Chapter 3. Selecting Transition Process for WLAN Security
3.4 Transition Process Selection Mechanism
Since every AP advertises the MDID in the Beacon and Probe Response frames, the MS can select the appropriate transition process for intra-MD or inter-MD scenarios. Specifically, the
MAC addresses are used as the identifiers for R0KH and R1KH to ensure global uniqueness.
The MDID is assumed to be managed by vendors [15]. However, it is not clear how to guarantee unique MDID among vendors. If ambiguity of MDID does occur, this error will be detected at Step 5 in Figure 3.4 because the new PMK-R1 cannot be acquired. Therefore the MS is forced to stop the fast BSS transition process and is switched to perform the IEEE 802.11r initial MD association process.
Figure 3.5 The proposed selection mechanism for transition process
To resolve the ambiguous MDID issue, we propose a new method that does not require the MDID for transition. In our approach, every AP maintains an R0KH table recording all R0KHs that can be accessed by the AP. In Figure 3.1, the identifiers of R0KH1 and R0KH2 are recorded in AP0, AP1, AP2, and AP3, and the R0KH3 identifier is recorded in AP4 and AP5. Upon receipt
of the authentication request message (i.e., Step 1 in Figure 3.4), an AP queries its R0KH table to determine whether the MS comes from another MD, and selects the appropriate transition process for execution. Suppose that the MS moves from APOld to APNew. The following steps are executed (see Figure 3.5).
Step 1. The MS sends an authentication request message with FT authentication algorithm to APNew. This message is similar to that in Step 1 of Figure 3.4, but does not include the MDID in MDIE.
Step 2. Upon receipt of the authentication request, APNew checks the R0KH identifier in FTIE.
There are two possibilities. If the R0KH identifier is not found in the R0KH table of APNew, Steps 3 and 4 are executed (for inter-MD scenario). Otherwise, Steps 5 and 6 are executed (for intra-MD scenarios).
Steps 3 and 4. APNew exercises open system authentication and replies the authentication response message with parameter “open system authentication”. Then the MS proceeds to execute the IEEE 802.11r initial MD association process (Steps 2~8 in Figure 3.2).
Steps 5 and 6. APNew exercises FT authentication and replies the IEEE 802.11 authentication response message with parameter “FT authentication”. The IEEE 802.11r fast BSS transition process is executed (Steps 2~7 in Figure 3.4).
Through the R0KH table in an AP, the above mechanism correctly distinguishes the inter-MD scenario from the intra-MD scenarios without using the MDID.
A few other studies have been reported in the literature which has also carried out research similar to that reported in this chapter [5, 17, 27].
3.5 Summary
This chapter describes the IEEE 802.11r transition process for WLAN, where a three-level key hierarchy was proposed to speed up the transition process without executing the expensive IEEE 802.1X authentication for some scenarios. This hierarchy requires assignment of unique
MDIDs worldwide. However, how to guarantee the uniqueness of MDID is not clear. This chapter proposed a mechanism that does not need MDID, and therefore MDID management is eliminated. This mechanism also saves four message exchanges incurred in the original fast BSS transition when MDID ambiguity occurs.
Chapter 4.
A Key Caching Mechanism for Reducing WiMAX Authentication Cost in Handoff
IEEE 802.16e mobile Worldwide Interoperability for Microwave Access (WiMAX) provides broadband wireless services with wide service coverage, high data throughput, and high mobility. To access the IMS network with mobile WiMAX, several mobile telecommunications network issues, e.g., mobility management, voice quality, and power saving, must be addressed in the mobile WiMAX environment. Among them, security is probably one of the most important and essential issue that must be carefully addressed, which includes authentication and encryption aspects. This chapter will focus on the authentication aspect for mobile WiMAX.
The IEEE 802.1X is utilized in mobile WiMAX authentication. This procedure incurs long delay in WiMAX handoff. To resolve this issue, this chapter proposes a key caching mechanism to eliminate the non-necessary IEEE 802.1X authentication cost in WiMAX handoff. This mechanism is investigated through analytic and simulation modeling. Our study indicates that the key caching scheme can effectively speed up the handoff process.
4.1 Introduction to WiMAX AAA Architecture
To support security network access, the authentication, authorization, and accounting (AAA) mechanism is exercised in WiMAX [38]. Figure 4.1 shows the AAA architecture and protocol stack for WiMAX. In this architecture, the Access Service Network (ASN; Figure 4.1 (2)) consists of Base Stations (BSs; Figure 4.1 (4)) and ASN Gateways (ASN-GWs; Figure 4.1 (5)).
