SAM: Secure Access of Media Independent Information Service with User Anonymity

Seamless handover across different access technologies is very important in the future wireless networks. To optimize vertical handover in heterogeneous networks, IEEE 802.21 standard defines Media Independent Handover (MIH) services. The MIH services can be a new target to attackers, which will be the main concern for equipment vendors and service providers. In this paper, we focus specifically on security of Media Independent Information Service (MIIS) and present a new access authentication scheme with user anonymity for MIIS. The protocol can be used to establish a secure channel between the mobile node and the information server. Security and performance of the protocol are also analyzed in this paper.

Recent advances in wireless communication technologies have resulted in the evolution of various wireless networks, such as cellular network, wireless local area network, ad hoc network personal communication network, Communication in next generation networks will use multiple access technologies, creating a heterogeneous network environment [1]. Practically, a single network cannot cater for all different user needs or provide all services. Nowadays the availability of multimode mobile devices capable of connecting to different wireless technologies provides users with the possibility to switch their network interfaces to different types of networks.

Real-time multimedia services such as voice over IP and interactive streaming become more and more popular in current wireless networks, so ubiquitous roaming support for real-time multimedia traffic in an access independent manner becomes increasingly important. Seamless mobility can be achieved by enabling mobile terminals to conduct seamless handovers across diverse access networks, that is, seamlessly transfer and continue their ongoing sessions from one access network to another. Vertical handover in the heterogeneous networks is one of the major challenges for seamless mobility with ubiquitous connectivity, since each access network may have different mobility, quality of service,Fn and security requirements [2]. Moreover, real-time applications have stringent performance requirements on end-to-end delay and packet loss. In general, the vertical handover process can be divided into three main phases, namely, system discovery, handover decision, and handover execution [3]. During the system discovery phase, the mobile terminals have to determine which networks can be used and the services available in each network. These wireless networks may also advertise the supported data rates for different services. During the handover decision phase, the mobile device determines which network it should connect to. The decision may depend on various parameters or handover metrics including the available bandwidth, delay, jitter, access cost, transmit power, current battery status of the mobile device, and even the user's preferences. Finally, during the handover execution phase, the connections need to be rerouted from the existing network to the new network in a seamless manner. This phase also includes the authentication and authorization, and the transfer of user's context information.

In order to achieve seamless vertical handover in heterogeneous networks, many works have been carried out to address the issues of service continuity. Some of them made efforts to methods about discovering neighbor networks and related information [4, 5]. Some of them focused on the issue of choosing the next network based on factors like bandwidth, cost, date rate, and so forth when the device is moving out of the current network [6–8]. Also, several approaches were published showing how to perform a fast authentication between different access technologies when handover-took place [9–11]. Apart from these, a number of works have also been carried out towards addressing other handover related issues [12–14].

Recent efforts by the IEEE 802.21 working group have designed a framework [15] to facilitate handover between heterogeneous networks by providing mobile users with information useful for making handover decisions. Examples of the information are the presence of neighboring networks, the type of their links, their characteristics, and the services supported. The heart of the framework is the Media Independent Handover Function (MIHF) which provides abstracted services to higher layers and vice versa by means of a unified interface. This is accomplished by defining a set of services, the Media Independent Handover (MIH) services, which consist of Media Independent Event Service (MIES), Media Independent Command Service (MICS), and Media Independent Information Service (MIIS). The MIES defines a solution for providing applications running above the data link layer with information about events triggered at the data link layer, such as the ones about the status of the link (link up, link down, etc.). The MICS introduces a set of commands that allows mobility functions running on the IP layer, or higher, to control the switching, scanning, and configuration functions of the data link layer. The MIIS specifies information about nearby networks useful for handover decisions and the query/response mechanism that allows mobile nodes to get that information. Users get that information from one or more information servers supporting MIH, as depicted in Figure 1. The Information Server (IS) may be located in the visited domains or in the users' home domain, that is, the domain of the service provider that holds information about the users' authentication and authorization profiles. The IEEE 802.21 working group is not trying to design a new mobility protocol, but to introduce a framework that supports the nodes involved in the mobility procedure to take handover decisions and to control the handover procedure. The IEEE 802.21 framework is complementary to existing mobility frameworks of wireless network.

MIIS in heterogeneous networks.

Full size image

As can be seen from Figure 1, MIH messages are exchanged over various wireless media between mobile nodes and access networks. Thus the MIH services can be a new target to attackers, which will be the main concern for equipment vendors and service providers [16]. Some typical threats about MIIS are listed below.

1. (i)

   Identity Spoofing Attempting to gain access to information service by using a false identity.

2. (ii)

   Tampering Unauthorized modification of information data exchanged.

