Secure Pre-authentication Schemes for Fast Handoff in Proxy Mobile IPv6

  • cc icon
  • ABSTRACT

    In mobile communication, there are various types of handoff for the support of all forms of mobility. Proxy mobile IPv6 (PMIPv6) enables local network-based mobility management of a mobile node without any effect of mobility-related signaling. Recently, PMIPv6 has been considered for supporting mobility management in LTE/SAE-based mobile networks. To support seamless mobility in heterogeneous mobile networks, the overall cost of handoffs needs to be minimized and the procedure should be guaranteed to be secure. However, the reduction of the authentication cost has not been fully investigated to provide seamless connectivity when mobile users perform a handoff between the PMIPv6 domains. This paper proposes secure pre-authentication schemes, completing an authentication procedure before performing a handoff, for a fast handoff in PMIPv6. Analytic models have been used for measuring the authentication latency and for the overhead cost analysis. In addition to providing fast authentication, the proposed pre-authentication schemes can prevent threats such as replay attacks and key exposure.


  • KEYWORD

    AAA , Authentication , Handoff , MIP , Mobile IP , PMIP

  • I. INTRODUCTION

    Proxy mobile IPv6 (PMIPv6) has been standardized by the NETLMN Working Group; it enables local network-based mobility management for meeting the needs of a heterogeneous handoff (HO) environment where client mobility can be performed without the use of another mobility management operation [1]. However, PMIPv6 cannot directly support global mobility and any specific authentication approach between different domains because it was originally designed for local mobility in a single domain. Because of these security issues, authentication is the fundamental security technology and has become the focus of security research [2].

    Recently, some research has been conducted on the domain-level mobility of the PMIPv6 authentication method. This paper proposes secure pre-authentication and key management schemes for fast HO in PMIPv6. In addition to providing pre-authentication, the proposed authentication method can prevent threats such as replay attacks and key exposure. Further, analytic models have been used for measuring the authentication latency and for cost analysis. Then, the effects of mobility and traffic parameters on the authentication cost and latency, respectively, are analyzed.

    II. RELATED WORKS

    In [3], Zhou et al. proposed a PMIPv6 authentication scheme based on diameter protocol, utilizing a pre-shared key between the AAA sever and the proxy mobile entities. They suggested that the interactions between the AAA sever and a proxy mobile entity can reduce the access efficiency. However, they do not mention sharing the key in advance. In [4], Zhang et al. proposed a certificateless signcryption scheme in the authentication process to solve the key management issue in a wireless environment during key negotiations with the AAA server, leading to an increase in the AAA server’s cost, and the scheme did not mention how to deal with handoff authentication. In [5], Gao et al. proposed an authentication scheme for PMIPv6 on the basis of a two-level identity-based signature scheme, which is a mutual access authentication protocol, for eliminating the interactions between the home network and an access network and thereby improving authentication efficiency and reducing cost. Nevertheless, their scheme is restricted to mobile access gateways (MAGs) in the same domain and does not consider a reduction in the authentication delay as in the case of the pre-authentication.

    III. PROPOSED SCHEME

      >  A. Authentication Architecture

    We use EAP-AKA, RADIUS, and the L2 triggers defined in IEEE 802.21 MIH for supporting a secure key distribution, mutual authentication, and inter-local mobility anchor (LMA) HO when a mobile node (MN) crosses the boundaries of a MAG within a PMIPv6 domain. We presume that the MAG and the LMA take charge of the authentication routine for a visiting MN. The AAA client is located at MAG and LMA. When the MN initiates a new session, the MN needs to be authenticated (i.e., initial authentication). In the standard EAP-AKA, the MN and the AAA must generate a master session key (MSK) and an extended MSK (EMSK) after successful authentication [6]. An MSK is delivered to the access point (AP) to be used in generating a transient session key (TSK). An EMSK is generated, but its use is not determined. We propose the use of an EMSK to derive additional keys in order to achieve secure pre-authentication without compromising security. We extend the key hierarchy in the EAP-AKA protocol by introducing MAG domain-level and local-level keys derived from the MSK and the EMSK as shown in Fig. 1. Globallevel keys are unique keys derived by the AAA and the MN for a PMIPv6 domain. Local-level keys are unique keys derived by the LMA and the MN for an AP within the MAG domain. Session keys are unique keys derived by the MAG and are later used for deriving TSKs. MSK is used for deriving additional keys for the MN’s re-authentication operations without HO. Further, we propose the use of the EMSK as the root key for HO pre-authentications.