Figure 4.1 WiMAX AAA architecture and protocol stack
An ASN-GW controls several BSs. A BS provides WiMAX radio access for Mobile Stations (MSs; Figure 4.1 (1)) after the MSs are authenticated by the AAA server (Figure 4.1 (6)) in the Connectivity Service Network (CSN; Figure 4.1 (3)). In the WiMAX AAA architecture, the ASN-GW serves as the authenticator for the MS. The authenticator is responsible for forwarding authentication messages between the MS and the AAA server, and for maintaining the MS related information (e.g., encryption keys) after authentication. We assume that the Subscriber Identity Module (SIM)-based Extensible Authentication Protocol (EAP) is utilized for AAA [12]. Note that this approach reuses the authentication mechanism in mobile telecommunications [8]. In the authentication procedure, an EAP-SIM message (Figure 4.1 (a)) is encapsulated in an EAP message (Figure 4.1 (b)). The MS then encapsulates the EAP message in Privacy Key Management protocol version 2 (PKMv2; Figure 4.1 (c)) before it is transmitted to the BS. The BS exercises the Authentication Relay protocol (AuthRelay; Figure 4.1 (d)) to forward the received EAP message to the authenticator (i.e., the ASN-GW). Upon receipt of an EAP message, the authenticator translates it into a Remote Authentication Dial-In User Service (RADIUS; Figure 4.1 (e)) message. Then the RADIUS message is sent to the
AAA server. Upon receipt of the RADIUS message, the AAA server utilizes the Mobile Application Part (MAP; Figure 4.1 (f)) of the Signaling System Number 7 protocol (SS7; Figure 4.1 (g)) to communicate with the Home Subscriber Server (HSS)/Authentication Center (AuC;
Figure 4.1 (7)). The HSS is the mobility database of the GSM/UMTS mobile telecommunication networks [8, 21]. The AuC maintains the secret keys of the MSs, and provides the authentication information to the AAA server.
4.2 WiMAX Initial Network Entry Process
By using the protocols described in Figure 4.1, the WiMAX authentication works as follows.
Suppose that an MS first connects to the WiMAX network, the following steps are executed for the initial network entry process (see Figure 4.2):
Step 1. The MS, the BS, and the ASN-GW (authenticator) negotiate the security policy (i.e., to select the encryption and decryption algorithms) and the authorization policy; specifically, to select the message authentication code (MAC) type.
Step 2. The authenticator sends an EAP Request message to the MS. This message initiates the IEEE 802.1X authentication procedure by requesting the user identity.
Steps 3 and 4. The MS replies an EAP Response message with the user identity to the authenticator. The user identity consists of two elements: the AAA server address AAA-addr and the user account User-acct. In the SIM-based EAP authentication, the user account is set to the International Mobile Subscriber Identity (IMSI) of the MS [21].
According to AAA-addr, the authenticator forwards the EAP Response message to the AAA server.
Step 5. Upon receipt of the user identity, the AAA server performs the SIM-based EAP authentication with the MS as follows:
Step 5.1. The AAA server issues an EAP Request message with type “Start” to the MS.
Figure 4.2 WiMAX initial network entry process
Step 5.2. The MS replies the EAP Response message containing a random number MS-RAND. This random number is used to derive the encryption keys in Steps 5.3 and 5.5.
Step 5.3. Based on the IMSI received in Step 4, the AAA server communicates with the HSS/AuC to obtain the authentication information, including a random number RAND, a signed result SRES, and a cipher key Kc. Both the MS and the HSS/AuC utilize the RAND and the secret key Ki (stored in the SIM card and the HSS/AuC) to execute the A3 and the A8 algorithms for deriving the signed result SRES and the cipher key Kc [20]. Then the AAA server utilizes Kc and MS-RAND (received in Step 5.2) to derive the Master Session Key (MSK) and
the EAP integrity key KEAP.
Step 5.4. The AAA server sends a challenge EAP Request message with the RAND and the MAC. This MAC is derived from KEAP and is used to ensure integrity of this message.