3. (iii)

   Information Disclosure. Unwanted exposure of information data.

4. (iv)

   Denial of Service. The process of making information service unavailable to a user.

In addition, another important threat regarding the handover scenario is about user anonymity. It is desirable to hide the roaming user's identity and movements from eavesdroppers and even servers different from the home server he subscribed to. In heterogeneous wireless environments a roaming user needs to acquire neighbor network information from IS. If a user's identity is exposed to IS, the movements of the mobile user may be easily tracked by IS, since it knows the user's current location information and possible target of handover.

However, security mechanisms are not within the scope of the IEEE 802.21 standard. Security of MIH protocol currently relies on security of underlying transport protocols without a mechanism to authenticate peer MIH entities. This lack of authentication of peer MIH entities does not provide proper authorization for MIH services. Because IEEE 802.21 provides services that affect network resource, network cost, and user experience, MIH level security will be an important factor to network providers that want to deploy these MIH services in their networks. Nevertheless, there are very few security mechanisms for MIH services in the literature.

IEEE 802.21a task group was set up to address security issues of MIH services. The task of the group is [17]: (i) to reduce the latency during authentication and key establishment for handovers between heterogeneous access networks that support IEEE 802.21 (ii) to provide data integrity, confidentiality, replay protection, and data origin authentication to MIH protocol exchanges and enable authorization for MIH services. The technical requirements document [18] of the group describes usage scenarios and requirements for security signaling optimization during vertical handover and MIH protocol security. The scope of document [19] is to propose some solutions based on the requirements described in [18].

Won et al. proposed a new secure MIH message transport solution called MIHSec [20]. The idea of MIHSec is to utilize the Master Shared Key (MSK) generated by the L2 authentication procedure, for generating the MIH keys. MIHsec method though has a good performance for MIH message transportation, it introduces other issues. First, it is closely integrated with L2 authentication, thus it is not media independent. Second, the MSK needs to be securely delivered to IS by AR (access router), which means a security association should be settled apriori between each AR and IS. So the scheme does not posses scalability. Finally, in MIHsec protocol, the AR that sends the MSK to the IS may know the key for MIH messages encryption, which degrades the level of security.

We note that user anonymity is not addressed in all above schemes. It is very important for a roaming user to keep his identity secret and movements untraceable. This paper proposes an anonymous protocol for Secure Access of MIIS, which is denoted as SAM for short. SAM not only has high level security but also obtains good performance. We give a rigorous formal analysis of its security using a modular approach. Some experiments and simulations about SAM are also done to evaluate performance of the protocol.

The rest of this paper is organized as follows. Section 2 is a quick review over some related works. In Section 3 we present our new approach in detail. Section 4 gives a formal security proof of our protocol under the CK model. Section 5 includes performance analysis. Finally, conclusions and future works are given in Section 6.

2.1. 802.21  a Task Group Proposals

Security is crucial for IEEE 802.21 standard to reach its market potential. Seamless mobility requires seamless security to make its applicability to government and enterprise networks. Thus 802.21a task group are making efforts to security mechanisms for IEEE 802.21 standard. In [19], proactive authentication techniques and MIH protocol level security mechanisms are elaborated.

Proactive authentication is a process by which an entity can perform a-priori network access authentication with a media independent authenticator and key holder (MIA-KH) that is serving a candidate network. The entity performs such authentication in anticipation of handover to the neighboring networks. Proactive authentication can be performed in two ways: (i) direct proactive authentication whereby the authentication signaling is transparent to the serving MIA-KH and (ii) indirect proactive authentication whereby the serving MIA-KH is aware of the authentication signaling. In each case either EAP (Extensible Authentication Protocol) [21] or ERP (EAP Reauthentication Protocol) [22] can be used as the authentication protocol.

As to MIH protocol security, two security frameworks were proposed: (i) MIH service access control applied through an authentication server and (ii) MIH service access control not applied through an authentication server.

In the first case (Figure 2), the access control may be applied by an access authentication through an EAP server or an AAA (Authentication, Authorization, and Accounting) server. Upon a successful authentication, the Mobile Node (MN) is authorized to access the MIH service through a Point of Service (PoS). The access authentication includes a key establishment procedure so that related keys are established between the MN and the Authentication Server (AS). The method can provide MIH level protection independent to media and network access protection. Since MIH protection is end to end between the MN and the PoS, it is independent of the transport protocol for MIH. The use case is suitable for MIIS since the PoS for MIIS is more centralized. In the proposed approach, EAP framework is used over MIH protocol for carrying messages of MIH service authentication, where the PoS acts as an authenticator and also runs as an AAA client. TLS [23] or DTLS [24] is introduced to the authentication process, key establishment, and ciphering. (D)TLS handshake is carried out over MIH protocol, and a MIH SA (Security Association) is established between two MIHF peers. Once the MIH SA is established by the MIH protocol, there is no need to have MIH transport level security.