    The keys derived from the EMSK are the HO root key (HOK), the global-level HO key (GHK), and the local-level HO key (LHK). LHK is ultimately used for deriving TSK in intra- and inter-MAG HO.

      >  B. Intra/Inter-LMA HO Authentication Procedure

    When an MN initiates a new session in a PMIPv6 domain, an authentication procedure is started. To derive the required additional keys, we suggest the following modifications to the EAP-AKA message flow as depicted in Fig. 2. After the EAK-APA protocol is successfully performed, six new keys are generated. The HOK, that is, the root HO key is derived from the EMSK by the AAA and the MN. Both nodes use a special pseudo random function (PRF) similar to the one used in generating the MSK in the standard EAP-AKA protocol.

    image

    where “|” denotes concatenation and MN# represents the MN address in the medium access control layer. AAAID indicates the identity of the AAA server.

    image

    The global-level HO key, GHK, is derived from HOK by the AAA and the MN.

    image
    image

    where LMAID and MAGID denote the identity.

    The global-level and local-level re-authentication keys, GRK and LRK, are derived from the MSK and the GRK by the AAA and the LMA, respectively.

    image
    image

    A key used for securing traffic between the MN and the AAA, KMAG−MN. This key is exclusively inferred by the MN and the MAG.

    image

    Secure delivery of GRK, GHK and TMAGID is performed by the AAA to the LMA. Secure delivery of LRK is performed by LMA to the MAG. The derivation of HOK, GHK, LHK, GRK, LRK, and KMAG−MN by the MN.

      >  C. Intra/Inter-LMA Pre-authentication Procedure

    An MN roams to a neighbor AP when experiencing the low signal intensity level of the current AP (CAP). The target AP (TAP) may be in the same LMA domain or belong to a different LMA domain. Because of the lack of an LMA HO authentication protocol in the PMIPv6 domain and the inadaptability of existing MIPv4/MIPv6 authentication protocols, we have designed intra and inter-LMA HO preauthentication protocols to minimize the authentication delay and the signaling overhead. The proposed protocols utilize the EAP-AKA messages and can efficiently operate in the PMIPv6 domain. The intra-LMA HO is locally carried out when the CAP and the TAP reside in the same LMA domain. Further, the inter-LMA HO is executed when the CAP and the TAP reside in different LMA domains. The intra/inter-LMA HO minimizes the dependency on the HSS and the HAAA to authenticate the MN and thus results in improved performance without compromising security.

    The MN needs to supply the identities of the TAP and the TMAG that it requires to execute an HO to TAPID and TMAGID, respectively. Thus, we propose an adjustment of the IEEE 802.11 probe response management frames sent by the TAP to include its identity and the identity of the MAG associated with it as the information elements (IEs). A part of the IEs is set aside for future use and can be utilized for this purpose [7]. Do note that HO-related decisions such as HO triggers and the best TAP selection are out of the scope of this paper. Further, Fig. 3 depicts the inter-MAG HO authentication operation; here, the MAG controls the MN authentication instead of the HSS and the HAAA. The inter-MAG HO authentication protocol proceeds as follows:

    image
    image
    image

    The MAG also increments CTR and sends an EAP success message to the MN. Consequently, the MN derives LHK and increments CTR. CMAG and TMAG exchange a notify-request and notify-accept RADIUS AAA message to confirm the HO operation. Finally, LHK is sent to the TAP in the RADIUS access-accept messages with the MS-MPPE-Recv-Key attribute [8].

    In the inter-LMA HO, the authentication procedure is completed without the need to retrieve security keys from the HSS, as shown in Fig. 4. The protocol procedure is as follows:

    image
    image

    At the conclusion of a successful intra- or inter-LMA HO, a fresh LHK is retained by the MN and the TAP. The LHK is used for deriving TSK, which is then applied to generate additional keys that are demanded to secure the channel between the MN and the TAP.