Step 5.5. Upon receipt of the EAP Request message, the MS utilizes RAND, MS-RAND (generated in Step 5.2), and Ki (stored in the SIM card) to generate SRES*, Kc, MSK, and KEAP. With KEAP and the received RAND, the MS verifies the received MAC. If the MAC is correct, the AAA server is successfully authenticated by the MS. Then the MS replies a challenge EAP Response message with a code MAC* derived from KEAP and SRES*.
Step 6. The AAA server verifies MAC* by using KEAP (generated in Step 5.3) and SRES (received in Step 5.3). If MAC* is correct, the MS is successfully authenticated by the AAA server. The AAA server sends the EAP Success message to the authenticator containing MSK (generated in Step 5.3), the MSK lifetime, and the MS authorization profile (e.g., service restrictions and supplementary services). The MSK lifetime is the period that the MS is authorized to access the ASN-GW. When the MSK lifetime is expired, the MS should execute the IEEE 802.1X authentication with the AAA server again.
Step 7. The ASN-GW stores MSK, the MSK lifetime, and the authorization profile. Then it derives the Authentication Key (AK) by using the MSK and the BS address. This AK is shared between the MS and the BS.
Step 8. The ASN-GW forwards the EAP Success message to the BS with AK. The BS passes the EAP Success message to inform the MS that the authentication is successful. Upon receipt of this message, the MS generates its version of AK.
Step 9. The BS generates the final encryption key Traffic Encryption Key (TEK). This encryption key is used to provide data integrity and confidentiality for a communication
session between the MS and the BS. The BS passes the generated TEK (encrypted by AK) to the MS.
The relationship of WiMAX encryption keys and the locations maintaining these keys are shown in Figure 4.3.
Figure 4.3 WiMAX key derivation tree
If the MS moves from the old BS to the new BS connecting to a different authenticator (ASN-GW), a new MSK must be generated in this inter-ASN-GW handoff process, which is the same as the initial network entry process described in Figure 4.2. In this case, the authenticator (ASN-GW) of the old BS will remove the MS key record (i.e., MSK, the MSK lifetime, and the MS authorization profile). When the MS moves back to the old ASN-GW again, another inter-ASN-GW handoff process should be performed, which may incur long delay.
4.3 The Key Caching Mechanism
To speed up the inter-ASN-GW handoff process, we propose a key caching mechanism. The idea is simple: When the MS moves from the old ASN-GW to the new ASN-GW, the old ASN-GW still keeps the MS key record. If the MS returns to the old ASN-GW before the MSK lifetime expires, it can reuse the MSK without executing the IEEE 802.1X authentication. That is, only Steps 1 and 9 in Figure 4.2 are executed to speed up the inter-ASN-GW handoff process.
In Figure 4.2, Step 1 contains 2 message exchanges and Step 9 contains 5 message exchanges
[38]. Therefore, the caching mechanism speeds up the process by saving 50% (= 7/14) message exchanges between the MS and the BS.
Although the key caching mechanism may effectively avoid the execution of IEEE 802.1X authentication, it consumes extra storage to keep the MS key records at the old ASN-GW, where a stored key record includes 512 or 1024 bits for MSK, 32 bits for the MSK lifetime, and 512 or 1024 bits for the MS authorization profiles. Therefore, it is desirable to select an appropriate MSK lifetime to eliminate the IEEE 802.1X authentication without consuming too much extra storage in the ASN-GW. We investigate the effect of the MSK lifetime on the caching performance by an analytic model described below.
Figure 4.4 Relationship of the MSK key lifetime and the MS movement
Figure 4.4 illustrates the relationship between the movement of an MS and its MSK lifetime. In this figure, the IEEE 802.1X authentication is executed at time τ0 (Figure 4.4 (1)), and the MSK lifetime expires at time τ3 (Figure 4.4 (4)). At time τ1 (Figure 4.4 (2)), the MS moves from the old ASN-GW to the new ASN-GW. The residual MSK lifetime is tK = τ3 - τ1. If the MS will not return to the old ASN-GW before the MSK lifetime expires, we call this tK
period the unused key period. At time τ2 (Figure 4.4 (3)), the MS returns to the old ASN-GW.
Let tM =τ2 - τ1 be the period between when the MS leaves the old ASN-GW and when it returns.
If the MS returns before the MSK lifetime expires, the MS can reuse the MSK for period tK* = tK - tM without executing the IEEE 802.1X authentication. Period tK* is referred to as the reused key period. We make the following assumptions:
z We consider two distributions for the MSK lifetime T. That is, T is either an Exponential period with rate µ or a fixed period.
z The MS residence time tM in new ASN-GWs has the density function f (tM) with mean 1/λ and variance VM.