MIH security with access control.

Full size image

In the second case (Figure 3), the MIH service access control is not applied through any access controller. The mutual authentication may be based on a preshared key or a trusted third party like certificate authority (CA). The MN and the PoS will directly conduct a mutual authentication and key establishment protocol to setup a-MIH-specific SA. The use case allows pairwise MIH level mutual authentication and protection. This kind of MIH protection is independent of media and access technique. Since the MIH protection is end to end between the MN and the PoS, it does not rely on the transport protocol. The use case can treat MIIS, MIES, and MICS equally because no centralized server is involved.

MIH security without access control.

Full size image

2.2. Canetti-Krawczyk Model

A proof of security has become an essential statement for structural correctness of mutual authentication and key establishment protocols. Canetti and Krawczyk [25] proposed a model for provable security, which provided reusable building blocks for construction of new provably secure protocols. We refer to this model as the CK model in this paper. Here a description of the CK model is given. Further details can be found in [25]. The CK model defines protocol principals who may simultaneously run multiple local copies of a message-driven protocol. Each local copy is called a session and has its own local state. Two sessions are matching if each session has the same session identifier and the purpose of each session is to establish a key between the particular two parties running the sessions. A session is expired if the session key agreed in the session has been erased from the session owner's memory.

A powerful adversary attempts to break the protocol by interacting with the principals. In addition to controlling all communications between principals, the adversary is able to corrupt any principal, thereby learning all information in the memory of that principal (e.g., long-term keys, session states, and session keys). The adversary may impersonate a corrupted principal, although the corrupted principal itself is not activated again and produces no further output or messages. The adversary may also reveal internal session states or agreed session keys. The adversary must be efficient in the sense of being a probabilistic polynomial time algorithm. An unexposed session is the one such that neither it nor a matching session has had its internal state or agreed session key revealed. If the owner of the session or a matching session is corrupted, the corruption occurs after the key has expired at the corrupted party.

Two adversarial models are defined: the unauthenticated-links adversarial model (UM) and the authenticated-links adversarial model (AM). The only difference between them is the amount of control the adversary has over the communications channels between principals. The UM corresponds to the "real world" where the adversary completely controls the network in use and may modify or create messages from any party to any other party. The AM is a restricted version of the UM where the adversary may choose whether or not to deliver a message, but if a message is delivered, it must have been created by the specified sender and be delivered to the specified recipient without alteration. In addition, any such message may only be delivered once. In this way, authentication mechanisms can be separated from key agreement mechanisms by proving the key agreement secure in the AM, and then applying an authentication mechanism to the key agreement messages so that the overall protocol is secure in the UM.

To define the session key security of a key exchange (KE) protocol, the capability of the adversary is extended by allowing it to perform a test-session query. At any time during the game, can issue a test-session query on a KE-session that is completed, unexpired, and unexposed. Let be the corresponding session key. A coin is tossed by the game simulator after receiving a test-session query from the adversary. If , is returned to ; otherwise, a value chosen according to the distribution of session keys is returned to . can still carry out regular activities on this test-session after issuing the query but is not allowed to expose the test-session. However, the attacker is allowed to corrupt a partner to the test-session as soon as the test-session expires at that party. This captures the perfect forward secrecy property of a key exchange protocol. At the end of its run, outputs a bit (as its guess for ).

Definition 1.

A key exchange protocol is called session key (SK)-secure in the AM if the following properties are satisfied for any AM-adversary .

1. (1)

   If two uncorrupted parties complete matching sessions then they both output the same key;

2. (2)

   the probability that guesses correctly the bit is no more than 1/2 plus a negligible fraction about the security parameter.

The definition of SK-secure protocols in the UM is done analogously. By distinguishing between the AM and the UM, Canetti and Krawczyk allow for a modular approach to the design of SK-secure protocols. Protocols that are SK-secure in the AM can be converted into SK-secure protocols in the UM by applying an authenticator to it. An authenticator is a protocol translator that takes as input a protocol and outputs another protocol , with the property that if is SK-secure in the AM, then is SK-secure in the UM. Authenticators can be constructed by applying a message transmission (MT) authenticator to each of the messages of the input protocol. Canetti and Krawczyk [25] and Tin et al. [26] provided some examples of MT-authenticators.