    IV. PERFORMANCE ANALYSIS

      >  A. Analysis of Average Authentication Cost

    We define the authentication cost as the amount of signaling load and processing load during each authentication procedure. Then, the initial authentication cost, Ci, can be represented as follows:

    image

    where Nh denotes the number of hops between the MN and the AAA server. The first item is the signaling cost, and the other items are the processing costs. The cost parameters Ct, Cv, Ced, and Ck denote the transmission cost on one hop, the verification cost of the AAA server, a pair of encryption and decryption costs for a value, the key generation cost, respectively. As shown in Fig. 2, an MN needs to request identity from the MAG first. The distance that the messages traverse is 2 in this step. Then, the authentication messages need to reach the AAA. The distance between the MN and the AAA is assumed to be Nh hops. Since no security association (SA) exists between the MAG and the LMA, a mutual authentication process to the LMA is needed, which requires the messages to traverse four more hops in a roundtrip transmission. Thus, the total number of hops that the authentication messages traverse in the round-trip transmission is 2 + 2Nh + 4 = 2(Nh + 3). In this authentication process, the challenge/response values are verified twice at the AAA and the MN for mutual authentication. Thus, the coefficient for Cv is 2. In this process, three pairs of encryption and decryption costs are needed. The first pair is for encrypting and decrypting the challenge/response values between the MN and the AAA; the second is for encrypting and decrypting the session key between the AAA and the LMA; and the third is for encrypting and decrypting the session key between the AAA and the MAG. Thus, the coefficient for Ced is 3. Because the AAA needs to generate a dynamic key for the LMA, the MAG, and the MN, the coefficient for Ck is 12. As shown in Fig. 3, we can determine the inter-MAG HO authentication cost, Cmh, as follows:

    image

    where the last processing cost, 2NmCt, is the transmission cost for the notify-request, notify-accept, and AAA messages between the CMAG and the TMAG. The cost parameter Nm denotes the number of hops between the CMAG and the TMAG. The average authentication cost is defined as the sum of the authentication cost over a number of ARs per unit time, which can be written as follows:

    image

    where Ci and Cmh represent the initial and the HO authentication cost expressed in Eqs. (13) and (14), respectively, and λµ denotes the call arrival rate. As shown in Fig. 4, we can determine the inter-LMA HO authentication cost, Clh, as follows:

    image

    where the last processing cost, 4NmCt, is the transmission cost for the notify-request, notify-accept, and two AAA messages between the CLMA and the TLMA. The cost parameter Nm denotes the number of hops between the CLMA and the TLMA. The average authentication cost is defined as the sum of the authentication cost over a number of ARs per unit time, which can be written as follows:

    image

    where Ci and Clh denotes the initial and the HO authentication cost in Eqs. (13) and (16), respectively, and λµ represents the call arrival rate.

      >  B. Analysis of Average Authentication Delay

    We define authentication delay as the time from when an MN sends out an AR to when the MN receives the authentication reply (i.e., the EAP success message). Then, the delay per initial authentication, Ti, can be written as follows:

    image

    where the time parameters Tpr, Ttr, Twm, Twa, Ted, Tv, and Tk represent the message propagation time on one hop, the message transmission time on one hop, the AR service and waiting time at the MAG, the AR service and waiting time at the AAA, a pair of encryption and decryption times for a value, the verification time at the MN/the AAA, and the key generation time at the AAA, the LMA, the MAG and the MN, respectively. The coefficients in front of the time variables in Ti denote the number of time variables for each authentication. Similar to the analysis in Eq. (13), we can calculate the number of hops that the round-trip signaling messages traverse in the authentication process to be 2(Nh + 3). Then, the coefficient in front of Tpr + Ttr is 2(Nh + 3). Since the authentication process needs to pass the MAG four times, the coefficient of Twm, i.e., the AR service and waiting time, is 4. Because the authentication message traverses the AAA twice, the coefficient of Twa, i.e., the AR service and waiting time at the AAA, is 2. Similar to the coefficient analysis in front of Ced and Ck in Eq. (13), we can calculate the coefficient of Ted to be 3 and the coefficient of Tk to be 12. As shown in Fig. 3, the delay per inter-MAG HO authentication, Tmh, can be expressed as follows:

    image

    where the time parameter Nm denotes the number of hops between the PMAG and the TMAG. The average authentication delay is defined as the sum of an authentication delay over a number of ARs in unit time, which can be expressed as follows:

    image

    where Ti and Tmh denote the delay per initial and inter-MAG HO authentication expressed in Eqs. (18) and (19), respectively, and λµ represents the call arrival rate. As shown in Fig. 4, the delay per inter-LMA HO authentication, Tlh, can be expressed as follows:

    image

    where the time parameter Nm denotes the number of hops between the previous LMA (PLMA) and the target LMA (TLMA). The average authentication delay is defined as the sum of an authentication delay over a number of ARs in unit time, which can be expressed as follows:

    image

    where Ti and Tlh represent the delay per initial and interLMA HO authentication shown in Eqs. (18) and (21), respectively, and λµ represents the call arrival rate.

