

each condition as shown in the following table.

Table. Columns: Condition, Old domain, New domain, Probability, Cost with traditional schemes; where

x: the number of switches between the new and old domain

y: the number of switches between the new domain and HLR

Consequently, the average costs of both schemes are

COSTtraditional = x * P1 + y * P3 and COSTour = x * P1 + Min[x, y] * P3.

Intuitively, the cost of our scheme is smaller than that of the traditional schemes, and the difference is

∆C = COSTtraditional − COSTour = (y − Min[x, y]) * P3.

From the equation, we conclude two factors that affect the network burden:

§ The mobile user should frequently roam among VLRs.

§ The cost of message transmission between the new domain and HLR should be larger than that between the new and old visiting domains.

If we assume the user handset is always powered on while traveling, the authentication and registration process is invoked immediately when MS arrives in a new domain. That is, the new and old domains are geographically contiguous, and x is equal to 1. Thus, the difference can be simplified as

∆C = (y – 1) * P3.

In order to clearly show the reduction of network burden due to the proposed chain authentication protocol, we normalize ∆C as the improvement rate R,

( )

real world since user handsets are not always powered on during their trips. Thus, x may be larger than y, and VLR will require HLR to help authenticate MS. Consequently, in the worst case, our scheme has the same network burden as the traditional schemes.

(C) The Advantages of the Chain Authentication Protocol

The chain authentication protocol has the following merits:

No assistance from HLR − The distance between VLRn and VLRo is generally shorter in a large PCS network than that between VLRn and HLR. A long connection path causes long propagation delay of messages, reduces the reliability of the communication channel, and generates far more traffic in the network. The proposed protocol merely uses VLRo to help VLRn authenticate MS, so our scheme authenticates MS rapidly. An efficient authentication scheme is particularly crucial when time is of the essence.

Another merit of the mechanism is that the certification between VLRn and VLRo is easier and faster than between VLRn and HLR, because VLRo lies closer to VLRn than does HLR. The certification is established by the public key scheme with a hierarchical architecture [18].

Therefore, the cost of the certification relies on the distance between the two communicating parties in the architecture.

Low overhead − Only four messages need be exchanged in the chain authentication protocol.

Since VLRn must contact VLRo in the network to query the user information, four R

HLR, consequently, the chain authentication can significantly reduce the network burden caused by the authentication process when MS tries to register in a new domain.

Fig. 11 The performance evaluation for the proposed scheme

Furthermore, the computation power required is low. Using a one-way function between MS and VLRn and a symmetric cryptosystem, such as DES [23], guarantees the confidentiality of messages. These two mechanisms demand only simple computation and have been applied in existing mobile telecommunication systems, such as GSM. Although we use the public key cryptosystem between VLRn and VLRo, which is more complex than the above two mechanisms, VLRs can easily perform the task because they offer better computation power in practical systems.

Subscriber identity confidentiality − If IMSI is directly used to identify MS's messages, MS's moving from one domain to another can be traced by listening to his identity on the radio path. The relation between the transmitted user data and MS is also available. To protect the privacy of the user's location and to improve other security features, e.g., user data confidentiality, assuring the confidentiality of subscriber identities in the communication channels is imperative. We recommend that the user be registered under a temporary identity; this mechanism resembles that used by GSM [24]. A temporary subscriber identity, TMSI, is used in the chain authentication protocol to identify MS's requests for services. TMSI is generated by the VLR of the domain and submitted to MS in ciphertext when MS arrives in a new domain. Since the temporary identity changes as the user travels between domains, tracing the user's location on the radio path is impossible.

Communication confidentiality − To maintain confidentiality of communications between MS and VLR, a session key is needed to encipher/decipher the data transmitted on the channels.

Herein, we only suggest using symmetric cryptosystems because the system demands low computational power of MS. The proposed protocol uses a one-way function with two

addition, within the initial/subsequent authentication procedure, all exchanged secret information, such as IMSI, ATn, and TMSIn, is transmitted as ciphertext to prevent eavesdropping.

Authenticating all participating communication parties − The modern telecommunication system only authenticates those subscribers seeking services. Furthermore, the system assumes that the network is trustworthy. In contrast, the proposed protocol authenticates all communication parties participating in the protocol, i.e. MS, VLRn, and VLRo. Between VLRo and VLRn, the public key cryptosystem is used for mutual authentication. Between MS and VLRo, the secret information, ATo and IMSI, is used for mutual authentication. Based on these two mutual authentications, MS and VLRn can authenticate each other, as mentioned earlier in this section.

Consideration of multiple service providers in a local area − Future PCS networks will include multiple competing service providers in a local area. The proposed enhanced initial authentication procedure enables VLRo to distinguish the service provider chosen by MS.

Domain separation − Both the session key Kc and the temporary identity TMSI are local information. They are only valid within the domain that generated them. Thus, all domains are separated by this local and secret information. (If the administration of HLR/VLR turns malicious, an evil system operator armed with MS's secret information, i.e. TMSI, Kc, and AT, can masquerade as MS in a different domain. If, however, MS moves and is registered elsewhere before the masquerade, the evil operator, although holding these secrets, is powerless.)

Session key confidentiality − Our session key generation relies on a random number and the secret information IMSI. MS and VLRn generate the key, which is unknown to anyone else, including HLR and VLRo. This scheme ensures the confidentiality of the new session key and reduces the probability of eavesdropping by a third party. (Many practical systems, including GSM, adopt this scheme.)

Low cost for preventing replay attacks − We use an authentication number AT rather than a timestamp in the exchanged messages to ensure freshness. Therefore, clock synchronization is unnecessary and message replay is difficult.

The following figure shows the comparison between our protocol and other protocols.

Fig. 12 Comparisons of the protocols (table; column heading: Protocol)

* The registration still requires the assistance of HLR.

** It is the S authentication scheme in IS-41.

*** It does not include the messages of the location updating and acknowledges.

6. Conclusions

To enhance the quality of communication services, users and service providers desire a more secure environment to prevent accessing unauthorized services or disclosing confidential information. Numerous modern mobile telecommunication systems contain simple security functions, such as subscribers' authentication and the confidentiality of the communication on

referred to herein as the chain authentication protocol. This protocol contains a series of procedures, including the preparation for subscribing in HLR, the initial authentication for registering in a new domain, and the subsequent authentication for querying a service. In the initial authentication procedure, we exemplify two cases regarding a local area containing a single or multiple service provider(s). Furthermore, we also consider the occurrence of the fault that VLRo is unreachable during the initial authentication procedure, and a possible solution is proposed by modifying the original procedure.

Our protocol guarantees the confidentiality of exchanged messages and of the subscriber's identity; furthermore, the protocol uses minimal messages to authenticate all communicating parties (including MS and all participating service providers), does not require clock synchronization, and, importantly, operates independently of HLR for MS authentication. The protocol can be applied in large communication networks with multiple service providers, such as the global PCS network.

Acknowledgement

This work is supported in part by FarEasTone Telecommunications Co., Ltd. The authors are grateful to Dr. Herman Rao and Dr. Hung-Fa Sun of FarEasTone Telecommunications Co. for their many suggestions that helped improve the paper.

References

[1] Bennett Z. Kobb, "Personal Wireless," IEEE SPECTRUM, Jun. 1993.

[2] M. Mouly, M. B. Pautet, "The GSM System for Mobile Communications," ISBN: 2-9507190-0-7, 1992.

[3] CDPD Consortium, "Cellular Digital Packet Data System Specification," Release 1.0, July 1993.

[4] EIA/TIA, "Cellular Intersystem Operations (Rev. C)," Technical Report IS-41, EIA/TIA, 1995.

[5] S. P. Shieh, C. T. Lin, and J. T. Hsueh, "Secure Communication in Global Systems for Mobile Telecommunications," Proceedings of First Workshop on Mobile Computing, pp. 136-142, 1995.

[6] C. Perkins, Editor, "IP Mobility Support," RFC 2002, Oct. 1996.

[7] R. Molva, D. Samfat, and G. Tsudik, "Authentication of Mobile Users," IEEE Network, Mar./Apr. 1994.

[8] R. Jain, Y. B. Lin, C. Lo, and S. Mohan, "A Caching Strategy to Reduce Network Impacts of PCS," IEEE Journal on Selected Areas in Communications, Vol. 12, No. 8, Oct. 1994.

[9] R. Jain, Y. B. Lin, and S. Mohan, "A Forwarding Strategy to Reduce Network Impacts of PCS," IEEE INFOCOM, 1995.

[10] C. Perkins, "Mobile-IP Local Registration with Hierarchical Foreign Agents," IETF Internet-Draft, Feb. 1996.

[11] "GSM 02.09: Security Aspects," European Telecommunications Standards Institute, Jun. 1993.

[12] W. Diffie and M. Hellman, "New Directions in Cryptography," IEEE Trans. Information Theory, Nov. 1976.

[13] R. Atkinson, "Security Architecture for the Internet Protocol," RFC-1825, Aug. 1995.

[14] "Recommendation X.509 and ISO 9594-8, Information Processing Systems - Open Systems Interconnection - The Directory - Authentication Framework," CCITT Technical report, Mar. 1988.

[15] J. Linn, "Privacy Enhancement for Internet Electronic Mail, Part I: Message Encryption and Authentication Procedures," RFC-1421, SRI Network Information Center, Feb. 1993.

[16] S. Kent, "Privacy Enhancement for Internet Electronic Mail, Part II: Certificate-Based Key Management," RFC-1422, SRI Network Information Center, Feb. 1993.

[18] S. Chokhani, "Toward a National Public Key Infrastructure," IEEE Communications Magazine, Sep. 1994.

[19] Ravi S. Sandhu and Edward J. Coyne, "Role-Based Access Control Models," IEEE Computer, Feb. 1996.

[20] "Trusted Computer System Evaluation Criteria," DoD STD-5200.28, Dec. 1985.

[21] R. L. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Commun. of the ACM, Vol. 21, No. 2, pp. 120-126, Feb. 1978.

[22] M. Burrows, M. Abadi, and R. Needham, "A Logic of Authentication," ACM Transaction on Computer Systems, Vol. 8, No. 1, Feb. 1990.

[23] NBS FIPS PUB 46-1, "Data Encryption Standard," National Bureau of Standards, U.S. Department of Commerce, Jan. 1977.

[24] "GSM 03.20: Security Related Network Functions," European Telecommunications Standards Institute, Jun. 1993.

[25] K. Buchanan, R. Fudge, D. McFarlane, T. Phillips, A. Sasaki, and H. Xia, "IMT-2000: Service Provider's Perspective," IEEE Personal Communications Magazine, Vol. 4, No. 4, Aug. 1997.

[26] A. R. Modaressi and R. A. Skoog, "Signalling System No. 7: A Tutorial," IEEE Communications Magazine, pp. 19-35, Jul. 1990.

[27] Y. B. Lin, Introduction to Mobile Network Management, Wei-Keg Publishing Co., 1997.

[28] EIA/TIA, "Mobile Station-Base Station Compatibility Standard for Dual-Mode Wideband Spread Spectrum Cellular System," Technical Report TIA/EIA/IS-95-A, EIA/TIA, 1995.

Appendix

In this proof, we use the same notations and logical postulates as the BAN-logic [15]: P ↔K Q denotes that P and Q share the key K, ↦K Q that Q has the public key K, P ⇌Y Q that P and Q share the secret Y, {X}K⁻¹ that X is signed with the private key corresponding to K, and ⊢ separates the premises of a postulate from its conclusion.

§ (P1): for the message using a shared key, we postulate:

P believes P ↔K Q, P sees {X}K ⊢ P believes Q said X

§ (P2): for the message using a public key, we postulate:

P believes ↦K Q, P sees {X}K⁻¹ ⊢ P believes Q said X

§ (P3): for the message using secret information, we postulate:

P believes Q ⇌Y P, P sees <X>Y ⊢ P believes Q said X

§ (P4): the nonce-verification rule:

P believes fresh(X), P believes Q said X ⊢ P believes Q believes X

§ (P5): the jurisdiction rule:

P believes Q controls X, P believes Q believes X ⊢ P believes X

§ (P6):

P sees (X, Y) ⊢ P sees X

§ (P7):

P sees <X>Y ⊢ P sees X

§ (P8):

P believes P ↔K Q, P sees {X}K ⊢ P sees X

§ (P9):

P believes ↦K P, P sees {X}K ⊢ P sees X

§ (P10):

P believes ↦K Q, P sees {X}K⁻¹ ⊢ P sees X

§ (P11):

P believes fresh(X) ⊢ P believes fresh(X, Y)

As mentioned in section 5, we have the following four idealized messages.

(M1) MS → VLRn: {Seed}Kc, <VIDn>ATo

(M2) VLRn → VLRo: {VIDn, N, TMSIo, <VIDn>ATo}Kn⁻¹

(M3) VLRo → VLRn: {N, {IMSI, MS ↔Kc VLRo}Kn, <VIDo>ATo}Ko⁻¹

(M4) VLRn → MS: {ATn, TMSIn, <VIDo>ATo, MS ↔Kc' VLRn}Kc'

Before the proof, the following assumptions are made.

(A1) VLRo believes ↦Kn VLRn

(A2) VLRn believes ↦Ko VLRo

(A3) VLRn believes ↦Kn VLRn

(A4) VLRo believes VLRo ⇌ATo MS

(A5) MS believes VLRo ⇌ATo MS

(A6) MS believes MS ↔Kc' VLRn

(A7) VLRo believes fresh(ATo)

(A8) MS believes fresh(ATo)

(A9) VLRn believes fresh(N)

(A10) VLRo believes VLRn controls (VIDn, N, TMSIo, <VIDn>ATo)

(A11) VLRn believes VLRo controls (N, {IMSI, MS ↔Kc VLRo}Kn, <VIDo>ATo)

(A12) VLRn believes VLRo controls {IMSI, MS ↔Kc VLRo}Kn

(A13) MS believes VLRn controls (ATn, TMSIn, <VIDo>ATo, MS ↔Kc' VLRn)

A) After message 1

No deduction is derived because MS and VLRn do not share any key or information.

B) After message 2

1. By (P2), (A1) and (M2) imply

VLRo believes VLRn said (VIDn, N, TMSIo, <VIDn>ATo). (d1)

2. By (P11), (A7) implies

VLRo believes fresh(<VIDn>ATo) and (d2)

VLRo believes fresh(VIDn, N, TMSIo, <VIDn>ATo). (d3)

3. By (P4), (d1) and (d2) imply

VLRo believes VLRn believes (VIDn, N, TMSIo, <VIDn>ATo). (d4)

4. By (P5), (A10) and (d4) imply

VLRo believes (VIDn, N, TMSIo, <VIDn>ATo). (d5)

C) After message 3

1. By (P10), (A2) and (M3) imply

VLRn sees (N, {IMSI, MS ↔Kc VLRo}Kn, <VIDo>ATo). (d6)

2. By (P2), (A2) and (M3) imply

VLRn believes VLRo said (N, {IMSI, MS ↔Kc VLRo}Kn, <VIDo>ATo). (d7)

3. By (P11), (A9) implies

VLRn believes fresh(N, {IMSI, MS ↔Kc VLRo}Kn, <VIDo>ATo). (d8)

4. By (P4), (d7) and (d8) imply

VLRn believes VLRo believes (N, {IMSI, MS ↔Kc VLRo}Kn, <VIDo>ATo). (d9)

5. By (P5), (A11) and (d9) imply

VLRn believes (N, {IMSI, MS ↔Kc VLRo}Kn, <VIDo>ATo). (d10)

6. By (P5), (A12) and (d9) imply

VLRn believes {IMSI, MS ↔Kc VLRo}Kn. (d11)

7. By (P9) and (A3),

VLRn sees (IMSI, MS ↔Kc VLRo). (d12)

8. (d11) and (d12) imply

VLRn believes (IMSI, MS ↔Kc VLRo). (d13)

9. By (P8), (d13) and the {Seed}Kc received in (M1) imply

VLRn sees Seed. (d14)

D) After message 4

1. By (P1), (A6) and (M4) imply

MS believes VLRn said (ATn, TMSIn, <VIDo>ATo, MS ↔Kc' VLRn). (d15)

2. By (P11), (A8) implies

MS believes fresh(<VIDo>ATo) and (d16)

MS believes fresh(ATn, TMSIn, <VIDo>ATo, MS ↔Kc' VLRn). (d17)

3. By (P4), (d15) and (d17) imply

MS believes VLRn believes (ATn, TMSIn, <VIDo>ATo, MS ↔Kc' VLRn). (d18)

4. By (P5), (A13) and (d18) imply

MS believes (ATn, TMSIn, <VIDo>ATo, MS ↔Kc' VLRn). (d19)
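To check derivation B) ("after message 2") mechanically, the following Python forward-chaining checker is an added example, not part of the paper: it encodes postulates (P2), (P4), (P5) and (P11) over the idealized message (M2) and the assumptions (A1), (A7) and (A10) in a constructed tuple encoding of the formulas, and applies (P11) only to compounds the principal has actually seen so that the closure stays finite.

```python
from itertools import product

# Constructed tuple encoding of the paper's BAN-style formulas
def believes(p, f): return ("believes", p, f)
def sees(p, x): return ("sees", p, x)
def said(q, x): return ("said", q, x)
def fresh(x): return ("fresh", x)
def controls(q, x): return ("controls", q, x)
def pub(k, q): return ("pub", k, q)       # |->K Q : Q's public key is K
def signed(x, k): return ("sig", x, k)    # {X}K^-1 : X signed with the private key of K
def sec(x, y): return ("sec", x, y)       # <X>Y : X combined with the secret Y
def cat(*xs): return ("cat",) + xs        # (X, Y, ...) : concatenated message fields
def subterms(t):                          # every sub-formula of t, t itself included
    yield t
    for a in (t[1:] if isinstance(t, tuple) else ()):
        yield from subterms(a)
def parts(t):                             # direct components of (X, Y, ...) or <X>Y
    return t[1:] if isinstance(t, tuple) and t[0] in ("cat", "sec") else ()

def step(facts):                          # one round of applying the postulates
    new = set()
    for f, g in product(facts, repeat=2):
        if f[0] != "believes" or f[1] != g[1]:
            continue
        p, a, b = f[1], f[2], g[2]
        # (P2) P believes |->K Q, P sees {X}K^-1  |-  P believes Q said X
        if a[0] == "pub" and g[0] == "sees" and b[0] == "sig" and a[1] == b[2]:
            new.add(believes(p, said(a[2], b[1])))
        # (P4) P believes fresh(X), P believes Q said X  |-  P believes Q believes X
        if a[0] == "fresh" and g[0] == "believes" and b[0] == "said" and a[1] == b[2]:
            new.add(believes(p, believes(b[1], b[2])))
        # (P5) P believes Q controls X, P believes Q believes X  |-  P believes X
        if a[0] == "controls" and g[0] == "believes" and b[0] == "believes" and a[1:] == b[1:]:
            new.add(believes(p, a[2]))
        # (P11) P believes fresh(X)  |-  P believes fresh(X, Y); restricted to compounds P has seen
        if a[0] == "fresh" and g[0] == "sees":
            new.update(believes(p, fresh(m)) for m in subterms(b) if a[1] in parts(m))
    return new

def derive(facts):                        # forward-chain the postulates to a fixpoint
    facts, new = set(facts), {None}
    while new:
        new = step(facts) - facts
        facts |= new
    return facts

# (M2) VLRn -> VLRo: {VIDn, N, TMSIo, <VIDn>ATo}Kn^-1 as seen by VLRo, plus (A1), (A7), (A10)
M2 = cat("VIDn", "N", "TMSIo", sec("VIDn", "ATo"))
FACTS = {sees("VLRo", signed(M2, "Kn")), believes("VLRo", pub("Kn", "VLRn")),
         believes("VLRo", fresh("ATo")), believes("VLRo", controls("VLRn", M2))}
D5 = believes("VLRo", M2)                 # goal (d5): VLRo believes (VIDn, N, TMSIo, <VIDn>ATo)
```

derive(FACTS) returns the closure containing (d1) through (d5); dropping (A1), i.e. VLRo's belief in VLRn's public key, leaves only the freshness facts (d2) and (d3) derivable, which shows that the signature check on (M2) is what carries this step.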