The MIIS message exchanges are critical to handover decision phase. Therefore the process of MIIS message exchanges has to be trusted. The mobile user needs both to protect itself from threats, and to provide the IS provable trust, in order that they can exchange the information securely. The user also wants to keep his identity secret and movements untracked from eavesdroppers, particularly the IS.

This section focuses on a new proposal SAM for anonymous access authentication of MIIS. The scenario we considered is that the access control for information service is applied through an access authentication controller, namely, an AS. The new solution has the advantages of lightweight computation, low communication cost, and easy implementation.

3.1. Network Model

We consider a wireless scenario as depicted in Figure 4. There are some application servers (S₁,S₂) in core network, which provide application services like, voice over IP, video conference, interactive games, and so forth. When an MN passes the network access authentication, it establishes connection with a Point of Attachment (PoA). The MN may request a kind of application service through a certain PoS. Frequently, some kind of authentication mechanism is necessary for application service to prevent invalid access without authority. In order to support mobile users to handover seamlessly between heterogeneous networks, an IS is deployed to provide information about neighbor networks for mobile users. We assume that all MNs should register with an AS and subscribe some services they needed at network initialization. When an MN registers to the AS, it generates a random number as the long-term shared key with the MN. Presumably AS has a pair of public/private keys (), which are generated by itself. These keys are used to achieve user anonymity. In our network model, the attacker is able to corrupt any principal except for AS which is assumed beyond the attacker's control. We also assume that AS delivers and public key to MN using a mechanism outside of the proposed protocol, such as preloading these keys.

MIIS access control in the network.

Full size image

Here, MIIS is taken as a service at the application layer. It is assumed that MNs have no secure associations with application servers directly. In scenario where many application servers exist, Kerberos [27] is an efficient scheme for secure access of services because of its singlesign-on characteristic. We adopt a simplified version of Kerberos for easy deployment. Suppose that AS and TGS (Ticket Granting Server) are implemented by the same physical entity, which simplifies protocol design. We also assume that all application servers, (S₁, S₂, and so on, including IS) have shared some keys with the AS, respectively. For example, there is a long-term key shared between the IS and the AS for secure connection or authentication. Suppose that is a secure key derivation function, and is a secure hash function. We assume that there is a time synchronization mechanism in the system. Below the new scheme is described in detail.

3.2. MIIS Access Authentication with User Anonymity

In order to handover seamlessly between heterogeneous networks while enjoying some real-time applications, each MN has to subscribe MIIS to AS when initializing. AS maintains an entry for each registered MN, which consists of the following items: , , service list. After an MN connects to the network, it should contact IS to get information about neighbor networks. Since the MN has no security associations with application servers (including IS), the access control of application services is applied through AS. To this end, the MN must obtain service ticket for IS. Then mutual authentication is performed between MN and IS using the service ticket. The message flows of SAM are depicted in Figure 5, in which flow (1) and (2) describe service ticket request and response flow and (3) to (4) describe mutual authentication between MN and IS.

Message flows of SAM.

Full size image

(1) IS service ticket request (MN→AS)

MN selects a random number and computes as an anonymity key using public key of AS. The identity ID_MN of MN is encrypted with . A temporary identity TID is also computed using the equation: . Then MN sends a service Ticket REQuest message (T_REQ) to AS for IS. The message content of T_REQ is as the following, {TReq, , TID, ID_IS, , ID_AS, , }, where TReq denotes the identifier of the request, ID_IS denotes the identifier of the information server, is the timestamp of MN, and is a message authentication code derived from the equation .

(2) IS service ticket response (AS→MN)

Upon receiving the T_REQ message from MN, AS extracts then computes using and its private key . AS decrypts the ciphertext , and gets the identity of MN. AS finds the item related to MN in its database, namely, the entry (, , service list). Then AS checks if the timestamp is within some allowable range compared with its current time. If is not valid, the request message is dropped because of staleness. Otherwise, AS computes the value using . If the value matches with in T_REQ, AS believes the message is really originated from MN. AS checks service list of MN to find whether it has subscribed service of IS. If MN has not subscribed the service of IS, AS will respond a reject message to MN. Otherwise, a service ticket will be generated for MN. AS chooses a random number   as the service key used by MN and IS for secure connection. The format of service ticket is as follows: , where denotes the cipertext encrypted with the key shared between AS and IS.

AS generates a service Ticket RESponse (T_RES) message. The T_RES message consists of the following items {TRes, TID, , TID, ID_IS, , ID_AS, , }, where TRes denotes identifier of the response, is the timestamp of AS, and is a message authentication code derived from the equation: .

Afterwards, T_RES message is transmitted to MN by AS.