Three output measures are evaluated in our study.
z α: the probability that the MS returns to the old ASN-GW before the MSK lifetime expires.
z E [ tK | tM ≥ tK]: the expected unused key period under the condition that the MS does not return to the old ASN-GW before the MSK lifetime expires (therefore, the cached MSK will not be reused).
z E [ tK* | tM ≤ tK]: the expected reused key period under the condition that the MS returns to the old ASN-GW before the MSK lifetime expires (the cached MSK is reused).
We derive the above output measures for Exponentially distributed tM with fixed T, and then generalize the derivation for Generally distributed tM with Exponentially distributed T.
4.3.1 Derivation for Exponentially Distributed tM and Fixed T
Suppose that the departure of the MS from the old ASN-GW is a random observer to the MSK lifetime. For fixed MSK lifetime T, from the residual life theorem [32], tK has the Uniform distribution over 0 ≤ tK ≤ T. Then α is derived as
α 1 1
(4.1) E [ tK | tM ≥ tK] is expressed as:
| Pr | d
4.3.2 Derivation for Generally Distributed tM and Exponential T
Since the departure of the MS from the old ASN-GW is a random observer to the MSK lifetime, from the residual life theorem, tK is Exponentially distributed with mean E[T] = 1/µ. Let tM have a General distribution with density function f (tM) and Laplace transform f *(s). Then α is derived as
E [ tK* | tM ≤ tK] is derived as
| Pr | d
1 1
(4.6)
Equation (4.6) says that E [ tK* | tM ≤ tK] is not affected by the tM distribution.
To further investigate (4.4) and (4.5), we assume that tM has the Gamma distribution, which has been used in telecommunication modeling [22, 39]. The Gamma distributed tM has the mean 1/λ, variance VM and Laplace transform
1
1
(4.10)
Equations (4.1), (4.2), (4.3), (4.6), (4.9) and (4.10) provide the mean value analysis to show the
“trends” of the output measures. These equations are also used to validate the simulation experiments in the next section.
4.4 Simulation Validation
We utilize simulation experiments to validate the analytic model described in Section 4.3. The MSK lifetimes T are either produced from a random number generator with mean 1/µ or set as a fixed period 1/µ. According to the residual life theorem, the residual MSK lifetime tK can be generated directly. The tM periods are first drawn from an Exponential random number generator with mean 1/λ to validate against the analytic model. Then we use Gamma random number to investigate the impact of General tM.
Figure 4.5 The simulation flowchart
To ensure that the results are stable, we simulate 107 departures from the old ASN-GW. In the simulation process, the counter N records the number of simulation runs, n counts the number of MSK reused times, unusedT calculates the sum of periods which the unused MSK stored in the old ASN-GW, and reusedT calculates the sum of periods which the MSK reused in the old ASN-GW. The simulation flowchart is shown in Figure 4.5, and the details are described as follows.
Step 1. The variables N, n, unusedT, and reusedT are initialized to 0.
Step 2. The Nth departure from the old ASN-GW is performed. Periods tM and tK are generated, and tK* is set to tK - tM.
Step 3. If tK* > 0, it means that the MS returns to the old ASN-GW before the MSK lifetime expires, and the flow goes to Step 4. Otherwise, go to Step 5.
Step 4. The MSK is reused in the old ASN-GW, and the MSK reused counter n is incremented by 1. The sum of the MSK reused periods reusedT is added by tK*.
Step 5. Since the MSK cannot be reused, the sum of the MSK unused periods unusedT is added by tK.
Step 6. N is incremented by 1.
Step 7. Check if 107 MS departures from the old ASN-GW have been simulated. If so, go to Step 8. Otherwise, go to Step 2.
Step 8. The simulation is complete, and the output measures are computed as follows.
|
|
Based on equations (4.1), (4.2), (4.3), (4.6), (4.9) and (4.10), Table 4.1 shows that the
simulation is consistent with the analytic analysis and all errors are within 1%. Therefore, the analytic and the simulation results are consistent.
