This section analyzes the security and performance of the proposed protocol and compares it with traditional mechanisms. (Only the enhanced initial authentication procedure is considered in this section.)
(A) Security Analysis
Once trust is established between MS and VLRo, whether MS and VLRn can trust each other can be determined using three criteria:
- VLRo and VLRn trust each other,
- VLRn proves to VLRo that MS has arrived in the new domain, and
- VLRn proves to MS that VLRo trusts and authorizes VLRn.
We now explain how our protocol uses four messages to accomplish authentication, and use BAN-logic to verify that it correctly authenticates each communicating party. (BAN-logic formally verifies the correctness of authentication protocols. BAN-logic is neither sufficient nor complete; however, it can help verify the correctness of an authentication protocol to some extent. Refer to Ref. [22] for details.)
We first idealize our protocol to the BAN-logic form:
MS → VLRn: {Seed}Kc, <VIDn>ATo (M1)
VLRn → VLRo: {N, TMSIo, <VIDn>ATo}Kn⁻¹ (M2)
VLRo → VLRn: {N, {IMSI, MS <-Kc-> VLRo}Kn, <VIDo>ATo}Ko⁻¹ (M3)
defined in BAN-logic [22]. <X>Y means that X is combined with the secret formula Y. The shared secret formula Y is ATo in our protocol. Since ATo is shared only by MS and VLRo, and is used only once, it is difficult to forge or replay f(ATo, X), where X is VIDn or VIDo. Thus, f(ATo, X) can prove the origin of the message and guarantee its freshness. That is,
VLRo believes fresh( <VIDn>ATo ) and
MS believes fresh( <VIDo>ATo ). (D1)
The following analysis first employs BAN-logic to describe the deductions obtained upon receipt of each message. The detailed proof is presented in the Appendix. We then verify that our protocol meets the three criteria.
After (M1) − VLRn suspects all information received because it cannot verify the message. Thus, no deduction is derived.
After (M2) − Because the secret key Kn⁻¹ of VLRn encrypts the message, VLRo believes that VLRn is the source of M2. Based on the deduction (D1) mentioned above, we deduce that
VLRo believes VLRn believes ( N, TMSIo, <VIDn>ATo ). (D2)
VLRo believes ( N, TMSIo, <VIDn>ATo ). (D3)
After (M3) − As for (M2), VLRn believes M3 is sent by VLRo, because the nonce N is generated by VLRn itself, and VLRn can verify if N is fresh. Thus, we deduce that
VLRn believes VLRo believes ( N, {IMSI, MS <-Kc-> VLRo}Kn, <VIDo>ATo ). (D4)
VLRn believes ( N, {IMSI, MS <-Kc-> VLRo}Kn, <VIDo>ATo ). (D5)
By (D5), it follows that VLRn also believes {IMSI, MS <-Kc-> VLRo}Kn. So, we deduce that
VLRn believes IMSI. (D6)
VLRn believes MS <-Kc-> VLRo. (D7)
After (M4) − If VLRn obtains the correct Seed in M1, MS and VLRn will share the same session key Kc'. Thus, by (D1), we make the following deductions:
MS believes VLRn believes ( ATn, TMSIn, <VIDo>ATo ) (D8)
Since Kc' is generated by MS, Kc' = f(Seed, IMSI), therefore
MS believes ( MS <-Kc'-> VLRn ). (D10)
These deductions allow us to demonstrate that our protocol fulfills the three criteria to complete the authentication.
Criterion 1 − VLRo and VLRn must trust each other. Deductions (D2) and (D3) prove that message 2 meets the requirement that VLRo trusts VLRn. On the other hand, deductions (D4) and (D5) prove that message 3 satisfies the requirement that VLRn trusts VLRo. Therefore, criterion 1 is satisfied by messages 2 and 3.
Criterion 2 − VLRn must prove to VLRo that MS has arrived in the new domain. This requirement is trivially met because our protocol guarantees (D2) and (D3), and because only the real MS can generate f(ATo, VIDn). VLRo therefore believes the MS that announces its identity with TMSIo and f(ATo, VIDn). Besides, since f(ATo, VIDn) contains the identity of VLRn and cannot be forged by VLRn, f(ATo, VIDn) suggests the location of MS.
Criterion 3 − VLRn must prove to MS that VLRo trusts and authorizes VLRn. MS can check this condition by decrypting message 4 with the new session key Kc' generated by MS. If MS can decrypt it and correctly verify f(ATo, IMSI), MS accepts the authority of VLRn granted by VLRo. Deductions (D9) and (D10) prove that our protocol satisfies this requirement.
Although the chain authentication protocol can fulfill the above criteria, we cannot infer that "VLRn believes Kc'" in the above deductions. Our protocol only guarantees that VLRn trusts MS (see (D5)) and is able to get the correct session key Kc (see (D7)), but it does not imply that VLRn obtains the correct Seed (see (d15) in the Appendix). This limitation arises because {Seed}Kc may be replaced by hostile intruders in message 1. VLRn cannot confirm the validity of session key Kc' until it correctly decrypts the data encrypted using Kc' by MS. Fortunately, even in the worst case, when {Seed}Kc was replaced, only Kc' of VLRn is inconsistent with MS's and the
We guarantee, as explained above, that MS and VLRn can trust each other. That is, our protocol can authenticate the three communication parties, including MS, VLRo, and VLRn.
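The checks behind (D1), Criterion 2 and the Seed caveat above can be exercised in a short simulation. This is an added example, not code from the paper: f() is modeled as HMAC-SHA256, {Seed}Kc as a toy XOR keystream without integrity, and the class name OldVLR, the helper names and all sample values are constructed assumptions.

```python
import hashlib
import hmac
import secrets

def f(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the page's unspecified f().
    return hmac.new(key, data, hashlib.sha256).digest()

def wrap(kc: bytes, seed: bytes) -> bytes:
    # Assumption: toy XOR keystream models {Seed}Kc (encryption, no integrity).
    return bytes(a ^ b for a, b in zip(seed, f(kc, b"seed-wrap")))

class OldVLR:
    """VLRo side: one single-use ATo per TMSIo."""
    def __init__(self):
        self.tokens = {}                      # TMSIo -> ATo

    def check_m2(self, tmsi_o, vid_n, tag) -> bool:
        at_o = self.tokens.get(tmsi_o)
        if at_o is None:
            return False                      # ATo unknown or already consumed
        if not hmac.compare_digest(tag, f(at_o, vid_n)):
            return False                      # tag not bound to the claimed VIDn
        del self.tokens[tmsi_o]               # ATo is used only once
        return True

def run(tamper_seed: bool) -> dict:
    # All values below are constructed sample data.
    at_o, kc = secrets.token_bytes(16), secrets.token_bytes(16)
    imsi, tmsi_o = b"constructed-imsi", b"constructed-tmsi"
    vlr_o = OldVLR()
    vlr_o.tokens[tmsi_o] = at_o
    # M1 as built by MS: {Seed}Kc and <VIDn>ATo.
    seed = secrets.token_bytes(32)
    wrapped, tag = wrap(kc, seed), f(at_o, b"VLRn")
    if tamper_seed:                           # {Seed}Kc altered in transit
        wrapped = bytes([wrapped[0] ^ 1]) + wrapped[1:]
    result = {
        "other_vlr": vlr_o.check_m2(tmsi_o, b"VLRx", tag),  # tag shown by another VLR
        "accepted": vlr_o.check_m2(tmsi_o, b"VLRn", tag),
        "replayed": vlr_o.check_m2(tmsi_o, b"VLRn", tag),
    }
    # After M3, VLRn holds IMSI and Kc and derives Kc' = f(Seed, IMSI).
    kc_ms = f(seed, imsi)
    kc_vlrn = f(wrap(kc, wrapped), imsi)      # XOR unwrap is the same operation
    result["keys_match"] = hmac.compare_digest(kc_ms, kc_vlrn)
    return result

if __name__ == "__main__":
    print(run(False), run(True))
```

With tamper_seed=True, VLRo still accepts M2 but the two Kc' values differ, so the mismatch surfaces only when VLRn first tries to decrypt data that MS encrypted under Kc'.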
(B) Performance Evaluation
A simple HLR/VLR network model is illustrated in Figure 10 to show the benefit of the proposed authentication protocol. All HLR/VLRs exchange control signals, such as the registration messages, through middle switches. (In telecommunication systems, the switch is commonly called the Signalling Transfer Point (STP) in the Common Channel Signalling network with a Signalling System No. 7 (SS7) protocol [26].) For simplicity, we assume that the cost of signalling between HLR/VLRs is dependent on the number of switches. Therefore, the geographically contiguous domains have the smallest cost, defined as 1. We also assume that the proposed chain authentication is combined with an intelligent VLR described in the previous section, so that VLRn will require VLRo or HLR to authenticate MS based on their costs. To compare the improvement, the traditional authentication scheme with the assistance of HLR, such as IS-41 or Molva's scheme, is used in the performance evaluation.
Whenever MS roams from an old domain to a new domain, one of three conditions occurs. The mobile user may roam from his HLR to a VLR, from a VLR to his HLR, or from a VLR to another VLR. The following table summarizes the three conditions and the corresponding costs of the first authentication process with different protocols. To model the varying behavior of mobile users, we define three probabilities, P1, P2 and P3, for these conditions; their sum is equal to 1. We assume P1 is equal to P2 since a user will finally return to his home after a long travel. With
Fig. 10 A network model for signal exchange between HLR/VLRs (nodes shown: VLR1, VLR2, STP1, HLR)