      >  C. Analysis of Results

    The parameters to evaluate the authentication cost and delay are shown in Table 1. Some parameter values for the analysis have been taken from [3]. The authentication cost in Eqs. (13), (14), and (16) can be calculated using the number of messages [10]. We utilize the ratio of the processing times to obtain the authentication cost because the time required to complete an operation represents the payload of the server to complete it [11]. The key generation cost, Ck, is normalized to a cost unit because it is the lightest load compared to the other costs. The values of the other costs are determined by a comparison with Ck using the time taken to complete the procedure. In Eqs. (13), (14), and (16), we only consider Twm, Twa, and Tv to be the random variables because the variance of the other time variables is small. Tpr is a function of the distance between two points, Ttr is determined by the message length and the link speed, Ted is mainly related to the performance of the computer and the message length, and Tk is directly related to the computer performance. In practice, the distance between two points, the message length, the link speed, and the computer performance are all fixed. Therefore, we do not consider Tpr, Ttr, Ted, and Tk random variables in this work. However, Twm, Twa and Tv are all related to the traffic load, queue length, and service time, which are varied from time to time and have a large variance. For the sake of simplification, we consider that the M/M/1 queues are applied at the MAGs, LMAs and the AAA and that the PDFs of Twm, Twa, and Tv are independent, identical distributions. The effects of the mobility and the traffic pattern on the average authentication cost and delay are shown in Figs. 512. In Figs 5 and 6, the average authentication costs decrease with an increase in the residence time of an MN in a MAG because the longer an MN stays in the MAGs, the lower is the handoff AR. Thus, if the residence time of an MN approaches infinity, the authentication cost will be stable and will be the same as the initial authentication cost because only the initial authentication exists in this case. Conversely, when the residence time approaches 0, most of the authentications are handoff authentications and the average authentication cost approaches infinity. However, for the sake of clarity, this is not depicted in Figs. 5 and 6. Figs. 7 and 8 show that the average authentication costs increase with an increase in the call arrival rate of an MN. As shown in Eqs. (15) and (17), the authentication cost is proportional to the call arrival rate λµ.

    Figs. 58 show that the average authentication cost increases with an increase in the number of hops between the AAA servers. This is attributed to the fact that a relatively high transmission cost will be needed in such a case. Figs. 9 and 10 show the effect of the residence time on the average authentication delay. As we can see, the authentication delay decreases with an increase in the residence time of an MN in a MAG. As in the case of the authentication cost, this trend is attributed to the decrease in the handoff AR. Thus, if the residence time of an MN approaches infinity, the authentication delay will be the same as the initial authentication delay. In contrast, when the residence time approaches 0, most of the authentications are handoff authentications and the average authentication delay approaches infinity. However, for the sake of clarity, this is not shown in Figs. 9 and 10. Figs. 11 and 12 show that the average authentication delay increases with an increase in the call arrival rate of an MN. As shown in Eqs. (20) and (22), the authentication delay is proportional to the call arrival rate λµ. Figs. 912 show that the average authentication delay increases with an increase in the number of hops between the MN and the AAA server as more message propagation time and message transmission time are needed.

    V. CONCLUSION

    In this paper, we proposed a pre-authentication method for the PMIPv6 protocol, which invokes the EAP-AKA signaling messages towards the AAA system. The proposed secure pre-authentication method prevents threats such as replay attacks and key exposure. We also conducted a performance analysis of the authentication cost and delay with respect to the mobility and traffic patterns. Therefore, this scheme presents a further understanding of the authentication mechanism in PMIPv6 networks. In the future, we plan to improve the proposed authentication method with a more detailed security analysis and better comparisons with other new authentication mechanisms in a PMIPv6-based network.