(3) IS service access request (MN→IS)

When MN receives the T_RES message from AS, MN first validates . If the result is positive, it calculates the value and compares the value with in the T_RES message. If the two values are identical, MN believes the message is generated by AS. MN decrypts , ID_IS, to get the service key .

Now MN is able to contact with IS for MIIS. MN needs to send an information Service Access REQuest message (S_Acce_REQ) to IS. The message format of S_Acce_REQ is as the following: , where SAReq denotes identifier of the request, is the service ticket generated by AS, and is current timestamp of MN. is calculated using .

(4) IS service access response (IS→MN)

On receiving the IS_Acce_REQ message, IS validates and decrypts using the key shared with AS to obtain the service key . It also gets the identifiers in the service ticket to determine whether the ticket is for TID and IS. Then IS computes and compares it with the value of . If the two values are identical, IS believes the requestor is a valid client. IS then computes as the service session key. IS generates an information Service Access RESponse message (S_Acce_RES) and sends to MN. The message has the following items: , where SARes denotes the identifier of the response and .

After MN receives S_Acce_RES message, MN first validates then computes and compares it with the value of . If the two values are identical, IS passes the authentication to MN. MN computes as the session key of information service. Afterwards, MN uses the service session key to secure access MIIS.

For accessing services other than the MIIS, the user needs to obtain the corresponding service ticket from AS. The user then sends an authentication request message directly to the application server which runs the authentication process as depicted in Figure 5. Based on the user credentials, the application server authenticates the user, which means that it checks user's service ticket and decides whether to grant access or not according to the authentication result. The application server and the user can use the shared secret key resulting from successful authentication to set up IPSec security at IP level or simply use the key to perform symmetric-cryptography based security at application level.

In this section, we will give a rigorous proof for security of SAM under the CK model. We first present a basic SK-secure protocol in AM. Second, we extend it to achieve user anonymity. Third, we apply authenticators to the protocol to derive a protocol that is automatically secure in UM. Finally, we get our new protocol by reordering and reusing message components to optimize the resulting protocol.

4.1. Secure Key Distribution (SKD) Protocol in AM

We propose a key distribution protocol in AM where MN and IS rely on a trusted server AS for service key generation. This protocol uses only symmetric encryption. Figure 6 shows the flow chart of the protocol.

Flow chart of SKD protocol for MIIS access.

Full size image

1. (1)

   IS service ticket request (MN→AS)

MN sends a service ticket request message (T_REQ) to AS for IS. The message content of T_REQ is as {TReq, ID_MN, ID_IS}.

1. (2)

   IS service ticket response (AS→MN)

Upon receiving the T_REQ message from MN, AS validates if MN and IS are the correct entities which have proper contractions with it. Then AS checks service list of MN to find whether MN has subscribed service of IS. If MN has subscribed the service of IS, AS chooses a random number   as the service key used by MN and IS for secure connection. AS generates a service ticket as follows: . Then AS sends to MN a service ticket response message (T_RES). The T_RES message consists of the following items: {TRes, ID_MN, ID_IS, , (ID_MN, ID_IS, )}.

1. (3)

   IS service access request (MN→IS)

When MN receives the T_RES message from AS, MN needs to send an information Service Access REQuest message (S_Acce_REQ) to IS. The message format of S_Acce_REQ is as the following: {SAReq, TID, ID_IS, }.

1. (4)

   IS service access response (IS→MN)

On receiving the IS_Acce_REQ message, IS decrypts using the key to obtain the identity of MN (which is confirmed by AS) and service key . IS then computes as the service session key. IS generates an information Service Access RESponse message (S_Acce_RES) and sends it to MN. The message has the following items: SARes, ID_MN, ID_IS.

After MN receives S_Acce_RES message, MN computes as the session key of information service. Afterwards, MN uses the service session key to secure access MIH information service.

Theorem 1.

The protocol SKD is SK-secure in the authenticated links model (AM) if the encryption algorithm used in SKD is a CCA-(chosen ciphertext attack-) secure symmetric encryption scheme.

Proof sketch

It is easy to see that both parties MN and IS are in possession of the same session key upon the completion of the protocol execution, and therefore the protocol satisfies condition 1 of SK-security in Definition 1. So we concentrate on proving condition 2 of the SK-security.

Let be an adversary against the protocol SKD. Let be the advantage of indistinguishing between a session key and a random value of the same length. We show that if   is nonnegligible, we can construct an algorithm to break the encryption algorithm . sets up a virtual scenario for the run of SKD and activates . Virtual players include user MN, information server IS and authentication server AS. The scheduled operations are performed by on behalf of all virtual players for SKD. We use (resp., and ) to denote the maximum number of MN (resp., IS and AS) that can be invoked. Let denote the maximum number of sessions between the chosen parties. By running as a subroutine, can break the encryption algorithm with overall probability . The advantage is non-negligible. This contradicts our assumptions in Theorem 1.