Table 4.1 Comparison of analytic and simulation results
(a) α (Exponential tM)
(b) E [ tK | tM ≥ tK] (Gamma tM and Exponential T)
(c) E [ tK* | tM ≤ tK] (Gamma tM and Exponential T)
4.5 Numerical Examples
According to the analytic and the simulation models, we use numerical examples to investigate how the MSK lifetime T affects the performance of the key caching mechanism. Figure 4.6 plots the results for Exponential tM. Figure 4.6 (a) plots α against E[T]. The figure indicates that α is an increasing function of E[T]. It is intuitive that if E[T] is large, then it is more likely that
the MS will return before the MSK lifetime expires. From (4.1)
1 1
Since E[T]=1/µ, from (4.9), we have
1⁄ 1
This figure also shows that the Exponential T outperforms the fixed T in terms of α.
Figure 4.6 (b) plots the unused key period E [ tK | tM ≥ tK] as the function of E[T]. The figure shows that the unused key period increases as E[T] increases. From (4.2), we have
| 1
Therefore, the maximum unused key period is E[tM] = 1/λ. When E[T] is small (e.g., less than 1/λ), the fixed T outperforms the Exponential T. When E[T] is large, the Exponential T yields better performance in terms of the unused key period.
Figure 4.6 (c) plots the reused key period E [ tK* | tM ≤ tK] as the function of E[T]. The figure indicates the intuitive result that the key reused period increases as E[T] increases. From (4.3), we have
The figure also indicates that the Exponential T outperforms the fixed T in terms of the reused key period.
(a) Effect of E[T] on α
(b) Effect of E[T] on E [ tK | tM ≥ tK]
(c) Effect of E[T] on E [ tK* | tM ≤ tK] Figure 4.6 Effect of µ
(a) Effect of VM on E [ tK | tM ≥ tK] (b) Effect of VM on E [ tK* | tM ≤ tK] Figure 4.7 Effect of VM
Figure 4.7 (a) plots the unused key period E [ tK | tM ≥ tK] against E[T] and VM. When E[T]
≥ 1/λ, the unused key period increases as VM increases. This phenomenon is explained as follows. As VM increases, more long and short tM are observed. Since a random observer (an MS movement) tends to observe long tM, short tM will not contribute to E [ tK | tM ≥ tK]. Therefore, more long tK are observed as VM increases. From (4.8),
|
1 1 1
1 1 1
1
1 1
1
1
When E[tK] < 1/λ, E [ tK | tM ≥ tK]≒E [tK], which is not sensitive to VM.
Figure 4.7 (b) plots the reused key period E [ tK* | tM ≤ tK] against E[T] and VM. For Exponential T, according to (4.6), E [ tK* | tM ≤ tK] = E[T]. This phenomenon is explained as follows. Since the residual MSK lifetime tK is Exponentially distributed, the arrival of the MS to the old ASN-GW is a random observer to tK. Thus, from the residual life theorem, tK* is also
Exponentially distributed with the mean E[T]. For fixed T, E [ tK* | tM ≤ tK] increases as VM
increases. Since we only consider the case when tM ≤ tK, as VM increases, short tK periods are observed and long tK will not contribute to E [ tK* | tM ≤ tK]. Thus, for fixed T, the reused key period increases as VM increases and eventually approaches to E [tK] = T/2.
Figure 4.7 shows that the Exponential T outperforms the fixed T in terms of the reused key period. On the other hand, for the unused key period, the fixed T outperforms the Exponential T in most cases. Another advantage of Exponential T over the fixed T is that the reused key period E [ tK* | tM ≤ tK] performance is not affected by the variance VM. This stability property is important for telecom-grade system.
4.6 Summary
This chapter proposed a key caching mechanism to speed up the inter-ASN-GW handoff for mobile WiMAX. With this mechanism, when an MS leaves the old ASN-GW, the MS key record (e.g., the MSK) is cached in the old ASN-GW. If the MS returns to the old ASN-GW before the MSK lifetime expires, it can reuse the MSK without executing the IEEE 802.1X authentication. On the other hand, the old ASN-GW consumes extra storage to maintain the MS
This chapter proposed a key caching mechanism to speed up the inter-ASN-GW handoff for mobile WiMAX. With this mechanism, when an MS leaves the old ASN-GW, the MS key record (e.g., the MSK) is cached in the old ASN-GW. If the MS returns to the old ASN-GW before the MSK lifetime expires, it can reuse the MSK without executing the IEEE 802.1X authentication. On the other hand, the old ASN-GW consumes extra storage to maintain the MS