  • 1. Gundavelli S., Leung K., Devarapalli V., Chowdhury K., Patil B. 2008 “Proxy mobile IPv6,” google
  • 2. Wie S., Jang J. 2013 “Tunnel-free scheme using a routing table in a PMIPv6-based nested NEMO environment,” [Journal of Information and Communication Convergence Engineering] Vol.11 P.82-94 google doi
  • 3. Zhou H., Zhang H., Qin Y. 2009 “An authentication method for proxy mobile IPv6 and performance analysis,” [Security and Communication Networks] Vol.2 P.445-454 google doi
  • 4. Zhang L., Mo T., Zhao L. 2012 “Authentication scheme based on certificateless signcryption in proxy mobile IPv6 network,” [Application Research of Computers] Vol.29 google
  • 5. Gao T., Tan L., Qiao P., Yim K. 2016 “An access authentication scheme based on Hierarchical IBS for proxy mobile IPV6 network,” [Intelligent Automation & Soft Computing] Vol.22 P.389-396 google doi
  • 6. 2008 3GPP, “3G security; Wireless Local Area Network (WLAN) interworking security,” 3GPP TS 33.234 (v8.1.0) google
  • 7. 2004 IEEE Standard for information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications: Amendment 6: Medium Access Control (MAC) Security Enhancements, IEEE SA 802.11i-2004 google
  • 8. Arkko J., Haverinen H. 2006 “Extensible authentication protocol method for 3rd generation authentication and key agreement (EAP-AKA),” google
  • 9. Arbaugh W., Aboba B. “Handoff extension to RADIUS,” draft-irtf-aaaarch-handoff-04.txt, 2003 [Internet] google
  • 10. Baek S., Pack S., Kwon T., Choi Y. 2006 “A localized authentication, authorization, and accounting (AAA) protocol for mobile hotspots,” [in Proceedings of 3rd Annual Conference on Wireless On-demand Network Systems and Services (WONS2006)] P.144-153 google
  • 11. Liang W., Wang W. 2005 “On performance analysis of challenge/ response based authentication in wireless networks,” [Computer Networks] Vol.48 P.267-288 google doi
  • [Fig. 1.] Key hierarchy of proposed schemes.
    Key hierarchy of proposed schemes.
  • [] 
  • [] 
  • [Fig. 2.] Modified key initiation procedure of EAP-AKA.
    Modified key initiation procedure of EAP-AKA.
  • [] 
  • [] 
  • [] 
  • [] 
  • [] 
  • [] 
  • [] 
  • [] 
  • [Fig. 3.] Inter-MAG HO authentication.
    Inter-MAG HO authentication.
  • [] 
  • [] 
  • [Fig. 4.] Inter-LMA HO authentication.
    Inter-LMA HO authentication.
  • [] 
  • [] 
  • [] 
  • [] 
  • [] 
  • [] 
  • [] 
  • [] 
  • [] 
  • [] 
  • [Table 1.] Parameters for evaluation
    Parameters for evaluation
  • [Fig. 5.] Authentication cost versus residence time in inter-MAG HOs.
    Authentication cost versus residence time in inter-MAG HOs.
  • [Fig. 6.] Authentication cost versus residence time in inter-LMA HOs.
    Authentication cost versus residence time in inter-LMA HOs.
  • [Fig. 7.] Authentication cost versus call arrival rate in inter-MAG HOs.
    Authentication cost versus call arrival rate in inter-MAG HOs.
  • [Fig. 8.] Authentication cost versus call arrival rate at inter-LMA HOs.
    Authentication cost versus call arrival rate at inter-LMA HOs.
  • [Fig. 9.] Authentication delay versus residence time in inter-MAG HOs.
    Authentication delay versus residence time in inter-MAG HOs.
  • [Fig. 10.] Authentication delay versus call arrival rate at inter-MAG HOs.
    Authentication delay versus call arrival rate at inter-MAG HOs.
  • [Fig. 11.] Authentication delay versus call arrival rate at inter-MAG HOs.
    Authentication delay versus call arrival rate at inter-MAG HOs.
  • [Fig. 12.] Authentication delay versus call arrival rate at inter-LMA HOs.
    Authentication delay versus call arrival rate at inter-LMA HOs.