4.2. Anonymous SKD Protocol in AM

Now we focus on extending the SKD protocol to achieve user anonymity. In [28], the authors proposed a general security framework to capture user anonymity and untraceability. They introduced a security definition for anonymity and untraceability in UM. Different to [28], we will define anonymity and untraceability in AM.

Let be a system-wide security parameter. Let the set of mobile users in the system, the set of information servers in the system, and be the set of authentication servers in the system, where , ,and are some polynomials and , , and are the corresponding identifiers of the parties, for , and . First we depict a game of attacker similar to [28].

Anonymous Game: The game is carried out by a simulator which runs an adversary . It is based on the adversarial model AM.

1. (1)

   sets up a system with users in , information servers in , and authentication servers in .

2. (2)

   then runs and answers 's queries.

3. (3)

   can execute the SKD protocol on any parties in the system by activating these parties and making queries.

4. (4)

   Among all the parties in the system, picks two users , , an information server , and an authentication server , such that , and are the registration users of .

5. (5)

   sends a test query by providing , , , and .

6. (6)

   The simulator simulates one SKD protocol run among , and , and another one among , and . also updates the state information of each party due to the simulation. Then tosses a coin , . If , the simulation transcript with is returned to , otherwise, that with is returned to .

7. (7)

   After receiving the response of the test query, can still launch all the allowable attacks through queries and also activate parties for protocol executions as before.

8. (8)

   At the end of 's run, it outputs a bit (as its guess for ).

wins the game if (1) A, , and are uncorrupted, (2) for the one session above, can only perform session-state reveal, session-key reveal,and session expiration queries to . (3) guesses correctly the bit (i.e., outputs ).

(1)

Definition 2.

(user anonymity and untraceability) An SKD protocol provides user anonymity and untraceability if for sufficiently large security parameter , is negligible.

The formulation of Definition 2 is very powerful and can be shown to ensure both user anonymity and user untraceability required by a good SKD protocol. It guarantees that as long as the authentication server is uncorrupted, the adversary can neither tell the identity from the messages of one session nor link that session to another one.

Based on the secure SKD protocol (in AM), we now modify it so that it also provides user anonymity and untraceability. To provide user anonymity, the identity of the user should not be sent in clear. In addition, the identity should not be known to the information server according to the anonymity definition above. To do so, we use an identity hiding mechanism. Figure 7 depicts the message flows of the anonymous SKD protocol.

Flow chart of anonymous SKD protocol for MIIS access.

Full size image

(1) IS service ticket request (MN→AS)

MN selects a random number computes as an anonymity key using the random number and public key of AS. The identity ID_MN of MN is encrypted with . A temporary identity TID is also computed using the equation . Then MN sends a service ticket request message (T_REQ) to AS for IS. The message content of T_REQ is as the following: {TReq, , TID, ID_IS, }.

(2) IS service ticket response (AS→MN)

Upon receiving the T_REQ message from MN, AS extracts , then computes using and its private key . AS decrypts , and gets identity of MN. AS finds the item related to MN in its database, namely, the entry (MN, , service list). AS checks service list of MN to find whether it has subscribed service of IS. If MN has not subscribed the service of IS, AS will respond a reject message to MN. Otherwise, a service ticket will be generated for MN. AS chooses a random number   as the service key used by MN and IS for secure connection. The format of service ticket is as follows: . AS generates a service ticket response (T_RES) message. The T_RES message consists of the following items: {TRes, TID, ID_IS, , TID, ID_IS, }.

(3) IS service access request (MN→IS)

When MN receives the T_RES message from AS, MN decrypts TID, ID_IS, to get the service key . MN needs to send an information Service Access REQuest message (S_Acce_REQ) to IS. The format of the message is as: {SAReq, TID, ID_IS, }.

(4) IS service access response (IS→MN)

On receiving the IS_Acce_REQ message, IS decrypts using the key to obtain the temporary identity of MN (which is confirmed by AS) and service key . IS then computes as the service session key. IS generates an information Service Access RESponse message (S_Acce_RES) and sends to MN. The message has the following items: SARes, TID, ID_IS.

After MN receives S_Acce_RES message, MN computes as the session key of information service. Afterwards, MN use, the service session key to secure access MIH information service.

Theorem 2.

If is CCA-secure and CDH (compute diffie-helleman) problem is difficult, the advantage that wins the anonymity game is negligible.

Proof.

We prove it by contradiction. Namely, if the protocol is not anonymous, that is, if wins the game with non-negligible advantage, , over random guess (which is half chance), we construct a distinguisher   to break or to solve CDH problem.

