data encryption provides data confidentiality, and the signature scheme provides message integrity and non-repudiation. The proposed scheme is mainly based on these security properties of PKI.

In the PKI architecture, the Certificate Authorization (CA) organization issues a key pair to each user: a public key and a private key. The public key is stored in a public area accessible to everyone. It is often stored in a well-formatted certificate, e.g., an X.509 certificate. The private key, on the other hand, must be kept secret by the key owner. These two keys are used for data transmission and message signing.

TABLE I. NOTATIONS

Notation            Definition
PUK_A               A public key of A
PRK_A               A private key of A
ENCPUK_A(X)         Encrypt X with A's public key
DECPRI_A(X)         Decrypt X with A's private key
SIGNPRK_A(X)        Generate signature for message X through A's private key
VerifyPUB_A(X,S)    Verify message X with the corresponding signature S through A's public key
XA                  Pseudo-random number generated by A
IDA                 The identifier of Role A
H()                 One-way hash function
M1 || M2            Concatenation of M1 and M2

Figure 2. EAP-TLS Authentication Flow

Figure 3. The Flows of the Proposed Scheme. The numbers in parentheses indicate the step numbers in the text. When the MS roams to other domains, it only executes the red area instead of the whole EAP-TLS process.

Without loss of generality, we assume that Alice and Bob have each other's certificate (public key) issued by a trusted CA. When Alice wants to send messages to Bob, she encrypts the data with Bob's public key, obtained from Bob's certificate issued by the CA. In addition, Bob's certificate can be verified through the CA's certificate. After receiving the encrypted message, Bob can decrypt the ciphertext with his private key. If an attacker intercepts the transmitted message, he obtains no information without Bob's private key. The only possibility is that the attacker can break the underlying hard problem, such as integer factoring, the discrete logarithm problem or other NP-hard problems. However, it is impossible to design a polynomial-time algorithm to break it. The cryptosystem is provably secure.

The other threat is impersonation. Since an attacker may impersonate Alice to send fake messages to Bob, the system should provide message authentication via a digital signature mechanism. When Alice wants to send a message to Bob, she can attach the corresponding signature by signing the original message with her private key. After receiving the message accompanied by the signature, Bob can verify the message and its signature using Alice's public key. If the signature is valid, he can be sure of the message's correctness. In conclusion, the PKI framework satisfies the security demands in the design of the proposed scheme.

B.

The Proposed Scheme

In this section, we introduce the proposed re-authentication scheme based on the pre-authentication method. The details of the procedure are depicted in Fig. 3. We describe each step in the following paragraphs.

0th Step: The MS finishes the mutual authentication with the AAA server through the EAP-TLS protocol over RADIUS. In this step, the authenticator (ASN1 gateway) and the AAA server are trusted by the MS.

1st Step: ASN1 sends its neighbor ASN list (NL) to the MS, which contains the identities of the ASNs, together with the corresponding certificates of the ASNs (NCL). The public keys are stored in the corresponding certificates. NL and NCL map to each other, e.g., (ASN1, PUK_ASN1), (ASN2, PUK_ASN2), …, (ASNn, PUK_ASNn). It is reasonable to assume that n is less than 10, since it is the number of the ASN's neighbors. Therefore, the amount of data the MS receives is acceptable. Since the certificates are issued by the root CA, PUK_ASNi can be verified through the CA certificate.

2nd Step: The MS generates a pseudo-random number Xi, encrypts it with ASNi's public key, and concatenates the result with its own identity and that of ASNi, e.g., ENCPUK_ASNi[Xi] || IDMS || IDASNi. For simplicity, we write this as Pi. Moreover, to ensure integrity, the MS also signs the message, e.g., SIGNPRI-MS[Pi]. The ciphertext and its signature are sent to ASN1. After receiving these values, ASN1 verifies the correctness of the signed message by verifying the signature, e.g., verifying the signature SIGNPRI-MS[Pi] to obtain Pi' and checking the consistency of the obtained Pi' with the received Pi. If they are equal, the received Pi was not modified during transmission. Next, ASN1 relays the received message to ASNi.

3rd Step: After receiving the message from ASN1, ASNi first verifies its correctness by verifying the signature, in the same way as in the 2nd Step. If verification succeeds, ASNi decrypts it to retrieve Xi through DECPRI_ASNi[Xi]. ASNi generates a random number Yi, encrypts it with PUB_MS, and then concatenates it with its own identity and that of the MS, e.g., ENCPUB_MS[Yi] || IDASNi || IDMS. ASNi also signs the message to ensure integrity. After encrypting and signing this message, ASNi transmits it to the MS through ASN1. After receiving the message, the MS can verify its correctness and decrypt it to retrieve Yi.

4th Step: Once the MS hands off to the ASNi radio range, the MS sends a re-authentication request to ASNi. Since the MS and ASNi negotiated with each other previously, they share two pseudo-random numbers, Xi and Yi. ASNi and the MS compute PMKi by hashing Xi and Yi, e.g., PMKi = H(Xi || Yi). After these steps, the MS and ASNi share the same PMKi, and they can compute the AK as the 802.16 standard specifies. After generating the AK, ASNi transfers the AK to the serving base station BS. The BS and the MS can then perform the SA-TEK three-way handshake as IEEE 802.16 specifies [13].
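The exchange of the 2nd to 4th Steps, sketched in Python as an added example (not code from the paper). Textbook RSA over small Mersenne primes stands in for the certified key pairs and must not be used for real traffic; the identity check on receipt, the `|` separator, SHA-256 as H() and all function names are assumptions of this sketch, and each `ToyKey` object holds both halves of a pair only to keep the demo short.

```python
import hashlib
import secrets

# Mersenne primes, used only to build small demo keys (constructed values).
M61, M89, M107, M127 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1

def h_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

class ToyKey:
    """Textbook RSA, no padding: stand-in for a certified key pair, NOT secure."""
    def __init__(self, p, q, e=65537):
        self.n, self.e = p * q, e
        self.d = pow(e, -1, (p - 1) * (q - 1))   # private exponent
    def enc(self, m):                            # ENCPUK_A(X)
        return pow(m, self.e, self.n)
    def dec(self, c):                            # DECPRI_A(X)
        return pow(c, self.d, self.n)
    def sign(self, msg):                         # SIGNPRK_A(X)
        return pow(h_int(msg) % self.n, self.d, self.n)
    def verify(self, msg, sig):                  # VerifyPUB_A(X,S)
        return pow(sig, self.e, self.n) == h_int(msg) % self.n

def build(sender, recipient, secret, id_src, id_dst):
    """Sender side of Steps 2 and 3: P = ENC(secret) || ID_src || ID_dst, signed."""
    p = recipient.enc(secret).to_bytes(32, "big") + id_src + b"|" + id_dst
    return p, sender.sign(p)

def accept(recipient, sender, p, sig, id_src, id_dst):
    """Receiver side: verify the signature, check the bound identities, decrypt."""
    if not sender.verify(p, sig):
        raise ValueError("signature check failed")
    if p[32:] != id_src + b"|" + id_dst:         # assumed check, not in the paper
        raise ValueError("identities do not match this exchange")
    return recipient.dec(int.from_bytes(p[:32], "big"))

def pmk(x, y):
    """4th Step: PMKi = H(Xi || Yi), here with SHA-256 over 16-byte encodings."""
    return hashlib.sha256(x.to_bytes(16, "big") + y.to_bytes(16, "big")).digest()

def preauth(ms, asn_i, tamper=False):
    """Run Steps 2 to 4; return the PMKi computed by MS and by ASNi."""
    id_ms, id_asn = b"MS", b"ASNi"
    x = secrets.randbits(128)                    # Xi, chosen by MS
    p, sig = build(ms, asn_i, x, id_ms, id_asn)
    if tamper:                                   # one bit changed in transit
        p = bytes([p[0] ^ 1]) + p[1:]
    if not ms.verify(p, sig):                    # ASN1 verifies before relaying
        raise ValueError("ASN1 dropped a modified message")
    x_at_asn = accept(asn_i, ms, p, sig, id_ms, id_asn)
    y = secrets.randbits(128)                    # Yi, chosen by ASNi
    q, sig_q = build(asn_i, ms, y, id_asn, id_ms)
    y_at_ms = accept(ms, asn_i, q, sig_q, id_asn, id_ms)
    return pmk(x, y_at_ms), pmk(x_at_asn, y)

MS_KEY, ASN_KEY = ToyKey(M127, M107), ToyKey(M89, M61)   # constructed demo keys

if __name__ == "__main__":
    print([k.hex() for k in preauth(MS_KEY, ASN_KEY)])
```

Both returned values are equal when the exchange completes, and a message altered between MS and ASN1 is rejected before it is relayed.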

IV. DISCUSSION

In this section, we analyze the security and efficiency of the proposed scheme.

A.

Security Analysis

In the security analysis, we define an attack by two factors: attacking identities and attacking methods. For attacking identities, we assume there are two, a malicious MS and malicious ASN gateways. For attacking methods, there are three types of attacks: eavesdropping, impersonating, and error message injection. The results are listed in Table II.

Taking eavesdropping as an example, the secrets, such as Xi and Yi, are encrypted with the identities' public keys. The second attacking method is impersonating. However, it fails since every certificate we use is signed by a trusted CA. The centralized PKI architecture makes the proposed scheme simpler and more elegant. The last is MITM, the man-in-the-middle attack. This attack does not occur on the MS side. Actually, MITM does not happen in the public-key cryptosystem. The result is positive, since the proposed scheme can withstand these three attacks from either the malicious MS side or the ASN side.

TABLE II. SECURITY ANALYSIS

Attacking methods    Malicious MS    Malicious ASN gateways
Eavesdropping        fail            fail
Impersonating        fail            fail
Man-in-the-middle    Not occur.      fail

B.

Efficiency of the Proposed Scheme

The proposed scheme is more efficient than the previous schemes [13]. The number of steps in standard EAP-TLS is 13. In the proposed scheme, the number is reduced to 6 steps. The major enhancement is that the MS eliminates the EAP-TLS authentication flow, including the exchange of server and client certificates, challenges, and feedback. This saves a lot of time and computation power, since verification of certificates and challenge protocols always involves signature signing and verification. In fact, we move the cost to the pre-authentication part. An MS exchanges different PMK keys with different ASN gateways before it roams to the nearby ASNs. The only drawback occurs when the number of nearby ASN gateways is not small. In that case the MS wastes power exchanging keys with ASNs to which it never roams. Fortunately, the number of nearby ASNs is often small.

V. CONCLUSIONS AND FUTURE WORK

In this paper, we proposed a secure handover authentication procedure for the 802.16/WiMAX infrastructure, based on pre-authentication schemes combined with the PKI architecture. It can be applied to macro-handover between different ASN networks. The main advantage of this scheme is that it is efficient and secure. In the near future, to make the proposed scheme more convincing, we will run experiments on 802.16e devices instead of relying on theoretical analysis only. Moreover, the proposed scheme can be combined with the QoS mechanism in the 802.16e standard [13].

REFERENCES

[1] IEEE Standard 802.16-2004: Air Interface for Fixed Broadband Wireless Access Systems, Oct 2004.
[2] IEEE Standard 802.16e-2005: Air Interface for Fixed Broadband Wireless Access Systems, Amendment 2: Physical and Medium Access Control Layers for Combined Fixed and Mobile Operation in Licensed Bands, Feb 2006.
[3] A. Ghosh, D.R. Wolter, J.G. Andrews and R. Chen, “Broadband Wireless Access with WiMax/802.16: Current Performance Benchmarks and Future Potential,” IEEE Communications Magazines, vol. 43, issue 2, pp. 129-136, Feb 2005.
[4] A. Mishra, M. Shin and W. Arbaugh, “Context Caching using Neighbor Graphs for Fast Handoffs in a Wireless Network,” In Proceedings of IEEE INFOCOM, Hong Kong, March 2004.
[5] M Kassab, A Belghith, JM Bonnin and S Sassi, “Fast Pre-Authentication Based on Proactive Key Distribution for 802.11 Infrastructure Networks,” In Proceedings of the 1st ACM workshop on Wireless multimedia networking and performance modeling, pp. 46-53, 2005.
[6] A. Mishra, M. Shin and W. Arbaugh, “Pro-active Key Distribution using Neighbor Graphs,” IEEE Wireless Communication, vol. 11, Feb 2004.
[7] Bluck Larry and John Vollbrecht, “PPP Extensible Authentication Protocol (EAP),” IETF RFC 2284, March 1999.
[8] FreeRadius: The FreeRadius Server Project, http://www.freeradius.org/
[9] S Xu, M Matthews and CT Huang, “Security Issues in Privacy and Key Management Protocols of IEEE 802.16,” In Proceedings of the 44th annual southeast regional conference, pp. 13-118, 2006.
[10] RFC3748-Extensible Authentication Protocol, B. Aboba, et al., June 2004, Standard Track.
[11] IEEE 802.11 LAN/MAN Wireless LANS standard website, http://standards.ieee.org/getieee802/802.11.html
[12] WiMAX Forum, http://www.wimaxforum.org/home/
[13] WiMAX Forum, “WiMAX End-to-End Network Systems Architecture, Stage 2: Architecture Tenets, Reference Model and Reference Points [Part 2],” August 2006.
[14] The IEEE 802.16 Working Group on Broadband Wireless Access Standards, http://grouper.ieee.org/groups/802/16/