We start by describing a game for the distinguisher . First, adaptively queries a decryption oracle with any ciphertext. Then chooses two messages msg₀ and msg₁ and asks the game simulator for a ciphertext. The simulator randomly picks and gives the ciphertext such that .

After receiving , adaptively queries the decryption oracle with any ciphertext except . is to output a value as its guess for . Now we construct which simulates anonymous game. First, sets up the system appropriately by creating a set of users, a set of information servers, and a set of authentication servers. It then initializes all the users in and information servers with randomly chosen symmetric keys from , and initializes all the authentication servers in with randomly chosen public key pairs for encryption. Afterwards, randomly picks an authentication server A, and replaces its encryption public key and private key corresponding to and .

runs as a subroutine and answers all its queries and simulates all the responses of party activation due to protocol execution. If picks , as two users, A as the authentication server, and I as the information server during the test query, answers the query by providing the transcript of a protocol constructed as follows.

First, randomly chooses a session ID in , and constructs two messages msg₀ and msg₁ as follows: , and .

queries the CCA-security encryption oracle with msg₀ and msg₁. Suppose the CCA-security oracle returns and a ciphertext , which satisfies , where . Then, constructs

message 1: TReq, , TID, ID_IS,

message 2: TRes, TID, ID_IS, , TID, ID_IS,

message 3: SAReq, TID, ID_IS,

message 4: SARes, TID, ID_IS

The transcript returned by to , as the response for 's test query is (message 1, message 2, message 3, message 4). continues the game by answering all the queries made by and simulating all the responses of party activation due to protocol execution. If corrupts , the simulator returns the long-term keys of , and the internal state of which includes the state information of session , to .

When outputs a bit value as its guess, outputs and halts. If does not pick as the authentication server in his test query, just randomly picks a value , outputs it and halts.

Analysis

Let be the event that picks as the authentication server in its test query. Since chooses from in the game uniformly at random, .

Hence we have

(2)

which is non-negligible over random guess.

may win the game by the following means.

1. (1)

   analyses CCA-secure encryption scheme with the help of adaptive query to plaintext of any chosen ciphertext except to the challenge .

2. (2)

   computes the key with the knowledge of and , then decrypt the ciphertext to get msg_b;

3. (3)

   guesses directly with correct probability .

Assume probability of case (1) is Adv_Enc and probability of case (2) is Adv_CDH.

Thus, .

If is non-negligible, at least one of Adv_Enc and Adv_CDH is non-negligible. So we have constructed a distinguisher to break or to solve CDH problem.

4.3. Anonymous SKD Protocol in UM

Now we come to the anonymous secure key distribution protocol in UM. Since the adversary can forge and modify any message, the identities of the user, the information server, and the authentication server all should be authenticated in the scenario.

An anonymous SKD protocol in UM can be derived by applying certain MT-authenticators to the SKD protocol in AM according to the CK approach [25]. Here we apply the one-pass timestamp based-MT-authenticator to the message flows of the protocol depicted in Figure 7.

The one-pass timestamp based MT-authenticator is depicted as Figure 8. Though the authenticator is very simple, it is widely used in synchronized system. It helps simplify the authentication procedures and improve the protocol efficiency.

One-pass timestamp based MT-authenticator

Full size image

Suppose that a party shares a random key with another party . There exists a time synchronization mechanism between and . The one-pass timestamp based MT-authenticator proceeds as follow:

1. (i)

   Whenever wants to send a message to , extracts its timestamp , sends , , to , where MAC is a message authentication function, and adds a message " sent to " to s local output.

2. (ii)

   Upon receiving , , , verifies that the is correct and is within allowable range. If all verifications are correct, outputs " received from ."

After deriving the anonymous SKD protocol in UM, an optimization [26] of message flows can be applied. As a result, we obtain a UM anonymous SK-secure protocol SAM in Figure 5, which provides secure access for information service with user anonymity.

Protocol performance has become an increasingly important concern in wireless computing and networking environments. It is always desirable to make an authentication protocol more efficient. Our protocol may be quite efficient, since it relies mainly on symmetric key operations and a few rounds of message exchanges during access authentication process. The computational cost of our protocol is very reasonable, especially for the mobile node. The computation operations in our protocol are negligible compared to any strong public-key authentication. In the proposal of 802.21a task group [19], EAP framework is suggested to fulfill mutual authentication between peers for the centralized MIH service. EAP-TLS [29] is a typical and widely applied authentication protocol in EAP protocol family. We take it as an example for comparison.

To evaluate our protocol and 802.21a proposal, we implemented all cryptographic operations required in the two schemes using the Crypto++ Library (version 5.6.1) [30]. The cryptographic experiments were executed on a laptop with PIII 1.6 GHz CPU and 128 MB RAM. The results are listed in Table 1, where SHA-1, AES, and RSA are used for analysis. The computational costs required by MN, AS, and IS (or PoS) are given in Table 2. Compared with SAM, 802.21a proposal is a rather complex and high-cost process because of using public key certificates. That method adds too much load to entities involved (consuming much time and energy). According to Table 2, we can conclude that the computational cost of MN, AS and IS can be reduced nearly by 41.7%, 40.8% and 30.0% in SAM, respectively.

As to communication performance, in the first phase of SAM (service ticket request), only a 2-way handshake is executed between MN and AS. It fulfils tasks of data origin authentication and service ticket distribution. In the second phase (information service access request), mutual authentication between MN and IS is also carried out through a 2-way handshake procedure. Nevertheless in 802.21a proposal, a full EAP-TLS procedure requires 8 message flows between MN and AS for their mutual authentication, afterwards it has to perform mutual authentication between PoS of IS, and MN (at least 3 message flows). The whole process of 802.21a needs so many message flows that it consumes too much bandwidth and time. Thus our protocol performs better than the proposal of 802.21a task group.

We carried out some simulation experiments of SAM and 802.21a proposal using OPNET 10.5 [31] to verify analysis above. For simplicity, only a WLAN was used as the access network in the topology, and one AS and one IS were deployed, where the two servers were both connected to the Internet as in Figure 4. The simulations run with 20~100 MNs and 10 APs uniformly distributed in the WLAN area for 5 minutes of simulation time. For the MIIS authentication request pattern, each MN made 10 requests randomly distributed over the whole simulation period. The simulation parameters are listed in Table 3. Here we mainly focus on the measurements of average authentication latency and the number of messages delivered in the network.

Figure 9 shows the average authentication latency of the two schemes as the number of MNs changes. We can see that the average authentication latency of SAM and 802.21a both become larger as the number of MNs increases. The reason is that the number of packets generated in the network increases as the number of MNs increases, which makes packets collision and retransmission happen more often. The average authentication latency obtained using SAM is about 60% to that obtained using 802.21a in all scenarios. This suggests that SAM is highly effective in authentication latency. Figure 10 shows the changes of the number of messages delivered in the network when the number of MNs changes. As we can see from the results, the number of messages delivered of 802.21a increases sharply while that of SAM increases smoothly as the number of MNs increases. The number of messages delivered of SAM is about 30% to that of 802.21a in all scenarios.

Comparison about average authentication latency.

Full size image

Comparison about number of messages delivered

Full size image

The simulation results indicate that SAM has advantages in communication performance compared with 802.21a.

The IEEE 802.21 standard aims at optimizing handovers among heterogeneous wireless networks. In this paper, we propose an anonymous access authentication protocol for MIIS defined in the 802.21 standard. We adopt a modified version of Kerberos featuring of user anonymity in service ticket distribution and service access authentication. The security and performance analyses show that the proposed scheme has good characteristics. In fact, our work can be applied to offer integrated authentication and authorization functionalities for any type of application service.

By ensuring a robust access authentication for MIIS, our scheme can be a step forward from best-effort to support seamlessly mobility in wireless world. Now we are making an effort to put up a real testbed to evaluate performance of our protocol. There are also some interesting works deserving considerations. The information server may not have a previously established security association with the mobile user's authentication server, then how to implement secure access for MIIS at this scenario? The mobile user and the information server may belong to different security domains, thus cross-domain authentication schemes ought to be established. In the future heterogeneous networks, there may exist several information servers deployed by different providers; the mobile user needs an efficient method to choose a more trusted one from a set of information servers.

The authors would like to thank the anonymous reviewers and the editor for their constructive comments that have helped them to improve this paper. This work is supported by the National Natural Science Foundation of China (60872041, 60633020, 60702059, 60803154), the National High Technology Research and Development Program of China (2007AA01Z429, 2009AA01Z417), and the China Postdoctoral Science Foundation (20100471604).

Authors and Affiliations

1. Ministry of Education Key Laboratory of Computer Networks and Information Security, Xidian University, Xi'an, Shaanxi, 710071, China

   Guangsong Li, Jianfeng Ma & Qi Jiang

2. Department of Information Research, Zhengzhou Information Science and Technology Institute, Zhengzhou, 450002, China

   Guangsong Li

Corresponding author

Correspondence to Guangsong Li.

Open Access This article is distributed under the terms of the Creative Commons Attribution 2.0 International License (https://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Reprints and permissions