Research Article
A Cross-Layer Key Management Scheme for MIPv6 Fast Handover over IEEE 802.11 Wireless LAN
Chang-Seop Park,1 Hyun-Sun Kang,2 and Jaijin Jung3
1 Department of Software, Dankook University, Jukjeon 16980, Republic of Korea
2 Department of General Education, Namseoul University, Cheonan 31020, Republic of Korea
3 Department of Applied Computer Engineering, Dankook University, Jukjeon 16980, Republic of Korea
Correspondence should be addressed to Chang-Seop Park; csp0@dankook.ac.kr
Received 21 June 2015; Accepted 29 October 2015
Academic Editor: Francesco Gringoli
Copyright © 2015 Chang-Seop Park et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
A new key management and security scheme is proposed to integrate Layer Two (L2) and Layer Three (L3) keys for secure and fast Mobile IPv6 handover over IEEE 802.11 Wireless Local Area Network (WLAN). Unlike the original IEEE 802.11-based Mobile IPv6 Fast Handover (FMIPv6) that requires time-consuming IEEE 802.1x-based Extensible Authentication Protocol (EAP) authentication on each L3 handover, the newly proposed key management and security scheme requires only one 802.1x-EAP regardless of how many L3 handovers occur. Therefore, the proposed scheme reduces the handover latency that results from a lengthy 802.1x-based EAP. The proposed key management and security scheme is extensively analyzed in terms of security and performance, and the proposed security scheme is shown to be more secure than those that were previously proposed.
1. Introduction
Mobile IPv6 Fast Handover (FMIPv6) [1] has been proposed in order to minimize the delay induced by handover operations of Mobile IPv6 [2]. When a wireless Mobile Node (MN) changes its attachment point to a new Access Router (AR), it is possible to provide IP connectivity in advance of the actual registration of the mobile IP by tunneling data between the current and the target access routers. The basic idea behind FMIPv6, which is a kind of Layer Three (L3) handover, is to leverage information from Layer Two (L2) technologies, such as IEEE 802.11 [3], to either predict or rapidly respond to a handover event. On the other hand, a wireless MN attached to an AR via an Access Point (AP) can move to a new AP without changing its attachment to the AR. In this case, an L2 handover occurs, and the MN must reassociate and authenticate with the new AP using IEEE 802.1x-based Extensible Authentication Protocol (802.1x-EAP) [4]. Given that an L2 handover is also induced when an L3 handover occurs, IEEE 802.11-based FMIPv6 [5] has been proposed and has been analyzed in terms of its handover latency [6, 7].
There are two security issues associated with IEEE 802.11-based FMIPv6. One issue is that of establishing an L3 key between an MN and a new AR on each L3 handover. Based on the L3 key, the L3 signaling messages used to establish the tunnel between the current AR and the target AR can be authenticated; in particular, a compromise of the current L3 key should not induce that of the future L3 key, to suppress the domino effect. Several security mechanisms [8–10] have been previously proposed to establish the L3 key. However, they have several weaknesses in terms of security and efficiency. The other issue is to reduce the authentication delay caused by the L3 handover. The MN would perform a lengthy 802.1x-EAP authentication with AAA (Authentication, Authorization, and Auditing) server on each L3 handover inducing the L2 handover. As a result of successful 802.1x-EAP authentication, the L2 key is shared and used for mutual authentication between the MN and a new AP. Since both L2 and L3 keys are generated and managed independently, key management for IEEE 802.11-based FMIPv6 becomes complex. A simplified key management scheme [10] to derive the L2 key from the L3 key has been proposed to reduce the authentication delay.
Hindawi Publishing Corporation, Mobile Information Systems, Volume 2015, Article ID 708064, 11 pages, http://dx.doi.org/10.1155/2015/708064
[Figure 1: L3 handover procedure of IEEE 802.11-based FMIPv6. (a) Topology with AR0, AR1, AR2, AP0, and AP1, showing L2 and L3 handovers. (b) Handover of the MN from Subnet0 (AR0, AP0) to Subnet1 (AR1, AP1), with the AAA: a, request to tunnel; b, tunnel establishment; c, association/authentication; d, request to forward. (c) Message sequence: (L3) request to tunnel (RtSolPr, PrRtAdv with Prefix1, FBU with CoA1); (L3) tunnel establishment (HI with CoA0 and CoA1, Hack, FBack); disconnected from AP0; (L2) association/authentication (❶ re-association with AP1, ❷ 802.1x-EAP with AAA, ❸ L2 key distribution, ❹ 4-way handshake with AP1); connected to AP1; (L3) request to forward (UNA).]
However, it is still required for the MN to be interconnected with the AAA on each L3 handover, and it has a security problem in that a session hijacking attack is feasible, which will be shown in this paper.
A new key management and security scheme is proposed to secure IEEE 802.11-based FMIPv6 signaling messages. A contribution of this paper is twofold: first, a new L3 key establishment scheme is proposed which is secure against a variety of session hijacking and redirection attacks in case of an L3 key compromise. Second, unlike the original IEEE 802.11-based FMIPv6, where the MN would perform a full IEEE 802.1x-EAP authentication with the AAA on each L3 handover, the newly proposed scheme requires only one IEEE 802.1x-EAP authentication regardless of how many L3 handovers occur. Therefore, the proposed scheme reduces the handover latency that results from the lengthy IEEE 802.1x-EAP authentication. In particular, the proposed key management scheme is of a cross-layer type in the sense that the L2 keys are derived from the L3 key. In Section 2, the background of FMIPv6 over IEEE 802.11 WLAN is introduced along with related works. A new key management and security scheme is proposed in Section 3. The new scheme is analyzed and compared with previous schemes in terms of security and performance in Sections 4 and 5. Finally, concluding remarks are given in Section 6.
2. FMIPv6 over IEEE 802.11 WLAN and Related Works
2.1. FMIPv6 over IEEE 802.11 WLAN. We consider a network environment of Figure 1(a), where each subnet of the AR is comprised of one or more APs. When the MN moves from AP0 to AP1, then both L3 and L2 handovers occur. Namely, the MN's subnet changes from subnet0 to subnet1.
Suppose an L2 handover from AP0 to AP1 is anticipated as in Figure 1(b). By exchanging both the Router Solicitation for Proxy Advertisement (RtSolPr) and the Proxy Router Advertisement (PrRtAdv) messages, the MN configures a new care-of-address (CoA), CoA1, according to the subnet prefix, Prefix1, of AR1. Then, the MN sends a Fast Binding Update (FBU) message to request AR0 to forward packets destined for the MN to AR1 (the "request to tunnel" step in Figure 1(c)). A tunnel is established between AR0 and AR1 by exchanging Handover Initiate (HI) and Handover Acknowledgment (Hack) messages (the "tunnel establishment" step in Figure 1(c)), where the HI message carries the current CoA of the MN, CoA0, and a new CoA, CoA1, to be used on a subnet of AR1. The packets for the MN start to flow to and are buffered at AR1. Then, a Fast Binding Acknowledgment (FBack) message is sent to the MN to notify of the completion of the tunnel establishment.
When finally disconnected from AP0, namely, when the L2 handover occurs, the MN reassociates with AP1 (❶ in Figure 1(c)) and performs a full IEEE 802.1x-EAP authentication with the AAA (❷ in Figure 1(c)). If it is successful, L2 key distribution starts based on the MSK1 shared between the MN and AAA. The PMK1 truncated from the MSK1 is securely distributed to AP1 (❸ in Figure 1(c)). Subsequently, a 4-way Handshake (❹ in Figure 1(c)) based on PMK1 is performed between the MN and AP1. At this point, the MN is successfully attached to a subnet of AR1 (subnet1) through AP1. Finally, the MN sends an Unsolicited Neighbor Advertisement (UNA) message to request AR1 to deliver the buffered packets forwarded from AR0 (the "request to forward" step in Figure 1(c)). The fields inherent to the L3 signaling messages (e.g., RtSolPr) are intentionally omitted for the sake of providing a simple explanation. Instead, they will be padded with the security-related fields when discussing the mechanism used to secure them.
2.2. Threat Models and Problem Statements. Without proper protection for L3 signaling messages in FMIPv6 (the "request to tunnel" and "request to forward" steps in Figure 1), an adversary can forge or modify them to mount a variety of redirection attacks. Unless the previous AR (AR0 in Figure 1) can verify that the FBU message comes from an authorized MN, legitimate traffic for the MN might be redirected to the adversary. Furthermore, the packets for the MN can be redirected to any other host to execute a flooding attack against it or against the subnet to which it belongs. The adversary can also forge the UNA message to steal the traffic destined for the legitimate MN. In order to avoid the above attacks, security associations should be established between the MN and ARs. An L3 key shared between the MN and AR0 is used to authenticate the L3 signaling messages of the "request to tunnel" step in Figure 1, while the L3 signaling messages of the "request to forward" step in Figure 1 can be authenticated based on another L3 key shared between the MN and AR1. Therefore, it is necessary to embed L3 key distribution protocol into the original 802.11-based FMIPv6. In particular, the domino effect should be suppressed in case of the L3 key compromise. Namely, the compromise of the current L3 key should not induce that of the future L3 key.
On the other hand, the 802.1x-EAP authentication (❷ in Figure 1) is for the MN to share a new L2 key with the new AP attached to the target AR through AAA. The L2 key is used for mutual authentication between the MN and the new AP. However, the authentication delay caused by the 802.1x-EAP is a major source of the handover delay, since 8 messages should be exchanged between the MN and AAA in case of using EAP-Transport Layer Security (TLS) method. Hence, if the 802.1x-EAP can be skipped on each L3 handover of the IEEE 802.11-based FMIPv6, the overall handover delay can be greatly improved.
2.3. Previous Works. Several security schemes [11–13] have been investigated for sharing the L2 key to protect L2 signaling messages, which are based on a concept of ticket, key hiding technique, and authentication server, respectively. On the other hand, a security scheme [8] based on Cryptographically Generated Address (CGA) has been proposed to secure L3 signaling messages (the "request to tunnel" step in Figure 1). CGA is formed by taking the IPv6 subnet prefix for a node's subnet and combining it with an interface identifier suffix formed as the hash of the node's public key. The L3 key, $K_0$, generated by AR0 is encrypted using the public encryption key of MN, $ePK_{MN}$, and it is sent to the MN. Both RtSolPr and PrRtAdv messages are protected by the digital signature, while the FBU message is protected by the symmetric key. The definition of the notations is shown in Notations section. Consider

$$
\begin{aligned}
\mathrm{MN} \rightarrow \mathrm{AR}_0 &: RtSolPr,\ PK_{MN},\ ePK_{MN},\ Nonce,\ Sig(SK_{MN}) \\
\mathrm{MN} \leftarrow \mathrm{AR}_0 &: PrRtAdv,\ Prefix_1,\ [K_0]ePK_{MN},\ Nonce,\ Sig(SK_{AR_0}) \\
\mathrm{MN} \rightarrow \mathrm{AR}_0 &: FBU,\ CoA_1,\ MAC(K_0)
\end{aligned} \tag{1}
$$

However, the security scheme does not provide a method to establish a security association between the MN and the target router AR1, so that the UNA message cannot be protected and can be forged to steal the traffic destined for the legitimate MN. Furthermore, a variety of DoS (Denial of Service) attacks can be mounted using the unauthenticated UNA message, which has also been mentioned in [14]. Another security scheme [9] has been proposed to protect L3 signaling messages including the UNA message. The security schemes proposed in [8, 9] are only for protecting L3 signaling messages (the "request to tunnel" and "request to forward" steps in Figure 1).
Integrated handover authentication scheme [10] has been proposed to integrate the L3 key with the L2 key; namely, the L2 key can be derived directly from the L3 key. Before the MN handovers to the target AR, the MN transports a new L3 key, $K_1$, to AR1 through the AAA as in (2), where MSK is a secret key shared between the MN and AAA. Subsequently, AR1 distributes the L2 key (PMK1) derived from the L3 key ($K_1$) to the new AP. A current L3 key, $K_0$, is used to secure the L3 signaling messages (the "request to tunnel" step in Figure 1), while a new L3 key, $K_1$, is for securing the L3 signaling messages (the "request to forward" step in Figure 1). Consider

$$
\begin{aligned}
\mathrm{MN} \rightarrow \mathrm{AR}_0 &: [K_1]MSK,\ R_{MN},\ MAC(MSK),\ MAC(K_0) \\
\mathrm{AR}_0 \rightarrow \mathrm{AR}_1 &: [K_1]MSK,\ R_{MN},\ MAC(MSK) \\
\mathrm{AR}_1 \rightarrow \mathrm{AAA} &: [K_1]MSK,\ R_{MN},\ MAC(MSK) \\
\mathrm{AR}_1 \leftarrow \mathrm{AAA} &: [K_1]MSK,\ R_{MN}
\end{aligned} \tag{2}
$$

As mentioned in Section 2.2, it is desirable for the interaction with the AAA to be skipped in order to speed up the handover process. However, it has not actually been skipped; instead, it has been placed on the L3 protocol. Furthermore, it is not secure against the L3 key compromise attack. Namely, the domino effect occurs in that if $K_0$ is compromised, then $K_1$ is also compromised. The security weakness will be more discussed in Section 4.4.
3. The Proposed Key Management and Security Scheme
A new cross-layer scheme for key management and associated security is proposed, where an L2 key is derived from an L3 key to speed up the L3 handover procedure accompanying the L2 handover, so that it is similar to the one in [10]. However, there is much difference between them in terms of security and efficiency. It is assumed that preestablished security associations exist between AR0 and AR1, AR and AP. A security association between the MN and AAA is also assumed to exist for the initial access of MN to the network. The notations used in this paper are shown in Notations section.
3.1. Design Principles. Suppose an MN handover from a subnet of AR0 to that of AR1. Two L3 keys are required to protect the L3 signaling messages: the one ($K_0$) on the subnet of AR0 and the other ($K_1$) on the subnet of AR1. Unlike the previous schemes [8–10] based on the interaction with AAA, the MN generates and distributes $K_1$ proactively to AR1 before it moves from AR0 to AR1. Furthermore, the L2 key (PMK1) can be derived from $K_1$ on the subnet of AR1 and pushed into new AP1 attached to AR1, so that the IEEE 802.1x-EAP can be skipped.
Since a new L3 key ($K_1$) to be used after handover is predistributed to AR1 by the MN, it is important to guarantee that a compromise of the current L3 key ($K_0$) does not induce that of the future L3 key ($K_1$); namely, the domino effect should be suppressed. For this purpose, double public-key encryptions are applied to $K_1$ before distribution: the one with the public key of AR1 and the other with that of AR0. In our proposed protocol, the authenticity of the public key of AR1 is protected by $K_0$. However, if $K_0$ is compromised, $K_1$ can also be exposed to an adversary. Therefore, it is also protected by the public key of AR0, which has been provided to the MN during the previous handover session.
An IPv6 address of the MN on the subnet of AR$_i$ is formed as $CoA_i\ (= Prefix_i\ IID_i)$, where $IID_i$ is a 64-bit interface identifier. There are two ways of configuring IID: the typical one is based on the L2 address of the MN, and the other is using a random number as IID. In our proposed protocol, we also use the random number but in a slightly different way. It is derived as follows: $IID_i = h_{64}(r_i)$, based on a random number $r_i$ selected by the MN. When moving from AR$_i$ to AR$_{i+1}$, the MN should reveal the random number $r_i$ to prove that $CoA_i$ was generated and owned by the MN. So $CoA_i$ plays a role of a commitment. A main reason to use this mechanism is to defend against a session hijacking attack when the current L3 key is compromised.
3.2. Initial Network Access Protocol. When the MN initially associates with AP0 to access the network service (❶ in Figure 2), it performs full IEEE 802.1x-EAP authentication with the AAA (❷ in Figure 2). As a result, the MSK0 is shared between them, and the information (AR0 and $ePK_{AR_0}$) for the default router of the MN is passed to the MN. Subsequently, the AAA derives two L3 keys, IK and $K_0$, which are truncated from MSK0, and transports them with $MN_{NAI}$ securely to the default router, where $MN_{NAI}$ is the Network Access Identifier (NAI) of the MN. IK is an initial L3 configuration key, while $K_0$ is an L3 handover key based on which an L2 key (PMK0) is also derived. Then, AR0 pushes $PMK_0 = kdf(K_0, MN, AP_0)$ into AP0 (❸ in Figure 2).
MN and AP0 denote the L2 addresses of the MN and AP0, while AR0 denotes the L3 addresses of AR0. The 4-way Handshake based on the PMK0 is executed between the MN and AP0 in order for the MN to attach to a subnet of AR0 (subnet0) through AP0 (❹ in Figure 2). Finally, the MN performs an L3 configuration to check whether its IPv6 care-of-address, CoA0, is duplicate on the subnet of AR0:

$$
\begin{aligned}
\mathrm{MN} \rightarrow \mathrm{AR}_0 &: RtSol,\ R_{MN},\ MN_{NAI},\ MAC(IK) \\
\mathrm{MN} \leftarrow \mathrm{AR}_0 &: RtAdv,\ R_{MN},\ R_0,\ Prefix_0,\ MAC(IK) \\
\mathrm{MN} \rightarrow \mathrm{AR}_0 &: Conf,\ R_0,\ CoA_0,\ MAC(IK)
\end{aligned} \tag{3}
$$

The MN sends a Router Solicitation (RtSol) message to AR0. Based on $MN_{NAI}$, AR0 can retrieve IK and can respond to the RtSol message by sending a Router Advertisement (RtAdv) message. The RtAdv message contains the subnet prefix of AR0, Prefix0, from which the MN configures CoA0 $(= Prefix_0\ IID_0)$, and the MN then sends a Configuration (Conf) message, where the interface identifier $IID_0 = h_{64}(r_0)$ is computed based on a random number $r_0$ generated by the MN. If CoA0 is verified to be unique on the subnet, the initial network access protocol is successfully terminated. Eventually, (CoA0, $K_0$) is stored into the neighbor cache of AR0.
3.3. Proposed Secure Handover Procedure. Suppose an L2 handover accompanying an L3 handover occurs from AP0 to AP1. A sequence of signaling messages is shown in Figure 3, where the L3 key, $K_0$, at the subnet0 has already been shared between the MN and AR0 as a result of a previous handover process or an initial network access. After receiving the RtSolPr message, AR0 responds by sending a PrRtAdv message with a subnet prefix of AR1 (Prefix1) and the public key of AR1 ($ePK_{AR_1}$):

$$\mathrm{MN} \rightarrow \mathrm{AR}_0 : RtSolPr,\ R_{MN},\ MAC(K_0) \tag{4}$$

$$\mathrm{MN} \leftarrow \mathrm{AR}_0 : PrRtAdv,\ R_{MN},\ R_0,\ Prefix_1,\ ePK_{AR_1},\ MAC(K_0) \tag{5}$$

$$\mathrm{MN} \rightarrow \mathrm{AR}_0 : FBU,\ R_0,\ CoA_1,\ [r_0,\ [CoA_1, K_1]ePK_{AR_1}]ePK_{AR_0},\ MAC(K_0) \tag{6}$$

After configuring CoA1 $(= Prefix_1\ IID_1)$, where $IID_1 = h_{64}(r_1)$ is computed based on a random number $r_1$, the MN generates a new L3 key, $K_1$, and sends an FBU message to AR0 (the "request to tunnel" step in Figure 3). Since $K_1$ is to be shared with AR1, it is first encrypted with the public key of AR1, $ePK_{AR_1}$, and subsequently encrypted with the public key of AR0, $ePK_{AR_0}$. When receiving the FBU message, AR0 first obtains $r_0$, $[CoA_1, K_1]ePK_{AR_1}$ after decryption in order to check if $h_{64}(r_0)$ is equal to IID0 of CoA0. If not, the message is proven to be not sent from the MN whose IPv6 address is CoA0, and the handover protocol is aborted. Otherwise, the L3 key, $K_0$, is eventually passed to the target AR1 for the purpose of sharing it with the MN at the subnet1. A reason to encrypt $K_1$ twice is to defend against an L3 key compromise attack, which will be more discussed in Section 4.3. Consider

$$
\begin{aligned}
&\text{A secure channel between } \mathrm{AR}_0 \text{ and } \mathrm{AR}_1: \\
&\qquad HI,\ CoA_0,\ CoA_1,\ [CoA_1, K_1]ePK_{AR_1} \\
&\qquad Hack \\
&\mathrm{MN} \leftarrow \mathrm{AR}_0 : FBack,\ MAC(K_0) \\
&\mathrm{MN} \rightarrow \mathrm{AR}_1 : UNA,\ MAC(K_1)
\end{aligned} \tag{7}
$$

The target router AR1 obtains $K_1$ through the HI message after decryption, and $K_1$ will be used to derive the L2 key $PMK_1 = kdf(K_1, MN, AP_1)$ and to secure the future L3 handover. AR1 pushes PMK1 into AP1.
After reassociating with AP1 (❶ in Figure 3), the MN performs a 4-way Handshake (❷ in Figure 3) based on PMK1 without IEEE 802.1x-EAP authentication with the AAA. Subsequently, the MN sends a UNA message to request AR1 to deliver the buffered packets forwarded from AR0 (the "request to forward" step in Figure 3). (CoA1, $K_1$) is finally stored into the neighbor cache of AR1.

[Figure 2: Proposed initial network access protocol. (L2 connection) ❶ (L2) association with AP0; ❷ (L2) 802.1x-EAP authentication with AAA: (i) (AR0, ePKAR0) is passed to MN, (ii) MSK0 is shared between MN and AAA, (iii) IK and K0 are shared between MN and AR0; ❸ (L2) L2 key distribution (PMK0); ❹ (L2) 4-way handshake with AP0; connected to AP0. (L3 configuration) the RtSol, RtAdv, and Conf messages of (3).]

[Figure 3: Proposed secure handover protocol. (L3) request to tunnel (RtSolPr, PrRtAdv, FBU); (L3) tunnel establishment (HI, Hack, FBack); K1 is shared between MN and AR1; L2 key distribution (PMK1); disconnected from AP0; (L2) association/authentication (❶ reassociation with AP1, ❷ 4-way handshake with AP1); connected to AP1; (L3) request to forward (UNA).]
4. Security Analysis and Comparisons
4.1. Comparison of Key Management Schemes. In this section, three key management schemes are compared: security-enhanced IEEE 802.11-based FMIPv6 [8, 9], Integrated Scheme [10], and our proposed scheme, which are denoted as Schemes 1, 2, and 3, respectively. In case of Scheme 1, the security mechanisms [8, 9] to secure the L3 signaling messages are added to the original IEEE 802.11-based FMIPv6 [5]. However, there is no key management, in that both L3 and L2 keys are separately generated and maintained, meaning that IEEE 802.1x-EAP authentication (Figure 4(a)) should be performed on each L3 handover. A method to integrate the L3 key with the L2 key has been proposed in Scheme 2. Before the MN moves to a new AP attached to the target subnet AR1, it requests the AAA to transport a new L3 key ($K_1$) to AR1, and then a new L2 key (PMK1) derived from it is pushed into AP1 (Figure 4(b)). But the interaction with the AAA cannot be skipped either during the L3 handover. On the other hand, in the proposed scheme (Scheme 3) of Figure 4(c), IEEE 802.1x-EAP authentication is performed only once during the initial network access in Figure 1. During a handover from AR0 to AR1, a new L3 key is sent to AR1 via AR0. Therefore, both the MN and AR1 share $K_1$, which can be used to secure L3 signaling messages and to derive a new L2 key (PMK1) in the target subnet. Since $K_1$ is proactively distributed to AR1 before the MN moves from AR0 to AR1, the MN can perform a 4-way Handshake immediately after reassociating with AP1 (Figure 4(c)).

[Figure 4: Comparison of key management schemes. (a) Scheme 1: MN, AP0, AP1, AR0, AR1, and AAA, with PMK1. (b) Scheme 2: MN, AP0, AP1, AR0, AR1, and AAA, with K1 and PMK1. (c) Scheme 3: MN, AP0, AP1, AR0, and AR1, with K1 and PMK1. Each panel marks handover steps a to d.]
4.2. Replay and Redirection Attacks. In order to guarantee the freshness of FMIPv6 signaling messages, to be precise, to protect from a replay attack, challenge-response authentication based on the random numbers ($R_{MN}$ and $R_0$) is employed for our proposed scheme. A scenario to which the replay attack is applied is as follows: the MN is attached again to AR0 at handover session $i$, while it has been attached to the same AR0 at handover session $j$ ($i > j$). Suppose the MN has moved to AR1 during the handover session $j$ and plans now to move to AR2 during the handover session $i$. In this case, an adversary can try to replay the FMIPv6 signaling messages used during the handover session $j$ to redirect the traffic for the MN. However, the replay attack is not successful due to both nonce values and the L3 key, which is unique for each handover session.
4.3. Compromised L3 Key and Session Hijacking Attack. A case of the L3 key compromise is considered in this section. We show that our proposed scheme is secure against a session hijacking attack through redirection even though the current L3 key, $K_0$, of (5) and (6) is exposed to an adversary. To protect the FBU message in Section 3.3, our proposed security scheme employs two public-key encryptions with $ePK_{AR_0}$ and $ePK_{AR_1}$ as in (5) and (6).
The MN obtains the public key of AR0 ($ePK_{AR_0}$) as a result of an initial network access or a previous L3 handover, while the public key of AR1 ($ePK_{AR_1}$) is passed to the MN by AR0.
4.3.1. Session Hijacking by Redirection Attack. Suppose an adversary A(MN) disguising a victim MN knows the current L3 key $K_0$ and starts an L3 handover as follows:

$$A(MN) \rightarrow \mathrm{AR}_0 : RtSolPr,\ R^*_{MN},\ MAC(K_0) \tag{11′}$$

$$A(MN) \leftarrow \mathrm{AR}_0 : PrRtAdv,\ R^*_{MN},\ R_0,\ Prefix_1,\ ePK_{AR_1},\ MAC(K_0) \tag{12′}$$

$$A(MN) \rightarrow \mathrm{AR}_0 : FBU,\ R_0,\ CoA^*_1,\ [r^*_0,\ [CoA^*_1, K_1]ePK_{AR_1}]ePK_{AR_0},\ MAC(K_0) \tag{13′}$$

$R^*_{MN}$, $CoA^*_1$, and $r^*_0$ are generated by A(MN) that tries to hijack the current traffic for the MN (CoA0) and forward it to A(MN) ($CoA^*_1$). When receiving the FBU message, AR0 obtains $r^*_0$ after decryption and verifies if IID0 of the source IPv6 address (CoA0) is identical to $h_{64}(r^*_0)$. If the verification is not successful, the protocol stops. Since $h_{64}(\cdot)$ is based on a one-way hash function and the $r_0$ used to derive IID0 is known only to the MN, all the adversary can do is attempt to guess $r_0$ (the probability of $r_0 = r^*_0$ is $2^{-64}$). Since CoA0 is valid only on the subnet0 and keeps changing as the MN moves, the probability is negligible enough to defend against such an attack.
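
The checks AR0 applies to an FBU (Sections 3.1, 3.3, and 4.2) and the reason the forged FBU of (13′) is rejected even when $K_0$ is known can be modeled as follows. This is an added example, not code from the paper: SHA-256 truncated to 64 bits for h64, HMAC-SHA256 for MAC and kdf, the field encoding, the verdict strings, and the 2001:db8::/32 addresses are assumptions, and the outer public-key layer is treated as already decrypted by AR0.

```python
import hashlib
import hmac
import ipaddress
import secrets


def h64(r: bytes) -> bytes:
    """h64(.): assumed to be SHA-256 truncated to 64 bits (the paper only requires one-wayness)."""
    return hashlib.sha256(r).digest()[:8]


def make_coa(prefix: str, r: bytes) -> ipaddress.IPv6Address:
    """CoA_i from Prefix_i and IID_i = h64(r_i); r_i stays secret at the MN until handover."""
    net = ipaddress.IPv6Network(prefix)
    return net[int.from_bytes(h64(r), "big")]


def mac(key: bytes, *fields: bytes) -> bytes:
    """MAC(K) over length-prefixed fields; HMAC-SHA256 and the encoding are assumptions."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        m.update(len(f).to_bytes(2, "big") + f)
    return m.digest()


def kdf(l3_key: bytes, mn_l2: bytes, ap_l2: bytes) -> bytes:
    """PMK_i = kdf(K_i, MN, AP_i); an HMAC-based construction is assumed here."""
    return hmac.new(l3_key, b"PMK" + mn_l2 + ap_l2, hashlib.sha256).digest()


class AR0:
    """Previous access router holding (CoA_0, K_0) in its neighbor cache."""

    def __init__(self):
        self.cache = {}    # CoA_0 -> K_0
        self.pending = {}  # CoA_0 -> nonce R_0 sent in the last PrRtAdv

    def issue_nonce(self, coa0):
        self.pending[coa0] = secrets.token_bytes(16)
        return self.pending[coa0]

    def check_fbu(self, coa0, nonce, coa1, r0, inner, tag):
        """Checks on an FBU whose outer ePK_AR0 layer is already decrypted to (r0, inner)."""
        k0 = self.cache.get(coa0)
        if k0 is None:
            return "unknown-coa"
        expected = mac(k0, b"FBU", nonce, coa1.packed, r0, inner)
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"                       # sender does not hold K_0
        if self.pending.pop(coa0, None) != nonce:
            return "stale-nonce"                   # replayed or unsolicited FBU
        if not hmac.compare_digest(h64(r0), coa0.packed[8:]):
            return "not-owner"                     # K_0 alone is not enough
        return "forward-to-AR1"                    # inner goes to AR1 in HI


def demo():
    """Constructed scenario: adversary holding K_0, legitimate MN, and a replay."""
    ar0, results = AR0(), {}
    k0, r0 = secrets.token_bytes(32), secrets.token_bytes(16)
    coa0 = make_coa("2001:db8:0:a::/64", r0)
    ar0.cache[coa0] = k0
    inner = b"[CoA1,K1] sealed to AR1 (opaque to AR0)"

    # Adversary knows K_0 (valid MAC) but must guess r_0, as in (13').
    fake_r0 = secrets.token_bytes(16)
    fake_coa1 = make_coa("2001:db8:0:b::/64", secrets.token_bytes(16))
    n = ar0.issue_nonce(coa0)
    tag = mac(k0, b"FBU", n, fake_coa1.packed, fake_r0, inner)
    results["adversary_with_K0"] = ar0.check_fbu(coa0, n, fake_coa1, fake_r0, inner, tag)

    # Legitimate MN reveals the real r_0 behind IID_0.
    coa1 = make_coa("2001:db8:0:b::/64", secrets.token_bytes(16))
    n = ar0.issue_nonce(coa0)
    tag = mac(k0, b"FBU", n, coa1.packed, r0, inner)
    results["legit"] = ar0.check_fbu(coa0, n, coa1, r0, inner, tag)

    # Replaying the accepted FBU fails: its nonce R_0 was consumed.
    results["replay"] = ar0.check_fbu(coa0, n, coa1, r0, inner, tag)

    # The same K_1 yields a different PMK per (MN, AP) pair.
    k1, mn = secrets.token_bytes(32), bytes.fromhex("020000000001")
    results["pmk_differs"] = (kdf(k1, mn, bytes.fromhex("0200000000a1"))
                              != kdf(k1, mn, bytes.fromhex("0200000000b1")))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The MAC check alone passes for anyone holding $K_0$; it is the comparison of $h_{64}(r_0)$ against the interface identifier of the cached CoA0 that separates the address owner from a key thief.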
4.3.2. Session Hijacking by Man-in-the-Middle Attack. Suppose an adversary A(MN) knows the current L3 key, $K_0$, and the victim MN starts an L3 handover to request AR0 to forward its traffic to CoA1. To see why the public-key encryption with $ePK_{AR_0}$ is required, (6) is modified into (13″):

$$\mathrm{MN} \rightarrow \mathrm{AR}_0 : FBU,\ R_0,\ CoA_1,\ r_0,\ [CoA_1, K_1]ePK_{AR_1},\ MAC(K_0) \tag{13″}$$

Then, the adversary can mount a man-in-the-middle attack as follows:

$$\mathrm{MN} \rightarrow \mathrm{AR}_0 : RtSolPr,\ R_{MN},\ MAC(K_0) \tag{8}$$

$$A(MN) \leftarrow \mathrm{AR}_0 : PrRtAdv,\ R_{MN},\ R_0,\ Prefix_1,\ ePK_{AR_1},\ MAC(K_0) \tag{9}$$

$$\mathrm{MN} \leftarrow A(MN) : PrRtAdv,\ R_{MN},\ R_0,\ Prefix_1,\ ePK^*_{AR_1},\ MAC(K_0) \tag{10}$$

$$\mathrm{MN} \rightarrow A(MN) : FBU,\ R_0,\ CoA_1,\ r_0,\ [CoA_1, K_1]ePK^*_{AR_1},\ MAC(K_0) \tag{11}$$

$$A(MN) \rightarrow \mathrm{AR}_0 : FBU,\ R_0,\ CoA^*_1,\ r_0,\ [CoA^*_1, K_1]ePK_{AR_1},\ MAC(K_0) \tag{12}$$

Namely, A(MN) observing between the MN and AR0 modifies $ePK_{AR_1}$ of (9) into $ePK^*_{AR_1}$ of (10) generated by A(MN), so that A(MN) can obtain a new L3 key $K_1$ and hijack the traffic for CoA1 for the purpose of forwarding it to $CoA^*_1$. Eventually, the connection with AR1 is turned over to A(MN). On the other hand, if (6) is used instead of (13′), (11) and (12) are changed into (19′) and (20′), respectively:

$$\mathrm{MN} \rightarrow A(MN) : FBU,\ R_0,\ CoA_1,\ [r_0,\ [CoA_1, K_1]ePK^*_{AR_1}]ePK_{AR_0},\ MAC(K_0) \tag{19′}$$

$$A(MN) \rightarrow \mathrm{AR}_0 : FBU,\ R_0,\ CoA_1,\ [r_0,\ [CoA_1, K_1]ePK^*_{AR_1}]ePK_{AR_0},\ MAC(K_0) \tag{20′}$$

When intercepting (19′), A(MN) cannot modify CoA1 or obtain $K_1$ since they are encrypted with $ePK_{AR_0}$. Therefore, when receiving $[CoA_1, K_1]ePK^*_{AR_1}$ through the HI message, AR1 aborts the current protocol since it cannot be decrypted with $ePK_{AR_1}$. Therefore, a compromise of the current L3 key does not induce that of the future L3 key.
4.4. Security Comparisons. Table 1 shows security comparisons (Schemes 1, 2, and 3) including the key management comparisons discussed in Section 4.1. It has been shown that our proposed scheme is secure against the session hijacking attack in case of the L3 key compromise. Scheme 1 is also secure since the L3 key is always generated and shared as a result of 802.1x-EAP protocol. However, Scheme 2 ((2) in Section 2.3) is not secure when the L3 key is compromised. Suppose $K_0$ is exposed to an adversary A(MN) and (13) can be observed from the previous handover session.
Previous handover session with L3 key $K_X$:

$$\mathrm{MN} \rightarrow \mathrm{AR}_0 : [K_0]MSK,\ R_{MN},\ MAC(MSK),\ MAC(K_X) \tag{13}$$

Current handover session with L3 key $K_0$ (compromised):

$$A(MN) \rightarrow \mathrm{AR}_0 : [K_0]MSK,\ R_{MN},\ MAC(MSK),\ MAC(K_0) \tag{14}$$

In this case, if the adversary replays a part of (13) as in (14) with the compromised L3 key $K_0$, then the adversary can share the same L3 key with a new AR, so that the adversary can hijack the current session.
4.5. AAA Issues for Security and Billing. FMIPv6 can support handover across different administrative domains. As mentioned before, if the two ARs belong to two different administrative domains, there should be a prior roaming agreement between them for security and billing. Typically, the accounting data (information about MN's resource consumption) collected by the network devices in the visiting domain is carried by the accounting protocol to the home domain. FMIPv6 over IEEE 802.11 is followed by the MIPv6 BU (Binding Update) protocol, whose role is to inform MN's HA (Home Agent) of the current AR. There are two service providers, Network Access Service Provider (NSP) and Mobility Service Provider (MSP), in MIPv6 bootstrapping environment [15]. The IEEE 802.11-based FMIPv6 service can be provided by the NSP offering a basic network access service to MN, while the MIPv6 BU service is provided by the MSP. So, when the MIPv6 BU protocol is initiated, MSP's authorizer (AAA) will be interacted with the MN and AR, which is beyond the scope of this paper.
5. Performance Analysis and Comparison

In this section, the three handover latencies from the previous schemes (Schemes 1 and 2) and from the proposed scheme (Scheme 3) are compared. We first describe the analytical mobility model for the performance evaluation, and then we analyze and compare the handover costs and the numeric results of the analysis.

Table 1: Security comparisons.

| | Scheme 1 [8] | Scheme 1 [9] | Scheme 2 [10] | Scheme 3 [proposed one] |
|---|---|---|---|---|
| L3/L2 key management | None | None | Yes | Yes |
| Interaction with AAA | Required | Required | Required | Not required |
| L3 key generation | by AR | by MN | by MN | by MN |
| L2 key generation | 802.1x-EAP | 802.1x-EAP | from L3 key | from L3 key |
| Protection for UNA | None | Provided | Provided | Provided |
| Security attack due to L3 key compromise | Secure | Secure | Insecure | Secure |
5.1. Analytical Mobility Model. For the sake of simplicity, a square-shaped network model is used to analyze and compare the performance of the protocol under the three different schemes. In the square-shaped network model, coverage of the entire administrative domain and that of each AP are all square-shaped, and $N$ APs are uniformly distributed over the area of the administrative FMIPv6 domain. Figure 5 shows the square-shaped mobility model, where the bold lines indicate the boundary of the subnet consisting of 4 APs (AP01, AP02, AP03, and AP04) connected to AR0.

The handover procedure is performed by the MN between ARs and APs. Hence, the handover rate is closely related to the mobility pattern of MN. The Fluid Flow (FF) model is widely used to analyze issues related to cell boundary crossing, such as a handover [16]. The FF model is suitable for MNs with a static speed and direction of motion. We adapt the FF model for use as the mobility model. Let $l$ and $L$ denote the perimeter of each AP and AR, while $v$ and $p$, respectively, denote the average velocity and density of MN. The MNs are uniformly distributed with a density $p$, and they move at an average velocity of $v$ in directions that are uniformly distributed over $[0, 2\pi]$. In the next analysis, $v$ is varied from 0.1 m/s to 5 m/s and $p$ is set to 0.0002 MNs/m² (200 MNs per km²). Let $R_c$ and $R_d$ be the crossing rates over the coverage of each AP and AR, respectively. They are then defined as follows:

$$R_c = \frac{p\,v\,l}{\pi}, \qquad R_d = \frac{p\,v\,L}{\pi} \quad (\text{where } L = l\sqrt{N}). \tag{15}$$
5.2. Handover Cost Analysis and Numerical Results. In IEEE 802.11-based FMIPv6, an MN performs L2 and L3 handover procedures. When an MN changes its current address to a new AR, the MN performs an L3 handover procedure. On the other hand, if an MN changes its current AP to another one connected to the same AR, then MN performs an L2 handover procedure. In this section, the average handover cost per MN is defined as the sum of the cost of the L3 handover and the cost of the L2 handover per unit time in order to provide results for the performance comparison. Let $A_j$ be the average handover cost per MN in unit of time, and $I_j$ and $H_j$ are the L3 handover cost and the L2 handover cost for Scheme $j$ (= 1, 2, 3), respectively. $I_j$ and $H_j$ are defined as the sum of the signaling cost $S_j$ and the processing cost $P_j$ for the L3 and L2 handovers, respectively. Based on (15), the average handover cost per MN, $A_j$, can be calculated as follows [16], where $W_{AR}$ is the area of an AR domain:

$$A_j = \frac{R_d \cdot I_j + (N \cdot R_c - R_d) \cdot H_j}{p \cdot W_{AR}} \quad (\text{where } I_j\,(H_j) = S_j + P_j). \tag{16}$$

[Figure 5: Square-shaped mobility model ($N = 4$). AP01, AP02, AP03, and AP04 are connected to AR0; an L2 handover occurs between APs, and L2 and L3 handovers occur between ARs.]
The parameter descriptions and values for the performance comparison, referenced from [16], are defined in Table 2. Note that the values other than $p$, $v$, $l$, and $N$ are defined "relatively" for the purpose of this comparison, so the handover cost does not indicate the actual authentication delay for the corresponding scheme.

Using the parameters in Table 2, the L2 and L3 handover costs and the average handover cost can be calculated based on (17). The $P_{j\mathrm{MN}}$, $P_{j\mathrm{AP}}$, $P_{j\mathrm{AR0}}$, $P_{j\mathrm{AR1}}$, and $P_{j\mathrm{AAA}}$ indicate the processing costs on MN, AP, AR0, AR1, and AAA, respectively, of Scheme $j$, and each of them is also calculated from the cost of cryptographic operations such as $C_{key}$ and $C_{hash}$. Let the number of hops between any two relatively close network devices (such as MN-to-AP, AP-to-AP, and AR-to-AR) be 1. $a_{ji}$ and $b_{jk}$ are specific coefficients of Scheme $j$:

$$P_j = \sum_{i \in Q} a_{ji} P_{ji}, \quad \text{where } Q = \{\mathrm{MN}, \mathrm{AP}, \mathrm{AR0}, \mathrm{AR1}, \mathrm{AAA}\},$$

$$S_j = C_{hop}\,[\,C_{wireless} + C_{wired}\,(b_{j1} + b_{j2} D_{AP\text{-}AAA} + b_{j3} D_{AP\text{-}AR})\,]. \tag{17}$$

Table 2: Parameters for evaluation.

| Symbol | Description | Value |
|---|---|---|
| $p$ | Density in a cell (MNs/m²) | 0.0002 MNs/m² |
| $v$ | Average velocity of an MN (m/s) | 5 m/s (0.1∼5) |
| $l$ | Perimeter of AP's coverage (m) | 120 m |
| $N$ | Number of APs in an AR | 5 APs (1∼10) |
| $C_{enc}$, $C_{dec}$ | Encryption cost/decryption cost | 1 |
| $C_{key}$ | Key generation cost | 1 |
| $C_{int}$ | Message integrity code cost | 0.25 |
| $C_{hash}$ | Hash cost | 0.25 |
| $C_{kdf}$ | KDF cost | 0.25 |
| $C_{rand}$ | Random number generation cost | 0.25 |
| $C_{hop}$ | Transmission cost on the hop | 10 |
| $C_{pub}$ | Public key operation cost | 10 |
| $C_{wired}$ | Unit of transmission cost for a wired link | 1 |
| $C_{wireless}$ | Unit of transmission cost for a wireless link | 15 |
| $D_{AP\text{-}AAA}$ | Number of hops between AP and AAA | 10 |
| $D_{AP\text{-}AR}$ | Number of hops between AP and AR | 2 |
The handover cost of each scheme evaluated according to Table 2 is shown in Figure 6. Figure 6(a) compares the L3 handover costs of the three schemes. It can be observed that the main contributor to the handover cost is the signaling cost $S_j$, and the handover cost of the previous schemes is larger than that of the proposed scheme as a result of the difference in when the interaction between the MN and AAA is required. Figure 6(b) shows the average handover cost per MN as the average velocity of the MN increases. The density of MN, $p$, is set to 0.0002, the number of APs in an AR, $N$, is set to 5, and the velocity of an MN varies from 0.1 m/s to 5 m/s. The average handover cost for the three schemes increases as the velocity increases. Figure 6(c) shows the impact the number of APs in an AR has on the average handover cost per MN. The density of MN, $p$, is set to 0.0002, and the velocity of an MN, $v$, is set to 5. The average handover cost decreases as the number of APs in an AR increases.

As we can see from Figures 6(a), 6(b), and 6(c), the proposed scheme is much more or slightly more efficient than the previous schemes. Figure 6(d) shows the impacts that the velocity of MN and the number of APs in an AR have on the average handover cost for the proposed scheme. The average handover cost increases rapidly as the velocity of MN increases. However, the average handover cost decreases gradually as the number of APs in an AR increases. Therefore, the velocity of MN, rather than the number of APs in an AR, is a more important factor to consider in order to achieve an efficient handover.
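The cost model of (15) and (16) can be evaluated directly to check the two trends described above. The following is an added example, not code from the paper: the per-handover costs $I_j$ and $H_j$ are constructed values (the coefficients $a_{ji}$ and $b_{jk}$ are not given on this page), and $W_{AR} = (L/4)^2$ is derived here from the square-shaped model with perimeter $L$.

```python
import math

# Table 2 values from the page.
P_DENSITY = 0.0002   # p, MNs per m^2
L_AP = 120.0         # l, perimeter of an AP's coverage in m

# Constructed per-handover costs (I_j, H_j). These are NOT the paper's values;
# they only separate "L3 handover with AAA round trip" from "without".
CONSTRUCTED_COSTS = {
    "L3 handover with AAA interaction": (1200.0, 100.0),
    "L3 handover without AAA interaction": (400.0, 100.0),
}


def crossing_rates(p, v, l, n_aps):
    """Equation (15): return (R_c, R_d) for AP and AR boundary crossings."""
    big_l = l * math.sqrt(n_aps)          # L = l * sqrt(N)
    return p * v * l / math.pi, p * v * big_l / math.pi


def ar_area(l, n_aps):
    """W_AR for a square AR domain of perimeter L (assumption: side = L / 4)."""
    side = l * math.sqrt(n_aps) / 4.0
    return side * side


def average_handover_cost(p, v, l, n_aps, l3_cost, l2_cost):
    """Equation (16): A_j = (R_d*I_j + (N*R_c - R_d)*H_j) / (p * W_AR)."""
    r_c, r_d = crossing_rates(p, v, l, n_aps)
    l3_rate = r_d                          # AR boundary crossings: L3 (+L2) handover
    l2_rate = n_aps * r_c - r_d            # AP crossings that stay inside the AR
    return (l3_rate * l3_cost + l2_rate * l2_cost) / (p * ar_area(l, n_aps))


def closed_form(v, l, n_aps, l3_cost, l2_cost):
    """(16) after substituting (15) and W_AR; the density p cancels out."""
    s = math.sqrt(n_aps)
    return 16.0 * v / (math.pi * l) * (l3_cost / s + (1.0 - 1.0 / s) * l2_cost)


def sweep(l3_cost, l2_cost):
    """Reproduce the two sweeps of Figure 6(b) and 6(c) for one cost pair."""
    by_velocity = [average_handover_cost(P_DENSITY, v / 10.0, L_AP, 5, l3_cost, l2_cost)
                   for v in range(1, 51)]          # v = 0.1 .. 5 m/s, N = 5
    by_n_aps = [average_handover_cost(P_DENSITY, 5.0, L_AP, n, l3_cost, l2_cost)
                for n in range(1, 11)]             # N = 1 .. 10, v = 5 m/s
    return by_velocity, by_n_aps


if __name__ == "__main__":
    for name, (i_j, h_j) in CONSTRUCTED_COSTS.items():
        by_v, by_n = sweep(i_j, h_j)
        print(f"{name}: v=0.1 -> {by_v[0]:.2f}, v=5 -> {by_v[-1]:.2f}, "
              f"N=1 -> {by_n[0]:.2f}, N=10 -> {by_n[-1]:.2f}")
```

The closed form shows why the trends hold: the cost is linear in $v$, and it falls with $N$ whenever $I_j > H_j$, because a larger AR domain turns a larger share of boundary crossings into L2-only handovers.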
6. Conclusions

We have designed a key management and security scheme to enhance L2/L3 handover security and to reduce the authentication delay induced by the L3 handover. The proposed scheme is based on the original IEEE 802.11-based FMIPv6, where, first, based on the security assumptions, an initial network access protocol has been proposed to bootstrap the security associations among the network entities. Second, a cross-layer key management process has been introduced to integrate the L2 key with the L3 key. Namely, the L3 key can be judiciously employed to derive the L2 key, so that the time-consuming IEEE 802.1x-EAP authentication with the AAA can be skipped. Third, a method for protecting the seven L3 signaling messages has been proposed, as well as a scheme to securely transport the L3 key to the target AR. In particular, the case of a compromised L3 key has been considered, for which, even though the L3 key at the subnet of the current AR is compromised, an adversary with the compromised L3 key cannot perform any kind of redirection attack. In other words, a domino effect can be suppressed. FMIPv6 over IEEE 802.11 is followed by the MIPv6 BU (Binding Update) protocol, which involves an interaction with the AAA of the MSP. In the integrated scenario of MIPv6 bootstrapping, the MSP plays the role of the NSP, while the MSP and NSP are two distinct service providers in the split scenario. As a follow-up to the current research, the AAA issues for security and billing will be investigated further, considering both the split and integrated scenarios for MIPv6 bootstrapping.
[Figure 6: Numerical results. (a) L3 handover cost per entity (MN, AP, AR0, AR1, AAA, $P_j$, $S_j$); (b) average handover cost versus velocity of MN (m/s) ($N = 5$); (c) average handover cost versus number of APs in an AR ($N$) ($v = 5$); (d) average handover cost of proposed scheme versus number of APs in an AR ($N$). Series in (a) to (c): Scheme 1 [8, 9], Scheme 2 [10], Scheme 3 [proposed].]
Notations

$MAC(K)$: Message authentication code computed over all preceding message fields using a symmetric key $K$
$[m]_K$: Encryption of $m$ using symmetric key $K$
$kdf(\cdot)$: Key derivation function
$R_X$: Random number generated by $X$ ($X$ = MN, 0 for AR0, 1 for AR1)
Nonce: Nonce parameter
$h(\cdot)$: One-way hash function
$h_{64}(\cdot)$: 64-bit truncation from the output of $h(\cdot)$
$K_i$: L3 key shared between MN and AR$_i$
$PMK_i$: L2 key shared between MN and AP$_i$
$PK_X$, $SK_X$: A pair of public and private keys of $X$ used for the signature
$ePK_X$, $eSK_X$: A pair of public and private keys of $X$ used for the encryption
$Sig(SK_X)$: A digital signature based on the signing private key $SK_X$, covering all preceding message fields
$[m]_{ePK_X}$: Encryption of $m$ with the public key $ePK_X$ of $X$ ($X$ = MN, 0 for AR0, 1 for AR1).
Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This research was supported by the Employment Contract based Master Degree Program for Information Security supervised by the KISA (Korea Internet Security Agency) and also supported by the MSIP (Ministry of Science, ICT and Future Planning), Republic of Korea, under the CPRC (Communications Policy Research Center) Support Program supervised by the KCA (Korea Communications Agency) (KCA-2013-003).
References

[1] R. Koodli, "Mobile IPv6 fast handovers," RFC 5268, 2008.
[2] C. Perkins, D. Johnson, and J. Arkko, "Mobility support in IPv6," RFC 6725, 2011.
[3] IEEE 802.11, Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, IEEE Standard, 2012.
[4] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, and H. Levkowetz, "Extensible authentication protocol (EAP)," RFC 3748, 2004.
[5] P. McCann, "Mobile IPv6 fast handovers for 802.11 networks," RFC 4260, 2005.
[6] Y. Song, M. Liu, Z. Li, and Q. Li, "Handover latency of predictive FMIPv6 in IEEE 802.11 WLANs: a cross layer perspective," in Proceedings of the 18th International Conference on Computer Communications and Networks (ICCCN '09), pp. 1–6, San Francisco, Calif, USA, August 2009.
[7] M. Alnas, I. Awan, and R. D. W. Holton, "Performance evaluation of fast handover in mobile IPv6 based on link-layer information," Journal of Systems and Software, vol. 83, no. 10, pp. 1644–1650, 2010.
[8] J. Kempf and R. Koodli, "Distributing a symmetric fast mobile IPv6 handover key using secure neighbor discovery," RFC 5269, 2008.
[9] C.-S. Park, "Security-enhanced fast mobile IPv6 handover," IEICE Transactions on Communications, vol. E93-B, no. 1, pp. 178–181, 2010.
[10] J. Choi and S. Jung, "An integrated handover authentication for FMIPv6 over heterogeneous access link technologies," Wireless Personal Communications, vol. 71, no. 2, pp. 839–856, 2013.
[11] L. Xu, Y. He, X. Chen, and X. Huang, "Ticket-based handoff authentication for wireless mesh networks," Computer Networks, vol. 73, pp. 185–194, 2014.
[12] R. Singh and T. P. Sharma, "A key hiding communication scheme for enhancing the wireless LAN security," Wireless Personal Communications, vol. 77, no. 2, pp. 1145–1165, 2014.
[13] X. Li, F. Bao, S. Li, and J. Ma, "FLAP: An efficient WLAN initial access authentication protocol," IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 488–497, 2014.
[14] I. You, K. Sakurai, and Y. Hori, "A security analysis on Kempf-Koodli's security scheme for fast Mobile IPv6," IEICE Transactions on Communications, vol. 92, no. 6, pp. 2287–2290, 2009.
[15] K. Chowdhury and A. Yegin, "Mobile IPv6 (MIPv6) bootstrapping for the integrated scenario," RFC 6621, 2012.
[16] G. Li, J. Ma, Q. Jiang, and X. Chen, "A novel re-authentication scheme based on tickets in wireless local area networks," Journal of Parallel and Distributed Computing, vol. 71, no. 7, pp. 906–914, 2011.
[Figure 1: L3 handover procedure of IEEE 802.11-based FMIPv6. (a) Topology with AR0, AR1, AR2, AP0, and AP1, marking the L2 and L3 handovers. (b) Signaling overview between the MN, AP0/AR0 (subnet0), AP1/AR1 (subnet1), and the AAA: ⓐ request to tunnel, ⓑ tunnel establishment, ⓒ association/authentication, ⓓ request to forward. (c) Message sequence: (L3) request to tunnel: RtSolPr, PrRtAdv (Prefix1), FBU (CoA1); (L3) tunnel establishment: HI (CoA0, CoA1), Hack, FBack; disconnected from AP0; (L2) association/authentication: ❶ re-association with AP1, ❷ 802.1x-EAP with AAA, ❸ L2 key distribution, ❹ 4-way handshake with AP1; connected to AP1; (L3) request to forward: UNA.]
However, it is still required for the MN to be interconnected with the AAA on each L3 handover, and it has a security problem in that a session hijacking attack is feasible, which will be shown in this paper.

A new key management and security scheme is proposed to secure IEEE 802.11-based FMIPv6 signaling messages. A contribution of this paper is twofold: first, a new L3 key establishment scheme is proposed, which is secure against a variety of session hijacking and redirection attacks in case of an L3 key compromise. Second, unlike the original IEEE 802.11-based FMIPv6, where the MN would perform a full IEEE 802.1x-EAP authentication with the AAA on each L3 handover, the newly proposed scheme requires only one IEEE 802.1x-EAP authentication regardless of how many L3 handovers occur. Therefore, the proposed scheme reduces the handover latency that results from the lengthy IEEE 802.1x-EAP authentication. In particular, the proposed key management scheme is of a cross-layer type in the sense that the L2 keys are derived from the L3 key. In Section 2, the background of FMIPv6 over IEEE 802.11 WLAN is introduced along with related works. A new key management and security scheme is proposed in Section 3. The new scheme is analyzed and compared with previous schemes in terms of security and performance in Sections 4 and 5. Finally, concluding remarks are given in Section 6.
2. FMIPv6 over IEEE 802.11 WLAN and Related Works

2.1. FMIPv6 over IEEE 802.11 WLAN. We consider a network environment of Figure 1(a), where each subnet of the AR is comprised of one or more APs. When the MN moves from AP0 to AP1, then both L3 and L2 handovers occur. Namely, the MN's subnet changes from subnet0 to subnet1.

Suppose an L2 handover from AP0 to AP1 is anticipated as in Figure 1(b). By exchanging both the Router Solicitation for Proxy Advertisement (RtSolPr) and the Proxy Router Advertisement (PrRtAdv) messages, the MN configures a new care-of-address (CoA), CoA1, according to the subnet prefix, Prefix1, of AR1. Then, the MN sends a Fast Binding Update (FBU) message to request AR0 to forward packets destined for the MN to AR1 (ⓐ in Figure 1(c)). A tunnel is established between AR0 and AR1 by exchanging Handover Initiate (HI) and Handover Acknowledgment (Hack) messages (ⓑ in Figure 1(c)), where the HI message carries the current CoA of the MN, CoA0, and a new CoA, CoA1, to be used on a subnet of AR1. The packets for the MN start to flow to and are buffered at AR1. Then, a Fast Binding Acknowledgment (FBack) message is sent to the MN to notify of the completion of the tunnel establishment.

When finally disconnected from AP0, namely, when the L2 handover occurs, the MN reassociates with AP1 (❶ in Figure 1(c)) and performs a full IEEE 802.1x-EAP authentication with the AAA (❷ in Figure 1(c)). If it is successful, L2 key distribution starts based on the MSK1 shared between the MN and AAA. The PMK1 truncated from the MSK1 is securely distributed to AP1 (❸ in Figure 1(c)). Subsequently, a 4-way Handshake (❹ in Figure 1(c)) based on PMK1 is performed between the MN and AP1. At this point, the MN is successfully attached to a subnet of AR1 (subnet1) through AP1. Finally, the MN sends an Unsolicited Neighbor Advertisement (UNA) message to request AR1 to deliver the buffered packets forwarded from AR0 (ⓓ in Figure 1(c)). The fields inherent to the L3 signaling messages (e.g., RtSolPr) are intentionally omitted for the sake of providing a simple explanation. Instead, they will be padded with the security-related fields when discussing the mechanism used to secure them.
2.2. Threat Models and Problem Statements. Without proper protection for L3 signaling messages in FMIPv6 (ⓐ and ⓓ in Figure 1), an adversary can forge or modify them to mount a variety of redirection attacks. Unless the previous AR (AR0 in Figure 1) can verify that the FBU message comes from an authorized MN, legitimate traffic for the MN might be redirected to the adversary. Furthermore, the packets for the MN can be redirected to any other host to execute a flooding attack against it or against the subnet to which it belongs. The adversary can also forge the UNA message to steal the traffic destined for the legitimate MN. In order to avoid the above attacks, security associations should be established between the MN and ARs. An L3 key shared between the MN and AR0 is used to authenticate the L3 signaling messages of ⓐ in Figure 1, while the L3 signaling messages of ⓓ in Figure 1 can be authenticated based on another L3 key shared between the MN and AR1. Therefore, it is necessary to embed L3 key distribution protocol into the original 802.11-based FMIPv6. In particular, the domino effect should be suppressed in case of the L3 key compromise. Namely, the compromise of the current L3 key should not induce that of the future L3 key.

On the other hand, the 802.1x-EAP authentication (❷ in Figure 1) is for the MN to share a new L2 key with the new AP attached to the target AR through AAA. The L2 key is used for mutual authentication between the MN and the new AP. However, the authentication delay caused by the 802.1x-EAP is a major source of the handover delay, since 8 messages should be exchanged between the MN and AAA in case of using EAP-Transport Layer Security (TLS) method. Hence, if the 802.1x-EAP can be skipped on each L3 handover of the IEEE 802.11-based FMIPv6, the overall handover delay can be greatly improved.
2.3. Previous Works. Several security schemes [11–13] have been investigated for sharing the L2 key to protect L2 signaling messages, which are based on a concept of ticket, key hiding technique, and authentication server, respectively. On the other hand, a security scheme [8] based on Cryptographically Generated Address (CGA) has been proposed to secure L3 signaling messages (ⓐ in Figure 1). CGA is formed by taking the IPv6 subnet prefix for a node's subnet and combining it with an interface identifier suffix formed as the hash of the node's public key. The L3 key, $K_0$, generated by AR0 is encrypted using the public encryption key of MN, $ePK_{MN}$, and it is sent to the MN. Both RtSolPr and PrRtAdv messages are protected by the digital signature, while the FBU message is protected by the symmetric key. The definition of the notations is shown in Notations section. Consider

$$\begin{aligned}
\mathrm{MN} \rightarrow \mathrm{AR}_0 &: \mathit{RtSolPr},\ PK_{MN},\ ePK_{MN},\ \mathit{Nonce},\ Sig(SK_{MN}) \\
\mathrm{MN} \leftarrow \mathrm{AR}_0 &: \mathit{PrRtAdv},\ \mathit{Prefix}_1,\ [K_0]_{ePK_{MN}},\ \mathit{Nonce},\ Sig(SK_{AR0}) \\
\mathrm{MN} \rightarrow \mathrm{AR}_0 &: \mathit{FBU},\ \mathit{CoA}_1,\ MAC(K_0)
\end{aligned} \tag{1}$$

However, the security scheme does not provide a method to establish a security association between the MN and the target router, AR1, so that the UNA message cannot be protected and can be forged to steal the traffic destined for the legitimate MN. Furthermore, a variety of DoS (Denial of Service) attacks can be mounted using the unauthenticated UNA message, which has also been mentioned in [14]. Another security scheme [9] has been proposed to protect L3 signaling messages including the UNA message. The security schemes proposed in [8, 9] are only for protecting L3 signaling messages (ⓐ and ⓓ in Figure 1).

Integrated handover authentication scheme [10] has been proposed to integrate the L3 key with the L2 key; namely, the L2 key can be derived directly from the L3 key. Before the MN handovers to the target AR, the MN transports a new L3 key, $K_1$, to AR1 through the AAA as in (2), where MSK is a secret key shared between the MN and AAA. Subsequently, AR1 distributes the L2 key (PMK1) derived from the L3 key ($K_1$) to the new AP. A current L3 key, $K_0$, is used to secure the L3 signaling messages (ⓐ in Figure 1), while a new L3 key, $K_1$, is for securing the L3 signaling messages (ⓓ in Figure 1). Consider

$$\begin{aligned}
\mathrm{MN} \rightarrow \mathrm{AR}_0 &: [K_1]_{MSK},\ R_{MN},\ MAC(MSK),\ MAC(K_0) \\
\mathrm{AR}_0 \rightarrow \mathrm{AR}_1 &: [K_1]_{MSK},\ R_{MN},\ MAC(MSK) \\
\mathrm{AR}_1 \rightarrow \mathrm{AAA} &: [K_1]_{MSK},\ R_{MN},\ MAC(MSK) \\
\mathrm{AR}_1 \leftarrow \mathrm{AAA} &: [K_1]_{MSK},\ R_{MN}
\end{aligned} \tag{2}$$

As mentioned in Section 2.2, it is desirable for the interaction with the AAA to be skipped in order to speed up the handover process. However, it has not actually been skipped; instead, it has been placed on the L3 protocol. Furthermore, it is not secure against the L3 key compromise attack. Namely, the domino effect occurs in that if $K_0$ is compromised, then $K_1$ is also compromised. The security weakness will be discussed further in Section 4.4.
3. The Proposed Key Management and Security Scheme

A new cross-layer scheme for key management and associated security is proposed, where an L2 key is derived from an L3 key to speed up the L3 handover procedure accompanying the L2 handover, so that it is similar to the one in [10]. However, there is much difference between them in terms of security and efficiency. It is assumed that preestablished security associations exist between AR0 and AR1, AR and AP. A security association between the MN and AAA is also assumed to exist for the initial access of MN to the network. The notations used in this paper are shown in Notations section.
3.1. Design Principles. Suppose an MN handover from a subnet of AR0 to that of AR1. Two L3 keys are required to protect the L3 signaling messages: the one ($K_0$) on the subnet of AR0 and the other ($K_1$) on the subnet of AR1. Unlike the previous schemes [8–10] based on the interaction with AAA, the MN generates and distributes $K_1$ proactively to AR1 before it moves from AR0 to AR1. Furthermore, the L2 key (PMK1) can be derived from $K_1$ on the subnet of AR1 and pushed into new AP1 attached to AR1, so that the IEEE 802.1x-EAP can be skipped.

Since a new L3 key ($K_1$) to be used after handover is predistributed to AR1 by the MN, it is important to guarantee that a compromise of the current L3 key ($K_0$) does not induce that of the future L3 key ($K_1$); namely, the domino effect should be suppressed. For this purpose, double public-key encryptions are applied to $K_1$ before distribution: the one with the public key of AR1 and the other with that of AR0. In our proposed protocol, the authenticity of the public key of AR1 is protected by $K_0$. However, if $K_0$ is compromised, $K_1$ can also be exposed to an adversary. Therefore, it is also protected by the public key of AR0, which has been provided to the MN during the previous handover session.

An IPv6 address of the MN on the subnet of AR$_i$ is formed as $CoA_i$ (= $Prefix_i \,\|\, IID_i$), where $IID_i$ is a 64-bit interface identifier. There are two ways of configuring IID: the typical one is based on the L2 address of the MN, and the other is using a random number as IID. In our proposed protocol, we also use the random number, but in a slightly different way. It is derived as follows: $IID_i = h_{64}(r_i)$, based on a random number $r_i$ selected by the MN. When moving from AR$_i$ to AR$_{i+1}$, the MN should reveal the random number $r_i$ to prove that $CoA_i$ was generated and owned by the MN. So, $CoA_i$ plays a role of a commitment. A main reason to use this mechanism is to defend against a session hijacking attack when the current L3 key is compromised.
3.2. Initial Network Access Protocol. When the MN initially associates with AP0 to access the network service (❶ in Figure 2), it performs full IEEE 802.1x-EAP authentication with the AAA (❷ in Figure 2). As a result, the MSK0 is shared between them, and the information (AR0 and $ePK_{AR0}$) for the default router of the MN is passed to the MN. Subsequently, the AAA derives two L3 keys, IK and $K_0$, which are truncated from MSK0, and transports them with $MN_{NAI}$ securely to the default router, where $MN_{NAI}$ is the Network Access Identifier (NAI) of the MN. IK is an initial L3 configuration key, while $K_0$ is an L3 handover key based on which an L2 key (PMK0) is also derived. Then, AR0 pushes $PMK_0 = kdf(K_0, MN, AP_0)$ into AP0 (❸ in Figure 2).

MN and AP0 denote the L2 addresses of the MN and AP0, while AR0 denotes the L3 addresses of AR0. The 4-way Handshake based on the PMK0 is executed between the MN and AP0 in order for the MN to attach to a subnet of AR0 (subnet0) through AP0 (❹ in Figure 2). Finally, the MN performs an L3 configuration to check whether its IPv6 care-of-address, CoA0, is duplicate on the subnet of AR0:

$$\begin{aligned}
\mathrm{MN} \rightarrow \mathrm{AR}_0 &: \mathit{RtSol},\ R_{MN},\ MN_{NAI},\ MAC(IK) \\
\mathrm{MN} \leftarrow \mathrm{AR}_0 &: \mathit{RtAdv},\ R_{MN},\ R_0,\ \mathit{Prefix}_0,\ MAC(IK) \\
\mathrm{MN} \rightarrow \mathrm{AR}_0 &: \mathit{Conf},\ R_0,\ \mathit{CoA}_0,\ MAC(IK)
\end{aligned} \tag{3}$$

The MN sends a Router Solicitation (RtSol) message to AR0. Based on $MN_{NAI}$, AR0 can retrieve IK and can respond to the RtSol message by sending a Router Advertisement (RtAdv) message. The RtAdv message contains the subnet prefix of AR0, Prefix0, from which the MN configures CoA0 (= $Prefix_0 \,\|\, IID_0$), and the MN then sends a Configuration (Conf) message, where the interface identifier $IID_0 = h_{64}(r_0)$ is computed based on a random number $r_0$ generated by the MN. If CoA0 is verified to be unique on the subnet, the initial network access protocol is successfully terminated. Eventually, (CoA0, $K_0$) is stored into the neighbor cache of AR0.
3.3. Proposed Secure Handover Procedure. Suppose an L2 handover accompanying an L3 handover occurs from AP0 to AP1. A sequence of signaling messages is shown in Figure 3, where the L3 key, $K_0$, at the subnet0 has already been shared between the MN and AR0 as a result of a previous handover process or an initial network access. After receiving the RtSolPr message, AR0 responds by sending a PrRtAdv message with a subnet prefix of AR1 (Prefix1) and the public key of AR1 ($ePK_{AR1}$):

$$\mathrm{MN} \rightarrow \mathrm{AR}_0 : \mathit{RtSolPr},\ R_{MN},\ MAC(K_0) \tag{4}$$

$$\mathrm{MN} \leftarrow \mathrm{AR}_0 : \mathit{PrRtAdv},\ R_{MN},\ R_0,\ \mathit{Prefix}_1,\ ePK_{AR1},\ MAC(K_0) \tag{5}$$

$$\mathrm{MN} \rightarrow \mathrm{AR}_0 : \mathit{FBU},\ R_0,\ \mathit{CoA}_1,\ [\,r_0,\ [\mathit{CoA}_1,\ K_1]_{ePK_{AR1}}\,]_{ePK_{AR0}},\ MAC(K_0) \tag{6}$$

After configuring CoA1 (= $Prefix_1 \,\|\, IID_1$), where $IID_1 = h_{64}(r_1)$ is computed based on a random number $r_1$, the MN generates a new L3 key, $K_1$, and sends an FBU message to AR0 (ⓐ in Figure 3). Since $K_1$ is to be shared with AR1, it is first encrypted with the public key of AR1, $ePK_{AR1}$, and subsequently encrypted with the public key of AR0, $ePK_{AR0}$. When receiving the FBU message, AR0 first obtains $r_0$, $[CoA_1, K_1]_{ePK_{AR1}}$ after decryption in order to check if $h_{64}(r_0)$ is equal to IID0 of CoA0. If not, the message is proven to be not sent from the MN whose IPv6 address is CoA0, and the handover protocol is aborted. Otherwise, the L3 key, $K_0$, is eventually passed to the target AR1 for the purpose of sharing it with the MN at the subnet1. A reason to encrypt $K_1$ twice is to defend against an L3 key compromise attack, which will be discussed further in Section 4.3. Consider

$$\begin{aligned}
&\text{A secure channel between AR}_0 \text{ and AR}_1: \\
&\qquad \mathit{HI},\ \mathit{CoA}_0,\ \mathit{CoA}_1,\ [\mathit{CoA}_1,\ K_1]_{ePK_{AR1}} \\
&\qquad \mathit{Hack} \\
&\mathrm{MN} \leftarrow \mathrm{AR}_0 : \mathit{FBack},\ MAC(K_0) \\
&\mathrm{MN} \rightarrow \mathrm{AR}_1 : \mathit{UNA},\ MAC(K_1)
\end{aligned} \tag{7}$$

[Figure 2: Proposed initial network access protocol. (L2 connection) ❶ (L2) association with AP0; ❷ (L2) 802.1x-EAP authentication with AAA, after which (i) (AR0, $ePK_{AR0}$) is passed to MN, (ii) MSK0 is shared between MN and AAA, and (iii) IK and $K_0$ are shared between MN and AR0; ❸ (L2) L2 key (PMK0) distribution; ❹ (L2) 4-way handshake with AP0; connected to AP0; (L3 configuration) the RtSol, RtAdv, and Conf messages of (3).]

[Figure 3: Proposed secure handover protocol. (L3) request to tunnel: RtSolPr, PrRtAdv, FBU; (L3) tunnel establishment: HI, Hack, FBack; $K_1$ is shared between MN and AR1; L2 key distribution (PMK1); disconnected from AP0; (L2) association/authentication: ❶ reassociation with AP1, ❷ 4-way handshake with AP1; connected to AP1; (L3) request to forward: UNA.]
The target router AR1obtains 119870
1through the HI message
after decryption and 1198701will be used to derive the L2 key
1198751198721198701
= 119896119889119891(1198701119872119873119860119875
1) and to secure the future L3
handover AR1pushes PMK
1into AP
1
After reassociating with AP1(e in Figure 3) the MN
performs a 4-wayHandshake (f in Figure 3) based on PMK1
without IEEE 8021x-EAP authentication with the AAASubsequently theMN sends anUNAmessage to request AR
1
to deliver the buffered packets forwarded from AR0( in
Figure 3) (CoA11198701) is finally stored into the neighbor cache
of AR1
4. Security Analysis and Comparisons

4.1. Comparison of Key Management Schemes. In this section, three key management schemes are compared: security-enhanced IEEE 802.11-based FMIPv6 [8, 9], Integrated Scheme [10], and our proposed scheme, which are denoted as Schemes 1, 2, and 3, respectively. In case of Scheme 1, the security mechanisms [8, 9] to secure the L3 signaling messages are added to the original IEEE 802.11-based FMIPv6 [5]. However, there is no key management, in that both L3 and L2 keys are separately generated and maintained, meaning that IEEE 802.1x-EAP authentication (see Figure 4(a)) should be performed on each L3 handover. A method to integrate the L3 key with the L2 key has been proposed in Scheme 2. Before the MN moves to a new AP attached to the target subnet AR$_1$, it requests the AAA to transport a new L3 key ($K_1$) to AR$_1$, and then a new L2 key (PMK$_1$) derived from it is pushed into AP$_1$ (see Figure 4(b)). But the interaction with the AAA cannot be skipped either during the L3 handover. On the other hand, in the proposed scheme (Scheme 3) of Figure 4(c), IEEE 802.1x-EAP authentication is performed only once during the initial network access in Figure 1. During a handover from AR$_0$ to AR$_1$, a new L3 key is sent to AR$_1$ via AR$_0$. Therefore, both the MN and AR$_1$ share $K_1$, which can be used to secure L3 signaling messages and to derive a new L2 key (PMK$_1$) in the target subnet. Since $K_1$ is proactively distributed to AR$_1$ before the MN moves from AR$_0$ to AR$_1$, the MN can perform a 4-way Handshake immediately after reassociating with AP$_1$ (see Figure 4(c)).

Figure 4: Comparison of key management schemes. (a) Scheme 1. (b) Scheme 2. (c) Scheme 3.
4.2. Replay and Redirection Attacks. In order to guarantee the freshness of FMIPv6 signaling messages, to be precise, to protect from a replay attack, challenge-response authentication based on the random numbers ($R_{\mathrm{MN}}$ and $R_0$) is employed for our proposed scheme. A scenario to which the replay attack is applied is as follows: the MN is attached again to AR$_0$ at handover session $i$, while it has been attached to the same AR$_0$ at handover session $j$ ($i > j$). Suppose the MN has moved to AR$_1$ during the handover session $j$ and plans now to move to AR$_2$ during the handover session $i$. In this case, an adversary can try to replay the FMIPv6 signaling messages used during the handover session $j$ to redirect the traffic for the MN. However, the replay attack is not successful due to both nonce values and the L3 key, which is unique for each handover session.
4.3. Compromised L3 Key and Session Hijacking Attack. A case of the L3 key compromise is considered in this section. We show that our proposed scheme is secure against a session hijacking attack through redirection even though the current L3 key, $K_0$ of (5) and (6), is exposed to an adversary. To protect the FBU message in Section 3.3, our proposed security scheme employs two public-key encryptions with $ePK_{\mathrm{AR}_0}$ and $ePK_{\mathrm{AR}_1}$ as in (5) and (6).

The MN obtains the public key of AR$_0$ ($ePK_{\mathrm{AR}_0}$) as a result of an initial network access or a previous L3 handover, while the public key of AR$_1$ ($ePK_{\mathrm{AR}_1}$) is passed to the MN by AR$_0$.
4.3.1. Session Hijacking by Redirection Attack. Suppose an adversary $A_{(\mathrm{MN})}$ disguising a victim MN knows the current L3 key $K_0$ and starts an L3 handover as follows:

$$A_{(\mathrm{MN})} \rightarrow \mathrm{AR}_0 : \mathit{RtSolPr},\ R^{*}_{\mathrm{MN}},\ \mathit{MAC}(K_0) \tag{11$'$}$$

$$A_{(\mathrm{MN})} \leftarrow \mathrm{AR}_0 : \mathit{PrRtAdv},\ R^{*}_{\mathrm{MN}},\ R_0,\ \mathit{Prefix}_1,\ ePK_{\mathrm{AR}_1},\ \mathit{MAC}(K_0) \tag{12$'$}$$

$$A_{(\mathrm{MN})} \rightarrow \mathrm{AR}_0 : \mathit{FBU},\ R_0,\ \mathit{CoA}^{*}_1,\ \big[r^{*}_0,\ [\mathit{CoA}^{*}_1, K_1]_{ePK_{\mathrm{AR}_1}}\big]_{ePK_{\mathrm{AR}_0}},\ \mathit{MAC}(K_0) \tag{13$'$}$$

$R^{*}_{\mathrm{MN}}$, $\mathit{CoA}^{*}_1$, and $r^{*}_0$ are generated by $A_{(\mathrm{MN})}$, which tries to hijack the current traffic for the MN (CoA$_0$) and forward it to $A_{(\mathrm{MN})}$ ($\mathit{CoA}^{*}_1$). When receiving the FBU message, AR$_0$ obtains $r^{*}_0$ after decryption and verifies if IID$_0$ of the source IPv6 address (CoA$_0$) is identical to $h_{64}(r^{*}_0)$. If the verification is not successful, the protocol stops. Since $h_{64}(\cdot)$ is based on a one-way hash function and the $r_0$ used to derive IID$_0$ is known only to the MN, all the adversary can do is attempt to guess $r_0$ (the probability of $r_0 = r^{*}_0$ is $2^{-64}$). Since CoA$_0$ is valid only on the subnet$_0$ and keeps changing as the MN moves, the probability is negligible enough to defend against such an attack.
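The AR$_0$-side checks of Section 3.3, the nonce check of Section 4.2 and the guess-$r_0$ argument above can be exercised in a short Python model; this is an added example, not code from the paper. SHA-256 for $h$, HMAC-SHA256 for MAC and kdf, the field encoding, the CoA layout (64-bit prefix followed by the 64-bit IID), the 2001:db8 prefixes and all names are assumptions, and public-key encryption is not modelled: AR$_0$ is handed the fields it would recover after decrypting with its private key.

```python
# Added illustration, not the paper's code. Hash, MAC, kdf, encodings and
# all function/class names are assumptions made for this sketch.
import hashlib
import hmac
import ipaddress
import secrets


def h64(r: bytes) -> bytes:
    """h64(.): 64-bit truncation of a one-way hash (SHA-256 assumed)."""
    return hashlib.sha256(r).digest()[:8]


def make_coa(prefix: str, r: bytes) -> ipaddress.IPv6Address:
    """Build a CoA from a /64 prefix and IID = h64(r)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 subnet prefix")
    return net.network_address + int.from_bytes(h64(r), "big")


def mac(key: bytes, *fields: bytes) -> bytes:
    """MAC(K) over the preceding fields; each field is length-prefixed so
    that field boundaries cannot be shifted (encoding is an assumption)."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        m.update(len(f).to_bytes(2, "big") + f)
    return m.digest()


def kdf_pmk(k_l3: bytes, mn_id: bytes, ap_id: bytes) -> bytes:
    """PMK_i = kdf(K_i, MN, AP_i); the kdf construction is an assumption."""
    return mac(k_l3, b"PMK", mn_id, ap_id)


def build_fbu(k0, r0_nonce, coa1, r, inner):
    """FBU fields as AR0 sees them after removing the ePK_AR0 layer."""
    tag = mac(k0, b"FBU", r0_nonce, coa1.packed, r, inner)
    return {"R0": r0_nonce, "CoA1": coa1, "r0": r, "inner": inner, "mac": tag}


class AR0:
    """Previous access router: neighbor cache plus one outstanding R0 per CoA."""

    def __init__(self):
        self.neighbor_cache = {}  # CoA0 -> K0
        self.nonce = {}           # CoA0 -> R0 sent in PrRtAdv

    def send_prrtadv(self, coa0):
        self.nonce[coa0] = secrets.token_bytes(16)
        return self.nonce[coa0]

    def handle_fbu(self, src, fbu):
        k0 = self.neighbor_cache.get(src)
        if k0 is None:
            return "reject: unknown CoA"
        want = mac(k0, b"FBU", fbu["R0"], fbu["CoA1"].packed,
                   fbu["r0"], fbu["inner"])
        if not hmac.compare_digest(want, fbu["mac"]):
            return "reject: bad MAC"
        if not hmac.compare_digest(self.nonce.get(src, b""), fbu["R0"]):
            return "reject: stale nonce"
        # Ownership check from Section 3.3: h64(r0) must equal IID0 of CoA0.
        if not hmac.compare_digest(h64(fbu["r0"]), src.packed[8:]):
            return "reject: r0 does not match IID0"
        del self.nonce[src]  # R0 is single use
        return "accept"      # AR0 would now forward `inner` to AR1 in HI


def demo():
    ar0 = AR0()
    r0, k0 = secrets.token_bytes(16), secrets.token_bytes(32)
    coa0 = make_coa("2001:db8:0:a::/64", r0)  # constructed sample prefix
    ar0.neighbor_cache[coa0] = k0
    k1 = secrets.token_bytes(32)
    coa1 = make_coa("2001:db8:0:b::/64", secrets.token_bytes(16))
    inner = b"opaque [CoA1, K1] under ePK_AR1"  # encryption not modelled

    fbu = build_fbu(k0, ar0.send_prrtadv(coa0), coa1, r0, inner)
    out = {"legit": ar0.handle_fbu(coa0, fbu)}

    ar0.send_prrtadv(coa0)  # a later session gets a fresh R0
    out["replay"] = ar0.handle_fbu(coa0, fbu)

    # Sender holds the compromised K0 and a fresh R0, but has to guess r0.
    coa_star = make_coa("2001:db8:0:b::/64", secrets.token_bytes(16))
    forged = build_fbu(k0, ar0.send_prrtadv(coa0), coa_star,
                       secrets.token_bytes(16), b"opaque [CoA1*, K1]")
    out["hijack"] = ar0.handle_fbu(coa0, forged)

    # The L2 key is bound to the AP identity: another AP gets a different PMK.
    out["pmk_bound_to_ap"] = kdf_pmk(k1, b"mn", b"ap1") != kdf_pmk(k1, b"mn", b"ap2")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A valid MAC under the compromised $K_0$ gets the forged FBU past the first two checks, so the rejection comes only from the $h_{64}(r_0)$ comparison, which is why $r_0$ must stay inside the $ePK_{\mathrm{AR}_0}$ layer.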
4.3.2. Session Hijacking by Man-in-the-Middle Attack. Suppose an adversary $A_{(\mathrm{MN})}$ knows the current L3 key $K_0$, and the victim MN starts an L3 handover to request AR$_0$ to forward its traffic to CoA$_1$. To see why the public-key encryption with $ePK_{\mathrm{AR}_0}$ is required, (6) is modified into (13$''$):

$$\mathrm{MN} \rightarrow \mathrm{AR}_0 : \mathit{FBU},\ R_0,\ \mathit{CoA}_1,\ r_0,\ [\mathit{CoA}_1, K_1]_{ePK_{\mathrm{AR}_1}},\ \mathit{MAC}(K_0) \tag{13$''$}$$

Then the adversary can mount a man-in-the-middle attack as follows:

$$\mathrm{MN} \rightarrow \mathrm{AR}_0 : \mathit{RtSolPr},\ R_{\mathrm{MN}},\ \mathit{MAC}(K_0) \tag{8}$$

$$A_{(\mathrm{MN})} \leftarrow \mathrm{AR}_0 : \mathit{PrRtAdv},\ R_{\mathrm{MN}},\ R_0,\ \mathit{Prefix}_1,\ ePK_{\mathrm{AR}_1},\ \mathit{MAC}(K_0) \tag{9}$$

$$\mathrm{MN} \leftarrow A_{(\mathrm{MN})} : \mathit{PrRtAdv},\ R_{\mathrm{MN}},\ R_0,\ \mathit{Prefix}_1,\ ePK^{*}_{\mathrm{AR}_1},\ \mathit{MAC}(K_0) \tag{10}$$

$$\mathrm{MN} \rightarrow A_{(\mathrm{MN})} : \mathit{FBU},\ R_0,\ \mathit{CoA}_1,\ r_0,\ [\mathit{CoA}_1, K_1]_{ePK^{*}_{\mathrm{AR}_1}},\ \mathit{MAC}(K_0) \tag{11}$$

$$A_{(\mathrm{MN})} \rightarrow \mathrm{AR}_0 : \mathit{FBU},\ R_0,\ \mathit{CoA}^{*}_1,\ r_0,\ [\mathit{CoA}^{*}_1, K_1]_{ePK_{\mathrm{AR}_1}},\ \mathit{MAC}(K_0) \tag{12}$$

Namely, $A_{(\mathrm{MN})}$, observing between the MN and AR$_0$, modifies $ePK_{\mathrm{AR}_1}$ of (9) into $ePK^{*}_{\mathrm{AR}_1}$ of (10) generated by $A_{(\mathrm{MN})}$ so that $A_{(\mathrm{MN})}$ can obtain a new L3 key $K_1$ and hijack the traffic for CoA$_1$ for the purpose of forwarding it to $\mathit{CoA}^{*}_1$. Eventually, the connection with AR$_1$ is turned over to $A_{(\mathrm{MN})}$. On the other hand, if (6) is used instead of (13$'$), (11) and (12) are changed into (19$'$) and (20$'$), respectively:

$$\mathrm{MN} \rightarrow A_{(\mathrm{MN})} : \mathit{FBU},\ R_0,\ \mathit{CoA}_1,\ \big[r_0,\ [\mathit{CoA}_1, K_1]_{ePK^{*}_{\mathrm{AR}_1}}\big]_{ePK_{\mathrm{AR}_0}},\ \mathit{MAC}(K_0) \tag{19$'$}$$

$$A_{(\mathrm{MN})} \rightarrow \mathrm{AR}_0 : \mathit{FBU},\ R_0,\ \mathit{CoA}_1,\ \big[r_0,\ [\mathit{CoA}_1, K_1]_{ePK^{*}_{\mathrm{AR}_1}}\big]_{ePK_{\mathrm{AR}_0}},\ \mathit{MAC}(K_0) \tag{20$'$}$$

When intercepting (19$'$), $A_{(\mathrm{MN})}$ cannot modify CoA$_1$ or obtain $K_1$ since they are encrypted with $ePK_{\mathrm{AR}_0}$. Therefore, when receiving $[\mathit{CoA}_1, K_1]_{ePK^{*}_{\mathrm{AR}_1}}$ through the HI message, AR$_1$ aborts the current protocol since it cannot be decrypted with $ePK_{\mathrm{AR}_1}$. Therefore, a compromise of the current L3 key does not induce that of the future L3 key.
4.4. Security Comparisons. Table 1 shows security comparisons (Schemes 1, 2, and 3), including the key management comparisons discussed in Section 4.1. It has been shown that our proposed scheme is secure against the session hijacking attack in case of the L3 key compromise. Scheme 1 is also secure since the L3 key is always generated and shared as a result of 802.1x-EAP protocol. However, Scheme 2 ((2) in Section 2.3) is not secure when the L3 key is compromised. Suppose $K_0$ is exposed to an adversary $A_{(\mathrm{MN})}$ and (13) can be observed from the previous handover session:

Previous handover session with L3 key $K_X$:

$$\mathrm{MN} \rightarrow \mathrm{AR}_0 : [K_0]_{\mathit{MSK}},\ R_{\mathrm{MN}},\ \mathit{MAC}(\mathit{MSK}),\ \mathit{MAC}(K_X) \tag{13}$$

Current handover session with L3 key $K_0$ (compromised):

$$A_{(\mathrm{MN})} \rightarrow \mathrm{AR}_0 : [K_0]_{\mathit{MSK}},\ R_{\mathrm{MN}},\ \mathit{MAC}(\mathit{MSK}),\ \mathit{MAC}(K_0) \tag{14}$$

In this case, if the adversary replays a part of (13) as in (14) with the compromised L3 key $K_0$, then the adversary can share the same L3 key with a new AR so that the adversary can hijack the current session.
4.5. AAA Issues for Security and Billing. FMIPv6 can support handover across different administrative domains. As mentioned before, if the two ARs belong to two different administrative domains, there should be a prior roaming agreement between them for security and billing. Typically, the accounting data (information about MN's resource consumption) collected by the network devices in the visiting domain is carried by the accounting protocol to the home domain. FMIPv6 over IEEE 802.11 is followed by the MIPv6 BU (Binding Update) protocol, whose role is to inform MN's HA (Home Agent) of the current AR. There are two service providers, Network Access Service Provider (NSP) and Mobility Service Provider (MSP), in the MIPv6 bootstrapping environment [15]. The IEEE 802.11-based FMIPv6 service can be provided by the NSP offering a basic network access service to MN, while the MIPv6 BU service is provided by the MSP. So when the MIPv6 BU protocol is initiated, MSP's authorizer (AAA) will interact with the MN and AR, which is beyond the scope of this paper.
5. Performance Analysis and Comparison

In this section, the three handover latencies from the previous schemes (Schemes 1 and 2) and from the proposed scheme (Scheme 3) are compared. We first describe the analytical mobility model for the performance evaluation, and then we analyze and compare the handover costs and the numeric results of the analysis.

Table 1: Security comparisons.

| | Scheme 1 [8] | Scheme 1 [9] | Scheme 2 [10] | Scheme 3 [proposed one] |
|---|---|---|---|---|
| L3/L2 key management | None | None | Yes | Yes |
| Interaction with AAA | Required | Required | Required | Not required |
| L3 key generation | by AR | by MN | by MN | by MN |
| L2 key generation | 802.1x-EAP | 802.1x-EAP | from L3 key | from L3 key |
| Protection for UNA | None | Provided | Provided | Provided |
| Security attack due to L3 key compromise | Secure | Secure | Insecure | Secure |
5.1. Analytical Mobility Model. For the sake of simplicity, a square-shaped network model is used to analyze and compare the performance of the protocol under the three different schemes. In the square-shaped network model, coverage of the entire administrative domain and that of each AP are all square-shaped, and $N$ APs are uniformly distributed over the area of the administrative FMIPv6 domain. Figure 5 shows the square-shaped mobility model, where the bold lines indicate the boundary of the subnet consisting of 4 APs (AP$_{01}$, AP$_{02}$, AP$_{03}$, and AP$_{04}$) connected to AR$_0$.

The handover procedure is performed by the MN between ARs and APs. Hence, the handover rate is closely related to the mobility pattern of MN. The Fluid Flow (FF) model is widely used to analyze issues related to cell boundary crossing, such as a handover [16]. The FF model is suitable for MNs with a static speed and direction of motion. We adapt the FF model for use as the mobility model. Let $l$ and $L$ denote the perimeter of each AP and AR, while $v$ and $p$, respectively, denote the average velocity and density of MN. The MNs are uniformly distributed with a density $p$, and they move at an average velocity of $v$ in directions that are uniformly distributed over $[0, 2\pi]$. In the next analysis, $v$ is varied from 0.1 m/s to 5 m/s and $p$ is set to 0.0002 MNs/m$^2$ (200 MNs per km$^2$). Let $R_c$ and $R_d$ be the crossing rates over the coverage of each AP and AR, respectively. They are then defined as follows:

$$R_c = \frac{p\,v\,l}{\pi}, \qquad R_d = \frac{p\,v\,L}{\pi} \quad (\text{where } L = l\sqrt{N}) \tag{15}$$
5.2. Handover Cost Analysis and Numerical Results. In IEEE 802.11-based FMIPv6, an MN performs L2 and L3 handover procedures. When an MN changes its current address to a new AR, the MN performs an L3 handover procedure. On the other hand, if an MN changes its current AP to another one connected to the same AR, then the MN performs an L2 handover procedure. In this section, the average handover cost per MN is defined as the sum of the cost of the L3 handover and the cost of the L2 handover per unit time in order to provide results for the performance comparison. Let $A_j$ be the average handover cost per MN in unit of time, and let $I_j$ and $H_j$ be the L3 handover cost and the L2 handover cost for Scheme $j$ (= 1, 2, 3), respectively. $I_j$ and $H_j$ are defined as the sum of the signaling cost $S_j$ and the processing cost $P_j$ for the L3 and L2 handovers, respectively. Based on (15), the average handover cost per MN, $A_j$, can be calculated as follows [16], where $W_{\mathrm{AR}}$ is the area of an AR domain:

$$A_j = \frac{R_d \cdot I_j + (N \cdot R_c - R_d) \cdot H_j}{p \cdot W_{\mathrm{AR}}} \quad (\text{where } I_j\,(H_j) = S_j + P_j) \tag{16}$$

Figure 5: Square-shaped mobility model ($N = 4$). Legend: APs (L2 handover occurs); ARs (L2, L3 handover occurs).
The parameter descriptions and values for the performance comparison, referenced from [16], are defined in Table 2. Note that the values other than $p$, $v$, $l$, and $N$ are defined "relatively" for the purpose of this comparison, so the handover cost does not indicate the actual authentication delay for the corresponding scheme.

Using the parameters in Table 2, the L2 and L3 handover costs and the average handover cost can be calculated based on (17). The $P_{j\mathrm{MN}}$, $P_{j\mathrm{AP}}$, $P_{j\mathrm{AR}_0}$, $P_{j\mathrm{AR}_1}$, and $P_{j\mathrm{AAA}}$ indicate the processing costs on MN, AP, AR$_0$, AR$_1$, and AAA, respectively, of Scheme $j$, and each of them is also calculated from the cost of cryptographic operations such as $C_{\mathrm{key}}$ and $C_{\mathrm{hash}}$. Let the number of hops between any two relatively close network devices (such as MN-to-AP, AP-to-AP, and AR-to-AR) be 1. $a_{ji}$ and $b_{jk}$ are specific coefficients of Scheme $j$.

$$\begin{aligned}
P_j &= \sum_{i \in Q} a_{ji} P_{ji}, \quad \text{where } Q = \{\mathrm{MN}, \mathrm{AP}, \mathrm{AR}_0, \mathrm{AR}_1, \mathrm{AAA}\}, \\
S_j &= C_{\mathrm{hop}} \left[ C_{\mathrm{wireless}} + C_{\mathrm{wired}} \left( b_{j1} + b_{j2} D_{\text{AP-AAA}} + b_{j3} D_{\text{AP-AR}} \right) \right]
\end{aligned} \tag{17}$$

Table 2: Parameters for evaluation.

| Symbol | Description | Value |
|---|---|---|
| $p$ | Density in a cell (MNs/m$^2$) | 0.0002 MNs/m$^2$ |
| $v$ | Average velocity of an MN (m/s) | 5 m/s (0.1~5) |
| $l$ | Perimeter of AP's coverage (m) | 120 m |
| $N$ | Number of APs in an AR | 5 APs (1~10) |
| $C_{\mathrm{enc}}$, $C_{\mathrm{dec}}$ | Encryption cost/decryption cost | 1 |
| $C_{\mathrm{key}}$ | Key generation cost | 1 |
| $C_{\mathrm{int}}$ | Message integrity code cost | 0.25 |
| $C_{\mathrm{hash}}$ | Hash cost | 0.25 |
| $C_{\mathrm{kdf}}$ | KDF cost | 0.25 |
| $C_{\mathrm{rand}}$ | Random number generation cost | 0.25 |
| $C_{\mathrm{hop}}$ | Transmission cost on the hop | 10 |
| $C_{\mathrm{pub}}$ | Public key operation cost | 10 |
| $C_{\mathrm{wired}}$ | Unit of transmission cost for a wired link | 1 |
| $C_{\mathrm{wireless}}$ | Unit of transmission cost for a wireless link | 15 |
| $D_{\text{AP-AAA}}$ | Number of hops between AP and AAA | 10 |
| $D_{\text{AP-AR}}$ | Number of hops between AP and AR | 2 |
The handover cost of each scheme evaluated according to Table 2 is shown in Figure 6. Figure 6(a) compares the L3 handover costs of the three schemes. It can be observed that the main contributor to the handover cost is the signaling cost $S_j$, and the handover cost of the previous schemes is larger than that of the proposed scheme as a result of the difference in when the interaction between the MN and AAA is required. Figure 6(b) shows the average handover cost per MN as the average velocity of the MN increases. The density of MN, $p$, is set to 0.0002, the number of APs in an AR, $N$, is set to 5, and the velocity of an MN varies from 0.1 m/s to 5 m/s. The average handover cost for the three schemes increases as the velocity increases. Figure 6(c) shows the impact the number of APs in an AR has on the average handover cost per MN. The density of MN, $p$, is set to 0.0002 and the velocity of an MN, $v$, is set to 5. The average handover cost decreases as the number of APs in an AR increases.

As we can see from Figures 6(a), 6(b), and 6(c), the proposed scheme is much more, or slightly more, efficient than the previous schemes. Figure 6(d) shows the impacts that the velocity of MN and the number of APs in an AR have on the average handover cost for the proposed scheme. The average handover cost increases rapidly as the velocity of MN increases. However, the average handover cost decreases gradually as the number of APs in an AR increases. Therefore, the velocity of MN, rather than the number of APs in an AR, is a more important factor to consider in order to achieve an efficient handover.
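The trends reported for Figure 6 can be read off (16) once (15) is substituted. The following worked step is added here and is not part of the paper; it assumes, from the square-shaped model, that an AP cell of perimeter $l$ has area $(l/4)^2$, so that $W_{\mathrm{AR}} = N l^2 / 16$ (consistent with $L = l\sqrt{N}$).

$$R_d = \frac{p\,v\,l\sqrt{N}}{\pi}, \qquad N R_c - R_d = \frac{p\,v\,l}{\pi}\left(N - \sqrt{N}\right)$$

$$A_j = \frac{\dfrac{p\,v\,l}{\pi}\left[\sqrt{N}\, I_j + \left(N - \sqrt{N}\right) H_j\right]}{p \cdot \dfrac{N l^2}{16}} = \frac{16\,v}{\pi\,l}\left[\frac{I_j}{\sqrt{N}} + \left(1 - \frac{1}{\sqrt{N}}\right) H_j\right]$$

Under this assumption $A_j$ is linear in $v$, does not depend on $p$, and decreases with $N$ whenever $I_j > H_j$, approaching the L2-only value $16\,v\,H_j / (\pi\,l)$ for large $N$.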
6. Conclusions

We have designed a key management and security scheme to enhance L2/L3 handover security and to reduce the authentication delay induced by the L3 handover. The proposed scheme is based on the original IEEE 802.11-based FMIPv6, where first, based on the security assumptions, an initial network access protocol has been proposed to bootstrap the security associations among the network entities. Second, a cross-layer key management process has been introduced to integrate the L2 key with the L3 key. Namely, the L3 key can be judiciously employed to derive the L2 key so that the time-consuming IEEE 802.1x-EAP authentication with the AAA can be skipped. Third, a method for protecting the seven L3 signaling messages has been proposed, as well as a scheme to securely transport the L3 key to the target AR. In particular, the case of a compromised L3 key has been considered, for which, even though the L3 key at the subnet of the current AR is compromised, an adversary with the compromised L3 key cannot perform any kind of redirection attack. In other words, a domino effect can be suppressed. FMIPv6 over IEEE 802.11 is followed by the MIPv6 BU (Binding Update) protocol, which involves an interaction with the AAA of the MSP. In the integrated scenario of MIPv6 bootstrapping, the MSP plays the role of the NSP, while the MSP and NSP are two distinct service providers in the split scenario. As a follow-up to the current research, the AAA issues for security and billing will be investigated further, considering both the split and integrated scenarios for MIPv6 bootstrapping.
Figure 6: Numerical results. (a) L3 handover cost per entity (MN, AP, AR$_0$, AR$_1$, AAA, $P_j$, $S_j$). (b) Average handover cost versus velocity of MN (m/s) ($N = 5$). (c) Average handover cost versus number of APs in an AR ($N$) ($v = 5$). (d) Average handover cost of proposed scheme versus number of APs in an AR ($N$). Legend for (a) to (c): Scheme 1 [8, 9], Scheme 2 [10], Scheme 3 [proposed].
Notations

$\mathit{MAC}(K)$: Message authentication code computed over all preceding message fields using a symmetric key $K$
$[m]_K$: Encryption of $m$ using symmetric key $K$
$\mathit{kdf}(\cdot)$: Key derivation function
$R_X$: Random number generated by $X$ ($X$ = MN, 0 for AR$_0$, 1 for AR$_1$)
$\mathit{Nonce}$: Nonce parameter
$h(\cdot)$: One-way hash function
$h_{64}(\cdot)$: 64-bit truncation from the output of $h(\cdot)$
$K_i$: L3 key shared between MN and AR$_i$
$\mathit{PMK}_i$: L2 key shared between MN and AP$_i$
$PK_X$, $SK_X$: A pair of public and private keys of $X$ used for the signature
$ePK_X$, $eSK_X$: A pair of public and private keys of $X$ used for the encryption
$\mathit{Sig}(SK_X)$: A digital signature based on the signing private key $SK_X$ covering all preceding message fields
$[m]_{ePK_X}$: Encryption of $m$ with the public key $ePK_X$ of $X$ ($X$ = MN, 0 for AR$_0$, 1 for AR$_1$)
Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This research was supported by the Employment Contract based Master Degree Program for Information Security supervised by the KISA (Korea Internet Security Agency) and also supported by the MSIP (Ministry of Science, ICT and Future Planning), Republic of Korea, under the CPRC (Communications Policy Research Center) Support Program supervised by the KCA (Korea Communications Agency) (KCA-2013-003).
References

[1] R. Koodli, "Mobile IPv6 fast handovers," RFC 5268, 2008.
[2] C. Perkins, D. Johnson, and J. Arkko, "Mobility support in IPv6," RFC 6725, 2011.
[3] IEEE 802.11, Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, IEEE Standard, 2012.
[4] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, and H. Levkowetz, "Extensible authentication protocol (EAP)," RFC 3748, 2004.
[5] P. McCann, "Mobile IPv6 fast handovers for 802.11 networks," RFC 4260, 2005.
[6] Y. Song, M. Liu, Z. Li, and Q. Li, "Handover latency of predictive FMIPv6 in IEEE 802.11 WLANs: a cross layer perspective," in Proceedings of the 18th International Conference on Computer Communications and Networks (ICCCN '09), pp. 1–6, San Francisco, Calif, USA, August 2009.
[7] M. Alnas, I. Awan, and R. D. W. Holton, "Performance evaluation of fast handover in mobile IPv6 based on link-layer information," Journal of Systems and Software, vol. 83, no. 10, pp. 1644–1650, 2010.
[8] J. Kempf and R. Koodli, "Distributing a symmetric fast mobile IPv6 handover key using secure neighbor discovery," RFC 5269, 2008.
[9] C.-S. Park, "Security-enhanced fast mobile IPv6 handover," IEICE Transactions on Communications, vol. E93-B, no. 1, pp. 178–181, 2010.
[10] J. Choi and S. Jung, "An integrated handover authentication for FMIPv6 over heterogeneous access link technologies," Wireless Personal Communications, vol. 71, no. 2, pp. 839–856, 2013.
[11] L. Xu, Y. He, X. Chen, and X. Huang, "Ticket-based handoff authentication for wireless mesh networks," Computer Networks, vol. 73, pp. 185–194, 2014.
[12] R. Singh and T. P. Sharma, "A key hiding communication scheme for enhancing the wireless LAN security," Wireless Personal Communications, vol. 77, no. 2, pp. 1145–1165, 2014.
[13] X. Li, F. Bao, S. Li, and J. Ma, "FLAP: An efficient WLAN initial access authentication protocol," IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 488–497, 2014.
[14] I. You, K. Sakurai, and Y. Hori, "A security analysis on Kempf-Koodli's security scheme for fast Mobile IPv6," IEICE Transactions on Communications, vol. 92, no. 6, pp. 2287–2290, 2009.
[15] K. Chowdhury and A. Yegin, "Mobile IPv6 (MIPv6) bootstrapping for the integrated scenario," RFC 6621, 2012.
[16] G. Li, J. Ma, Q. Jiang, and X. Chen, "A novel re-authentication scheme based on tickets in wireless local area networks," Journal of Parallel and Distributed Computing, vol. 71, no. 7, pp. 906–914, 2011.
a subnet of AR$_1$. The packets for the MN start to flow to and are buffered at AR$_1$. Then a Fast Binding Acknowledgment (FBack) message is sent to the MN to notify of the completion of the tunnel establishment.

When finally disconnected from AP$_0$, namely, when the L2 handover occurs, the MN reassociates with AP$_1$ (❶ in Figure 1(c)) and performs a full IEEE 802.1x-EAP authentication with the AAA (❷ in Figure 1(c)). If it is successful, L2 key distribution starts based on the MSK$_1$ shared between the MN and AAA. The PMK$_1$ truncated from the MSK$_1$ is securely distributed to AP$_1$ (❸ in Figure 1(c)). Subsequently, a 4-way Handshake (❹ in Figure 1(c)) based on PMK$_1$ is performed between the MN and AP$_1$. At this point, the MN is successfully attached to a subnet of AR$_1$ (subnet$_1$) through AP$_1$. Finally, the MN sends an Unsolicited Neighbor Advertisement (UNA) message to request AR$_1$ to deliver the buffered packets forwarded from AR$_0$ (see Figure 1(c)). The fields inherent to the L3 signaling messages (e.g., RtSolPr) are intentionally omitted for the sake of providing a simple explanation. Instead, they will be padded with the security-related fields when discussing the mechanism used to secure them.
2.2. Threat Models and Problem Statements. Without proper protection for L3 signaling messages in FMIPv6 (see Figure 1), an adversary can forge or modify them to mount a variety of redirection attacks. Unless the previous AR (AR$_0$ in Figure 1) can verify that the FBU message comes from an authorized MN, legitimate traffic for the MN might be redirected to the adversary. Furthermore, the packets for the MN can be redirected to any other host to execute a flooding attack against it or against the subnet to which it belongs. The adversary can also forge the UNA message to steal the traffic destined for the legitimate MN. In order to avoid the above attacks, security associations should be established between the MN and ARs. An L3 key shared between the MN and AR$_0$ is used to authenticate the L3 signaling messages exchanged with AR$_0$ in Figure 1, while the L3 signaling messages exchanged with AR$_1$ in Figure 1 can be authenticated based on another L3 key shared between the MN and AR$_1$. Therefore, it is necessary to embed an L3 key distribution protocol into the original 802.11-based FMIPv6. In particular, the domino effect should be suppressed in case of the L3 key compromise. Namely, the compromise of the current L3 key should not induce that of the future L3 key. On the other hand, the 802.1x-EAP authentication (❷ in Figure 1) is for the MN to share a new L2 key with the new AP attached to the target AR through AAA. The L2 key is used for mutual authentication between the MN and the new AP. However, the authentication delay caused by the 802.1x-EAP is a major source of the handover delay since 8 messages should be exchanged between the MN and AAA in case of using the EAP-Transport Layer Security (TLS) method. Hence, if the 802.1x-EAP can be skipped on each L3 handover of the IEEE 802.11-based FMIPv6, the overall handover delay can be greatly improved.
23 Previous Works Several security schemes [11ndash13] havebeen investigated for sharing the L2 key to protect L2signaling messages which are based on a concept of ticket
key hiding technique and authentication server respectivelyOn the other hand a security scheme [8] based on Crypto-graphically Generated Address (CGA) has been proposed tosecure L3 signaling messages (sbquo in Figure 1) CGA is formedby taking the IPv6 subnet prefix for a nodersquos subnet andcombining it with an interface identifier suffix formed as thehash of the nodersquos public key The L3 key 119870
0 generated by
AR0is encrypted using the public encryption key of MN
119890119875119870MN and it is sent to the MN Both RtSolPr and PrRtAdvmessages are protected by the digital signature while the FBUmessage is protected by the symmetric key The definition ofthe notations is shown in Notations section Consider
MN 997888rarr AR0 119877119905119878119900119897119875119903 119875119870MN 119890119875119870MN 119873119900119899119888119890
119878119894119892 (119878119870MN)
MN larr997888 AR0 119875119903119877119905119860119889V 119875119903119890119891119894119909
1 [1198700] 119890119875119870MN 119873119900119899119888119890
119878119894119892 (119878119870AR0)
MN 997888rarr AR0 119865119861119880 119862119900119860
1119872119860119862 (119870
0)
(1)
However, the security scheme does not provide a method to establish a security association between the MN and the target router $AR_1$, so that the UNA message cannot be protected and can be forged to steal the traffic destined for the legitimate MN. Furthermore, a variety of DoS (Denial of Service) attacks can be mounted using the unauthenticated UNA message, which has also been mentioned in [14]. Another security scheme [9] has been proposed to protect L3 signaling messages including the UNA message. The security schemes proposed in [8, 9] are only for protecting L3 signaling messages (sbquo and in Figure 1).

Integrated handover authentication scheme [10] has been proposed to integrate the L3 key with the L2 key; namely, the L2 key can be derived directly from the L3 key. Before the MN handovers to the target AR, the MN transports a new L3 key, $K_1$, to $AR_1$ through the AAA as in (2), where MSK is a secret key shared between the MN and AAA. Subsequently, $AR_1$ distributes the L2 key ($PMK_1$) derived from the L3 key ($K_1$) to the new AP. A current L3 key, $K_0$, is used to secure the L3 signaling messages (sbquo in Figure 1), while a new L3 key, $K_1$, is for securing the L3 signaling messages ( in Figure 1). Consider

$$
\begin{aligned}
MN \rightarrow AR_0 &:\ [K_1]_{MSK},\ R_{MN},\ MAC(MSK),\ MAC(K_0) \\
AR_0 \rightarrow AR_1 &:\ [K_1]_{MSK},\ R_{MN},\ MAC(MSK) \\
AR_1 \rightarrow AAA &:\ [K_1]_{MSK},\ R_{MN},\ MAC(MSK) \\
AR_1 \leftarrow AAA &:\ [K_1]_{MSK},\ R_{MN}
\end{aligned}
\tag{2}
$$

As mentioned in Section 2.2, it is desirable for the interaction with the AAA to be skipped in order to speed up the handover process. However, it has not actually been skipped; instead, it has been placed on the L3 protocol. Furthermore, it is not secure against the L3 key compromise attack. Namely, the domino effect occurs in that if $K_0$ is compromised, then $K_1$ is also compromised. The security weakness will be more discussed in Section 4.4.

3. The Proposed Key Management and Security Scheme

A new cross-layer scheme for key management and associated security is proposed, where an L2 key is derived from an L3 key to speed up the L3 handover procedure accompanying the L2 handover, so that it is similar to the one in [10]. However, there is much difference between them in terms of security and efficiency. It is assumed that preestablished security associations exist between $AR_0$ and $AR_1$ and between AR and AP. A security association between the MN and AAA is also assumed to exist for the initial access of MN to the network. The notations used in this paper are shown in Notations section.

3.1. Design Principles. Suppose an MN handover from a subnet of $AR_0$ to that of $AR_1$. Two L3 keys are required to protect the L3 signaling messages: the one ($K_0$) on the subnet of $AR_0$ and the other ($K_1$) on the subnet of $AR_1$. Unlike the previous schemes [8–10] based on the interaction with AAA, the MN generates and distributes $K_1$ proactively to $AR_1$ before it moves from $AR_0$ to $AR_1$. Furthermore, the L2 key ($PMK_1$) can be derived from $K_1$ on the subnet of $AR_1$ and pushed into new $AP_1$ attached to $AR_1$, so that the IEEE 802.1x-EAP can be skipped.

Since a new L3 key ($K_1$) to be used after handover is predistributed to $AR_1$ by the MN, it is important to guarantee that a compromise of the current L3 key ($K_0$) does not induce that of the future L3 key ($K_1$); namely, the domino effect should be suppressed. For this purpose, double public-key encryptions are applied to $K_1$ before distribution: the one with the public key of $AR_1$ and the other with that of $AR_0$. In our proposed protocol, the authenticity of the public key of $AR_1$ is protected by $K_0$. However, if $K_0$ is compromised, $K_1$ can also be exposed to an adversary. Therefore, it is also protected by the public key of $AR_0$, which has been provided to the MN during the previous handover session.

An IPv6 address of the MN on the subnet of $AR_i$ is formed as $CoA_i\ (= Prefix_i, IID_i)$, where $IID_i$ is a 64-bit interface identifier. There are two ways of configuring IID: the typical one is based on the L2 address of the MN and the other is using a random number as IID. In our proposed protocol, we also use the random number but in a slightly different way. It is derived as follows: $IID_i = h_{64}(r_i)$, based on a random number $r_i$ selected by the MN. When moving from $AR_i$ to $AR_{i+1}$, the MN should reveal the random number $r_i$ to prove that $CoA_i$ was generated and owned by the MN. So $CoA_i$ plays a role of a commitment. A main reason to use this mechanism is to defend against a session hijacking attack when the current L3 key is compromised.

3.2. Initial Network Access Protocol. When the MN initially associates with $AP_0$ to access the network service (❶ in Figure 2), it performs full IEEE 802.1x-EAP authentication with the AAA (❷ in Figure 2). As a result, the $MSK_0$ is shared between them and the information ($AR_0$ and $ePK_{AR_0}$) for the default router of the MN is passed to the MN. Subsequently, the AAA derives two L3 keys, $IK$ and $K_0$, which are truncated from $MSK_0$, and transports them with $MN_{NAI}$ securely to the default router, where $MN_{NAI}$ is the Network Access Identifier (NAI) of the MN. $IK$ is an initial L3 configuration key, while $K_0$ is an L3 handover key based on which an L2 key ($PMK_0$) is also derived. Then, $AR_0$ pushes $PMK_0 = kdf(K_0, MN, AP_0)$ into $AP_0$ (❸ in Figure 2).

MN and $AP_0$ denote the L2 addresses of the MN and $AP_0$, while $AR_0$ denotes the L3 addresses of $AR_0$. The 4-way Handshake based on the $PMK_0$ is executed between the MN and $AP_0$ in order for the MN to attach to a subnet of $AR_0$ ($subnet_0$) through $AP_0$ (❹ in Figure 2). Finally, the MN performs an L3 configuration to check whether its IPv6 care-of-address, $CoA_0$, is duplicate on the subnet of $AR_0$.

$$
\begin{aligned}
MN \rightarrow AR_0 &:\ RtSol,\ R_{MN},\ MN_{NAI},\ MAC(IK) \\
MN \leftarrow AR_0 &:\ RtAdv,\ R_{MN},\ R_0,\ Prefix_0,\ MAC(IK) \\
MN \rightarrow AR_0 &:\ Conf,\ R_0,\ CoA_0,\ MAC(IK)
\end{aligned}
\tag{3}
$$

The MN sends a Router Solicitation (RtSol) message to $AR_0$. Based on $MN_{NAI}$, $AR_0$ can retrieve $IK$ and can respond to the RtSol message by sending a Router Advertisement (RtAdv) message. The RtAdv message contains the subnet prefix of $AR_0$, $Prefix_0$, from which the MN configures $CoA_0\ (= Prefix_0, IID_0)$, and the MN then sends a Configuration (Conf) message, where the interface identifier $IID_0 = h_{64}(r_0)$ is computed based on a random number $r_0$ generated by the MN. If $CoA_0$ is verified to be unique on the subnet, the initial network access protocol is successfully terminated. Eventually, ($CoA_0$, $K_0$) is stored into the neighbor cache of $AR_0$.

3.3. Proposed Secure Handover Procedure. Suppose an L2 handover accompanying an L3 handover occurs from $AP_0$ to $AP_1$. A sequence of signaling messages is shown in Figure 3, where the L3 key, $K_0$, at the $subnet_0$ has already been shared between the MN and $AR_0$ as a result of a previous handover process or an initial network access. After receiving the RtSolPr message, $AR_0$ responds by sending a PrRtAdv message with a subnet prefix of $AR_1$ ($Prefix_1$) and the public key of $AR_1$ ($ePK_{AR_1}$).

$$
MN \rightarrow AR_0:\ RtSolPr,\ R_{MN},\ MAC(K_0) \tag{4}
$$

$$
MN \leftarrow AR_0:\ PrRtAdv,\ R_{MN},\ R_0,\ Prefix_1,\ ePK_{AR_1},\ MAC(K_0) \tag{5}
$$

$$
MN \rightarrow AR_0:\ FBU,\ R_0,\ CoA_1,\ \bigl[r_0,\ [CoA_1, K_1]_{ePK_{AR_1}}\bigr]_{ePK_{AR_0}},\ MAC(K_0) \tag{6}
$$

[Figure 2: Proposed initial network access protocol. Message sequence among MN, $AP_0$, $AR_0$, and AAA: ❶ (L2) association with $AP_0$; ❷ (L2) 802.1x-EAP authentication with AAA, after which (i) ($AR_0$, $ePK_{AR_0}$) is passed to MN, (ii) $MSK_0$ is shared between MN and AAA, and (iii) $IK$ and $K_0$ are shared between MN and $AR_0$; ❸ (L2) L2 key ($PMK_0$) distribution; ❹ (L2) 4-way handshake with $AP_0$; then the L3 configuration messages RtSol, RtAdv, and Conf of (3).]

[Figure 3: Proposed secure handover protocol. Message sequence between $subnet_0$ and $subnet_1$: RtSolPr, PrRtAdv, and FBU between MN and $AR_0$; HI and Hack between $AR_0$ and $AR_1$; FBack from $AR_0$ to MN; L2 key distribution ($PMK_1$); ❶ (L2) reassociation with $AP_1$; ❷ (L2) 4-way handshake with $AP_1$; UNA from MN to $AR_1$.]

After configuring $CoA_1\ (= Prefix_1, IID_1)$, where $IID_1 = h_{64}(r_1)$ is computed based on a random number $r_1$, the MN generates a new L3 key, $K_1$, and sends an FBU message to $AR_0$ (sbquo in Figure 3). Since $K_1$ is to be shared with $AR_1$, it is first encrypted with the public key of $AR_1$, $ePK_{AR_1}$, and subsequently encrypted with the public key of $AR_0$, $ePK_{AR_0}$. When receiving the FBU message, $AR_0$ first obtains $r_0, [CoA_1, K_1]_{ePK_{AR_1}}$ after decryption in order to check if $h_{64}(r_0)$ is equal to $IID_0$ of $CoA_0$. If not, the message is proven to be not sent from the MN whose IPv6 address is $CoA_0$ and the handover protocol is aborted. Otherwise, the L3 key, $K_0$, is eventually passed to the target $AR_1$ for the purpose of sharing it with the MN at the $subnet_1$. A reason to encrypt $K_1$ twice is to defend against an L3 key compromise attack, which will be more discussed in Section 4.3. Consider

$$
\begin{aligned}
&\text{A secure channel between } AR_0 \text{ and } AR_1: \\
&\qquad HI,\ CoA_0,\ CoA_1,\ [CoA_1, K_1]_{ePK_{AR_1}} \\
&\qquad Hack \\
&MN \leftarrow AR_0:\ FBack,\ MAC(K_0) \\
&MN \rightarrow AR_1:\ UNA,\ MAC(K_1)
\end{aligned}
\tag{7}
$$

The target router $AR_1$ obtains $K_1$ through the HI message after decryption, and $K_1$ will be used to derive the L2 key, $PMK_1 = kdf(K_1, MN, AP_1)$, and to secure the future L3 handover. $AR_1$ pushes $PMK_1$ into $AP_1$.

After reassociating with $AP_1$ (❶ in Figure 3), the MN performs a 4-way Handshake (❷ in Figure 3) based on $PMK_1$ without IEEE 802.1x-EAP authentication with the AAA. Subsequently, the MN sends an UNA message to request $AR_1$ to deliver the buffered packets forwarded from $AR_0$ ( in Figure 3). ($CoA_1$, $K_1$) is finally stored into the neighbor cache of $AR_1$.

4. Security Analysis and Comparisons

4.1. Comparison of Key Management Schemes. In this section, three key management schemes are compared: security-enhanced IEEE 802.11-based FMIPv6 [8, 9], Integrated Scheme [10], and our proposed scheme, which are denoted as Schemes 1, 2, and 3, respectively. In case of Scheme 1, the security mechanisms [8, 9] to secure the L3 signaling messages are added to the original IEEE 802.11-based FMIPv6 [5]. However, there is no key management, in that both L3 and L2 keys are separately generated and maintained, meaning that IEEE 802.1x-EAP authentication (D in Figure 4(a)) should be performed on each L3 handover. A method to integrate the L3 key with the L2 key has been proposed in Scheme 2. Before the MN moves to a new AP attached to the target subnet $AR_1$, it requests the AAA to transport a new L3 key ($K_1$) to $AR_1$, and then a new L2 key ($PMK_1$) derived from it is pushed into $AP_1$ (permil in Figure 4(b)). But the interaction with the AAA cannot be skipped either during the L3 handover. On the other hand, in the proposed scheme (Scheme 3) of Figure 4(c), IEEE 802.1x-EAP authentication is performed only once during the initial network access in Figure 1. During a handover from $AR_0$ to $AR_1$, a new L3 key is sent to $AR_1$ via $AR_0$. Therefore, both the MN and $AR_1$ share $K_1$, which can be used to secure L3 signaling messages and to derive a new L2 key ($PMK_1$) in the target subnet. Since $K_1$ is proactively distributed to $AR_1$ before the MN moves from $AR_0$ to $AR_1$, the MN can perform a 4-way Handshake immediately after reassociating with $AP_1$ (D in Figure 4(c)).

[Figure 4: Comparison of key management schemes. (a) Scheme 1: MN, $AP_0$, $AP_1$, $AR_0$, $AR_1$, and AAA, with $PMK_1$. (b) Scheme 2: the same entities, with $K_1$ and $PMK_1$. (c) Scheme 3: MN, $AP_0$, $AP_1$, $AR_0$, and $AR_1$ without AAA, with $K_1$ and $PMK_1$.]

4.2. Replay and Redirection Attacks. In order to guarantee the freshness of FMIPv6 signaling messages, to be precise, to protect from a replay attack, challenge-response authentication based on the random numbers ($R_{MN}$ and $R_0$) is employed for our proposed scheme. A scenario to which the replay attack is applied is as follows: the MN is attached again to $AR_0$ at handover session $i$, while it has been attached to the same $AR_0$ at handover session $j$ ($i > j$). Suppose the MN has moved to $AR_1$ during the handover session $j$ and plans now to move to $AR_2$ during the handover session $i$. In this case, an adversary can try to replay the FMIPv6 signaling messages used during the handover session $j$ to redirect the traffic for the MN. However, the replay attack is not successful due to both nonce values and the L3 key, which is unique for each handover session.

4.3. Compromised L3 Key and Session Hijacking Attack. A case of the L3 key compromise is considered in this section. We show that our proposed scheme is secure against a session hijacking attack through redirection even though the current L3 key, $K_0$, of (5) and (6) is exposed to an adversary. To protect the FBU message in Section 3.3, our proposed security scheme employs two public-key encryptions with $ePK_{AR_0}$ and $ePK_{AR_1}$ as in (5) and (6).

The MN obtains the public key of $AR_0$ ($ePK_{AR_0}$) as a result of an initial network access or a previous L3 handover, while the public key of $AR_1$ ($ePK_{AR_1}$) is passed to the MN by $AR_0$.

4.3.1. Session Hijacking by Redirection Attack. Suppose an adversary, $A_{(MN)}$, disguising a victim MN, knows the current L3 key $K_0$ and starts an L3 handover as follows:

$$
A_{(MN)} \rightarrow AR_0:\ RtSolPr,\ R^{*}_{MN},\ MAC(K_0) \tag{11'}
$$

$$
A_{(MN)} \leftarrow AR_0:\ PrRtAdv,\ R^{*}_{MN},\ R_0,\ Prefix_1,\ ePK_{AR_1},\ MAC(K_0) \tag{12'}
$$

$$
A_{(MN)} \rightarrow AR_0:\ FBU,\ R_0,\ CoA^{*}_1,\ \bigl[r^{*}_0,\ [CoA^{*}_1, K_1]_{ePK_{AR_1}}\bigr]_{ePK_{AR_0}},\ MAC(K_0) \tag{13'}
$$

$R^{*}_{MN}$, $CoA^{*}_1$, and $r^{*}_0$ are generated by $A_{(MN)}$ that tries to hijack the current traffic for the MN ($CoA_0$) and forward it to $A_{(MN)}$ ($CoA^{*}_1$). When receiving the FBU message, $AR_0$ obtains $r^{*}_0$ after decryption and verifies if $IID_0$ of the source IPv6 address ($CoA_0$) is identical to $h_{64}(r^{*}_0)$. If the verification is not successful, the protocol stops. Since $h_{64}(\cdot)$ is based on a one-way hash function and the $r_0$ used to derive $IID_0$ is known only to the MN, all the adversary can do is attempt to guess $r_0$ (the probability of $r_0 = r^{*}_0$ is $2^{-64}$). Since $CoA_0$ is valid only on the $subnet_0$ and keeps changing as the MN moves, the probability is negligible enough to defend against such an attack.

4.3.2. Session Hijacking by Man-in-the-Middle Attack. Suppose an adversary $A_{(MN)}$ knows the current L3 key, $K_0$, and the victim MN starts an L3 handover to request $AR_0$ to forward its traffic to $CoA_1$. To see why the public-key encryption with $ePK_{AR_0}$ is required, (6) is modified into (13''):

$$
MN \rightarrow AR_0:\ FBU,\ R_0,\ CoA_1,\ r_0,\ [CoA_1, K_1]_{ePK_{AR_1}},\ MAC(K_0) \tag{13''}
$$

Then the adversary can mount a man-in-the-middle attack as follows:

$$
MN \rightarrow AR_0:\ RtSolPr,\ R_{MN},\ MAC(K_0) \tag{8}
$$

$$
A_{(MN)} \leftarrow AR_0:\ PrRtAdv,\ R_{MN},\ R_0,\ Prefix_1,\ ePK_{AR_1},\ MAC(K_0) \tag{9}
$$

$$
MN \leftarrow A_{(MN)}:\ PrRtAdv,\ R_{MN},\ R_0,\ Prefix_1,\ ePK^{*}_{AR_1},\ MAC(K_0) \tag{10}
$$

$$
MN \rightarrow A_{(MN)}:\ FBU,\ R_0,\ CoA_1,\ r_0,\ [CoA_1, K_1]_{ePK^{*}_{AR_1}},\ MAC(K_0) \tag{11}
$$

$$
A_{(MN)} \rightarrow AR_0:\ FBU,\ R_0,\ CoA^{*}_1,\ r_0,\ [CoA^{*}_1, K_1]_{ePK_{AR_1}},\ MAC(K_0) \tag{12}
$$

Namely, $A_{(MN)}$ observing between the MN and $AR_0$ modifies $ePK_{AR_1}$ of (9) into $ePK^{*}_{AR_1}$ of (10) generated by $A_{(MN)}$, so that $A_{(MN)}$ can obtain a new L3 key, $K_1$, and hijack the traffic for $CoA_1$ for the purpose of forwarding it to $CoA^{*}_1$. Eventually, the connection with $AR_1$ is turned over to $A_{(MN)}$. On the other hand, if (6) is used instead of (13'), (11) and (12) are changed into (19') and (20'), respectively:

$$
MN \rightarrow A_{(MN)}:\ FBU,\ R_0,\ CoA_1,\ \bigl[r_0,\ [CoA_1, K_1]_{ePK^{*}_{AR_1}}\bigr]_{ePK_{AR_0}},\ MAC(K_0) \tag{19'}
$$

$$
A_{(MN)} \rightarrow AR_0:\ FBU,\ R_0,\ CoA_1,\ \bigl[r_0,\ [CoA_1, K_1]_{ePK^{*}_{AR_1}}\bigr]_{ePK_{AR_0}},\ MAC(K_0) \tag{20'}
$$

When intercepting (19'), $A_{(MN)}$ cannot modify $CoA_1$ or obtain $K_1$ since they are encrypted with $ePK_{AR_0}$. Therefore, when receiving $[CoA_1, K_1]_{ePK^{*}_{AR_1}}$ through the $HI$ message, $AR_1$ aborts the current protocol since it cannot be decrypted with $ePK_{AR_1}$. Therefore, a compromise of the current L3 key does not induce that of the future L3 key.

4.4. Security Comparisons. Table 1 shows security comparisons (Schemes 1, 2, and 3), including the key management comparisons discussed in Section 4.1. It has been shown that our proposed scheme is secure against the session hijacking attack in case of the L3 key compromise. Scheme 1 is also secure since the L3 key is always generated and shared as a result of 802.1x-EAP protocol. However, Scheme 2 ((2) in Section 2.3) is not secure when the L3 key is compromised. Suppose $K_0$ is exposed to an adversary $A_{(MN)}$ and (13) can be observed from the previous handover session:

Previous handover session with L3 key $K_X$:

$$
MN \rightarrow AR_0:\ [K_0]_{MSK},\ R_{MN},\ MAC(MSK),\ MAC(K_X) \tag{13}
$$

Current handover session with L3 key $K_0$ (compromised):

$$
A_{(MN)} \rightarrow AR_0:\ [K_0]_{MSK},\ R_{MN},\ MAC(MSK),\ MAC(K_0) \tag{14}
$$

In this case, if the adversary replays a part of (13) as in (14) with the compromised L3 key $K_0$, then the adversary can share the same L3 key with a new AR, so that the adversary can hijack the current session.

4.5. AAA Issues for Security and Billing. FMIPv6 can support handover across different administrative domains. As mentioned before, if the two ARs belong to two different administrative domains, there should be a prior roaming agreement between them for security and billing. Typically, the accounting data (information about MN's resource consumption) collected by the network devices in the visiting domain is carried by the accounting protocol to the home domain. FMIPv6 over IEEE 802.11 is followed by the MIPv6 BU (Binding Update) protocol, whose role is to inform MN's HA (Home Agent) of the current AR. There are two service providers, Network Access Service Provider (NSP) and Mobility Service Provider (MSP), in MIPv6 bootstrapping environment [15]. The IEEE 802.11-based FMIPv6 service can be provided by the NSP offering a basic network access service to MN, while the MIPv6 BU service is provided by the MSP. So when the MIPv6 BU protocol is initiated, MSP's authorizer (AAA) will be interacted with the MN and AR, which is beyond the scope of this paper.

5. Performance Analysis and Comparison

In this section, the three handover latencies from the previous schemes (Schemes 1 and 2) and from the proposed scheme (Scheme 3) are compared. We first describe the analytical mobility model for the performance evaluation, and then we analyze and compare the handover costs and the numeric results of the analysis.

Table 1: Security comparisons.

| | Scheme 1 [8] | Scheme 1 [9] | Scheme 2 [10] | Scheme 3 [proposed one] |
|---|---|---|---|---|
| L3/L2 key management | None | None | Yes | Yes |
| Interaction with AAA | Required | Required | Required | Not required |
| L3 key generation | by AR | by MN | by MN | by MN |
| L2 key generation | 802.1x-EAP | 802.1x-EAP | from L3 key | from L3 key |
| Protection for UNA | None | Provided | Provided | Provided |
| Security attack due to L3 key compromise | Secure | Secure | Insecure | Secure |

5.1. Analytical Mobility Model. For the sake of simplicity, a square-shaped network model is used to analyze and compare the performance of the protocol under the three different schemes. In the square-shaped network model, coverage of the entire administrative domain and that of each AP are all square-shaped, and $N$ APs are uniformly distributed over the area of the administrative FMIPv6 domain. Figure 5 shows the square-shaped mobility model, where the bold lines indicate the boundary of the subnet consisting of 4 APs ($AP_{01}$, $AP_{02}$, $AP_{03}$, and $AP_{04}$) connected to $AR_0$.

The handover procedure is performed by the MN between ARs and APs. Hence, the handover rate is closely related to the mobility pattern of MN. The Fluid Flow (FF) model is widely used to analyze issues related to cell boundary crossing, such as a handover [16]. The FF model is suitable for MNs with a static speed and direction of motion. We adapt the FF model for use as the mobility model. Let $l$ and $L$ denote the perimeter of each AP and AR, while $v$ and $p$, respectively, denote the average velocity and density of MN. The MNs are uniformly distributed with a density $p$ and they move at an average velocity of $v$ in directions that are uniformly distributed over $[0, 2\pi]$. In the next analysis, $v$ is varied from 0.1 m/s to 5 m/s and $p$ is set to 0.0002 MNs/m² (200 MNs per km²). Let $R_c$ and $R_d$ be the crossing rates over the coverage of each AP and AR, respectively. They are then defined as follows:

$$
R_c = \frac{p\,v\,l}{\pi}, \qquad R_d = \frac{p\,v\,L}{\pi} \quad (\text{where } L = l\sqrt{N}) \tag{15}
$$

[Figure 5: Square-shaped mobility model ($N = 4$). Grid of square AP cells grouped into AR subnets: an L2 handover occurs when crossing between APs, and an L2 and L3 handover occurs when crossing between ARs. $AP_{01}$, $AP_{02}$, $AP_{03}$, and $AP_{04}$ are connected to $AR_0$.]

5.2. Handover Cost Analysis and Numerical Results. In IEEE 802.11-based FMIPv6, an MN performs L2 and L3 handover procedures. When an MN changes its current address to a new AR, the MN performs an L3 handover procedure. On the other hand, if an MN changes its current AP to another one connected to the same AR, then MN performs an L2 handover procedure. In this section, the average handover cost per MN is defined as the sum of the cost of the L3 handover and the cost of the L2 handover per unit time in order to provide results for the performance comparison. Let $A_j$ be the average handover cost per MN in unit of time, and $I_j$ and $H_j$ are the L3 handover cost and the L2 handover cost for Scheme $j$ (= 1, 2, 3), respectively. $I_j$ and $H_j$ are defined as the sum of the signaling cost $S_j$ and the processing cost $P_j$ for the L3 and L2 handovers, respectively. Based on (15), the average handover cost per MN, $A_j$, can be calculated as follows [16], where $W_{AR}$ is the area of an AR domain:

$$
A_j = \frac{R_d \cdot I_j + (N \cdot R_c - R_d) \cdot H_j}{p \cdot W_{AR}} \quad (\text{where } I_j\,(H_j) = S_j + P_j) \tag{16}
$$

The parameter descriptions and values for the performance comparison, referenced from [16], are defined in Table 2. Note that the values other than $p$, $v$, $l$, and $N$ are defined "relatively" for the purpose of this comparison, so the handover cost does not indicate the actual authentication delay for the corresponding scheme.

Table 2: Parameters for evaluation.

| Symbol | Description | Value |
|---|---|---|
| $p$ | Density in a cell (MNs/m²) | 0.0002 MNs/m² |
| $v$ | Average velocity of an MN (m/s) | 5 m/s (0.1∼5) |
| $l$ | Perimeter of AP's coverage (m) | 120 m |
| $N$ | Number of APs in an AR | 5 APs (1∼10) |
| $C_{enc}$, $C_{dec}$ | Encryption cost/decryption cost | 1 |
| $C_{key}$ | Key generation cost | 1 |
| $C_{int}$ | Message integrity code cost | 0.25 |
| $C_{hash}$ | Hash cost | 0.25 |
| $C_{kdf}$ | KDF cost | 0.25 |
| $C_{rand}$ | Random number generation cost | 0.25 |
| $C_{hop}$ | Transmission cost on the hop | 10 |
| $C_{pub}$ | Public key operation cost | 10 |
| $C_{wired}$ | Unit of transmission cost for a wired link | 1 |
| $C_{wireless}$ | Unit of transmission cost for a wireless link | 1.5 |
| $D_{AP\text{-}AAA}$ | Number of hops between AP and AAA | 10 |
| $D_{AP\text{-}AR}$ | Number of hops between AP and AR | 2 |

Using the parameters in Table 2, the L2 and L3 handover costs and the average handover cost can be calculated based on (17). The $P_{jMN}$, $P_{jAP}$, $P_{jAR_0}$, $P_{jAR_1}$, and $P_{jAAA}$ indicate the processing costs on MN, AP, $AR_0$, $AR_1$, and AAA, respectively, of Scheme $j$, and each of them is also calculated from the cost of cryptographic operations such as $C_{key}$ and $C_{hash}$. Let the number of hops between any two relatively close network devices (such as MN-to-AP, AP-to-AP, and AR-to-AR) be 1. $a_{ji}$ and $b_{jk}$ are specific coefficients of Scheme $j$:

$$
\begin{aligned}
P_j &= \sum_{i \in Q} a_{ji} P_{ji}, \quad \text{where } Q = \{MN, AP, AR_0, AR_1, AAA\} \\
S_j &= C_{hop}\left[C_{wireless} + C_{wired}\left(b_{j1} + b_{j2} D_{AP\text{-}AAA} + b_{j3} D_{AP\text{-}AR}\right)\right]
\end{aligned}
\tag{17}
$$

The handover cost of each scheme evaluated according to Table 2 is shown in Figure 6. Figure 6(a) compares the L3 handover costs of the three schemes. It can be observed that the main contributor to the handover cost is the signaling cost, $S_j$, and the handover cost of the previous schemes is larger than that of the proposed scheme as a result of the difference in when the interaction between the MN and AAA is required. Figure 6(b) shows the average handover cost per MN as the average velocity of the MN increases. The density of MN, $p$, is set to 0.0002, the number of APs in an AR, $N$, is set to 5, and the velocity of an MN varies from 0.1 m/s to 5 m/s. The average handover cost for three schemes increases as the velocity increases. Figure 6(c) shows the impact the number of APs in an AR has on the average handover cost per MN. The density of MN, $p$, is set to 0.0002 and the velocity of an MN, $v$, is set to 5. The average handover cost decreases as the number of APs in an AR increases.

As we can see from Figures 6(a), 6(b), and 6(c), the proposed scheme is much more or slightly more efficient than the previous schemes. Figure 6(d) shows the impacts that the velocity of MN and the number of APs in an AR have on the average handover cost for the proposed scheme. The average handover cost increases rapidly as the velocity of MN increases. However, the average handover cost decreases gradually as the number of APs in an AR increases. Therefore, the velocity of MN, rather than the number of APs in an AR, is a more important factor to consider in order to achieve an efficient handover.

6. Conclusions

We have designed a key management and security scheme to enhance L2/L3 handover security and to reduce the authentication delay induced by the L3 handover. The proposed scheme is based on the original IEEE 802.11-based FMIPv6, where first, based on the security assumptions, an initial network access protocol has been proposed to bootstrap the security associations among the network entities. Second, a cross-layer key management process has been introduced to integrate the L2 key with the L3 key. Namely, the L3 key can be judiciously employed to derive the L2 key, so that the time-consuming IEEE 802.1x-EAP authentication with the AAA can be skipped. Third, a method for protecting the seven L3 signaling messages has been proposed, as well as a scheme to securely transport the L3 key to the target AR. In particular, the case of a compromised L3 key has been considered, for which, even though the L3 key at the subnet of the current AR is compromised, an adversary with the compromised L3 key cannot perform any kind of redirection attack. In other words, a domino effect can be suppressed. FMIPv6 over IEEE 802.11 is followed by the MIPv6 BU (Binding Update) protocol, which involves an interaction with the AAA of the MSP. In the integrated scenario of MIPv6 bootstrapping, the MSP plays the role of the NSP, while the MSP and NSP are two distinct service providers in the split scenario. As a follow-up to the current research, the AAA issues for security and billing will be more investigated considering both the split and integrated scenarios for MIPv6 bootstrapping.

[Figure 6: Numerical Results. (a) L3 handover cost: handover cost by entity (MN, AP, $AR_0$, $AR_1$, AAA, $P_j$, $S_j$). (b) Average handover cost ($N = 5$): average handover cost against velocity of MN (m/s). (c) Average handover cost ($v = 5$): average handover cost against number of APs in an AR ($N$). (d) Average handover cost of proposed scheme: average handover cost against number of APs in an AR ($N$). Panels (a) to (c) compare Scheme 1 [8, 9], Scheme 2 [10], and Scheme 3 [proposed].]

Notations

$MAC(K)$: Message authentication code computed over all preceding message fields using a symmetric key $K$
$[m]_K$: Encryption of $m$ using symmetric key $K$
$kdf(\cdot)$: Key derivation function
$R_X$: Random number generated by $X$ ($X$ = MN, 0 for $AR_0$, 1 for $AR_1$)
$Nonce$: Nonce parameter
$h(\cdot)$: One-way hash function
$h_{64}(\cdot)$: 64-bit truncation from the output of $h(\cdot)$
$K_i$: L3 key shared between MN and $AR_i$
$PMK_i$: L2 key shared between MN and $AP_i$
$PK_X$, $SK_X$: A pair of public and private keys of $X$ used for the signature
$ePK_X$, $eSK_X$: A pair of public and private keys of $X$ used for the encryption
$Sig(SK_X)$: A digital signature based on the signing private key $SK_X$ covering all preceding message fields
$[m]_{ePK_X}$: Encryption of $m$ with the public key $ePK_X$ of $X$ ($X$ = MN, 0 for $AR_0$, 1 for $AR_1$)

Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This research was supported by the Employment Contract based Master Degree Program for Information Security supervised by the KISA (Korea Internet Security Agency) and also supported by the MSIP (Ministry of Science, ICT and Future Planning), Republic of Korea, under the CPRC (Communications Policy Research Center) Support Program supervised by the KCA (Korea Communications Agency) (KCA-2013-003).
References
[1] R. Koodli, "Mobile IPv6 fast handovers," RFC 5268, 2008.
[2] C. Perkins, D. Johnson, and J. Arkko, "Mobility support in IPv6," RFC 6725, 2011.
[3] IEEE 802.11, Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, IEEE Standard, 2012.
[4] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, and H. Levkowetz, "Extensible authentication protocol (EAP)," RFC 3748, 2004.
[5] P. McCann, "Mobile IPv6 fast handovers for 802.11 networks," RFC 4260, 2005.
[6] Y. Song, M. Liu, Z. Li, and Q. Li, "Handover latency of predictive FMIPv6 in IEEE 802.11 WLANs: a cross layer perspective," in Proceedings of the 18th International Conference on Computer Communications and Networks (ICCCN '09), pp. 1–6, San Francisco, Calif, USA, August 2009.
[7] M. Alnas, I. Awan, and R. D. W. Holton, "Performance evaluation of fast handover in mobile IPv6 based on link-layer information," Journal of Systems and Software, vol. 83, no. 10, pp. 1644–1650, 2010.
[8] J. Kempf and R. Koodli, "Distributing a symmetric fast mobile IPv6 handover key using secure neighbor discovery," RFC 5269, 2008.
[9] C.-S. Park, "Security-enhanced fast mobile IPv6 handover," IEICE Transactions on Communications, vol. E93-B, no. 1, pp. 178–181, 2010.
[10] J. Choi and S. Jung, "An integrated handover authentication for FMIPv6 over heterogeneous access link technologies," Wireless Personal Communications, vol. 71, no. 2, pp. 839–856, 2013.
[11] L. Xu, Y. He, X. Chen, and X. Huang, "Ticket-based handoff authentication for wireless mesh networks," Computer Networks, vol. 73, pp. 185–194, 2014.
[12] R. Singh and T. P. Sharma, "A key hiding communication scheme for enhancing the wireless LAN security," Wireless Personal Communications, vol. 77, no. 2, pp. 1145–1165, 2014.
[13] X. Li, F. Bao, S. Li, and J. Ma, "FLAP: An efficient WLAN initial access authentication protocol," IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 488–497, 2014.
[14] I. You, K. Sakurai, and Y. Hori, "A security analysis on Kempf-Koodli's security scheme for fast Mobile IPv6," IEICE Transactions on Communications, vol. 92, no. 6, pp. 2287–2290, 2009.
[15] K. Chowdhury and A. Yegin, "Mobile IPv6 (MIPv6) bootstrapping for the integrated scenario," RFC 6621, 2012.
[16] G. Li, J. Ma, Q. Jiang, and X. Chen, "A novel re-authentication scheme based on tickets in wireless local area networks," Journal of Parallel and Distributed Computing, vol. 71, no. 7, pp. 906–914, 2011.
domino effect occurs in that if $K_0$ is compromised, then $K_1$ is also compromised. The security weakness will be discussed further in Section 4.4.
3. The Proposed Key Management and Security Scheme

A new cross-layer scheme for key management and associated security is proposed, where an L2 key is derived from an L3 key to speed up the L3 handover procedure accompanying the L2 handover, so that it is similar to the one in [10]. However, there is much difference between them in terms of security and efficiency. It is assumed that preestablished security associations exist between AR$_0$ and AR$_1$, AR and AP. A security association between the MN and AAA is also assumed to exist for the initial access of MN to the network. The notations used in this paper are shown in Notations section.
3.1. Design Principles. Suppose an MN performs a handover from a subnet of AR$_0$ to that of AR$_1$. Two L3 keys are required to protect the L3 signaling messages: the one ($K_0$) on the subnet of AR$_0$ and the other ($K_1$) on the subnet of AR$_1$. Unlike the previous schemes [8–10] based on the interaction with AAA, the MN generates and distributes $K_1$ proactively to AR$_1$ before it moves from AR$_0$ to AR$_1$. Furthermore, the L2 key ($PMK_1$) can be derived from $K_1$ on the subnet of AR$_1$ and pushed into new AP$_1$ attached to AR$_1$, so that the IEEE 802.1x-EAP can be skipped.

Since a new L3 key ($K_1$) to be used after handover is predistributed to AR$_1$ by the MN, it is important to guarantee that a compromise of the current L3 key ($K_0$) does not induce that of the future L3 key ($K_1$); namely, the domino effect should be suppressed. For this purpose, double public-key encryptions are applied to $K_1$ before distribution: the one with the public key of AR$_1$ and the other with that of AR$_0$. In our proposed protocol, the authenticity of the public key of AR$_1$ is protected by $K_0$. However, if $K_0$ is compromised, $K_1$ can also be exposed to an adversary. Therefore, it is also protected by the public key of AR$_0$, which has been provided to the MN during the previous handover session.

An IPv6 address of the MN on the subnet of AR$_i$ is formed as $CoA_i$ $(= Prefix_i \; IID_i)$, where $IID_i$ is a 64-bit interface identifier. There are two ways of configuring IID: the typical one is based on the L2 address of the MN, and the other is using a random number as IID. In our proposed protocol, we also use the random number, but in a slightly different way. It is derived as follows: $IID_i = h_{64}(r_i)$, based on a random number $r_i$ selected by the MN. When moving from AR$_i$ to AR$_{i+1}$, the MN should reveal the random number $r_i$ to prove that $CoA_i$ was generated and owned by the MN. So $CoA_i$ plays the role of a commitment. A main reason to use this mechanism is to defend against a session hijacking attack when the current L3 key is compromised.
3.2. Initial Network Access Protocol. When the MN initially associates with AP$_0$ to access the network service (❶ in Figure 2), it performs full IEEE 802.1x-EAP authentication with the AAA (❷ in Figure 2). As a result, the $MSK_0$ is shared between them, and the information (AR$_0$ and $ePK_{AR_0}$) for the default router of the MN is passed to the MN. Subsequently, the AAA derives two L3 keys, IK and $K_0$, which are truncated from $MSK_0$, and transports them with $MN_{NAI}$ securely to the default router, where $MN_{NAI}$ is the Network Access Identifier (NAI) of the MN. IK is an initial L3 configuration key, while $K_0$ is an L3 handover key based on which an L2 key ($PMK_0$) is also derived. Then AR$_0$ pushes $PMK_0 = kdf(K_0, MN, AP_0)$ into AP$_0$ (❸ in Figure 2).

MN and AP$_0$ denote the L2 addresses of the MN and AP$_0$, while AR$_0$ denotes the L3 address of AR$_0$. The 4-way Handshake based on the $PMK_0$ is executed between the MN and AP$_0$ in order for the MN to attach to a subnet of AR$_0$ (subnet$_0$) through AP$_0$ (❹ in Figure 2). Finally, the MN performs an L3 configuration to check whether its IPv6 care-of-address, $CoA_0$, is duplicate on the subnet of AR$_0$:

$$
\begin{aligned}
\mathrm{MN} \rightarrow \mathrm{AR}_0 &: RtSol,\ R_{MN},\ MN_{NAI},\ MAC(IK) \\
\mathrm{MN} \leftarrow \mathrm{AR}_0 &: RtAdv,\ R_{MN},\ R_0,\ Prefix_0,\ MAC(IK) \\
\mathrm{MN} \rightarrow \mathrm{AR}_0 &: Conf,\ R_0,\ CoA_0,\ MAC(IK)
\end{aligned}
\tag{3}
$$

The MN sends a Router Solicitation (RtSol) message to AR$_0$. Based on $MN_{NAI}$, AR$_0$ can retrieve IK and can respond to the RtSol message by sending a Router Advertisement (RtAdv) message. The RtAdv message contains the subnet prefix of AR$_0$, $Prefix_0$, from which the MN configures $CoA_0$ $(= Prefix_0 \; IID_0)$, and the MN then sends a Configuration (Conf) message, where the interface identifier $IID_0 = h_{64}(r_0)$ is computed based on a random number $r_0$ generated by the MN. If $CoA_0$ is verified to be unique on the subnet, the initial network access protocol is successfully terminated. Eventually, ($CoA_0$, $K_0$) is stored into the neighbor cache of AR$_0$.
3.3. Proposed Secure Handover Procedure. Suppose an L2 handover accompanying an L3 handover occurs from AP$_0$ to AP$_1$. A sequence of signaling messages is shown in Figure 3, where the L3 key, $K_0$, at the subnet$_0$ has already been shared between the MN and AR$_0$ as a result of a previous handover process or an initial network access. After receiving the RtSolPr message, AR$_0$ responds by sending a PrRtAdv message with a subnet prefix of AR$_1$ ($Prefix_1$) and the public key of AR$_1$ ($ePK_{AR_1}$):

$$\mathrm{MN} \rightarrow \mathrm{AR}_0 : RtSolPr,\ R_{MN},\ MAC(K_0) \tag{4}$$

$$\mathrm{MN} \leftarrow \mathrm{AR}_0 : PrRtAdv,\ R_{MN},\ R_0,\ Prefix_1,\ ePK_{AR_1},\ MAC(K_0) \tag{5}$$

$$\mathrm{MN} \rightarrow \mathrm{AR}_0 : FBU,\ R_0,\ CoA_1,\ [r_0,\ [CoA_1,\ K_1]_{ePK_{AR_1}}]_{ePK_{AR_0}},\ MAC(K_0) \tag{6}$$

After configuring $CoA_1$ $(= Prefix_1 \; IID_1)$, where $IID_1 = h_{64}(r_1)$ is computed based on a random number $r_1$, the MN generates a new L3 key, $K_1$, and sends an FBU message to AR$_0$ (Figure 3). Since $K_1$ is to be shared with AR$_1$, it is first encrypted with the public key of AR$_1$, $ePK_{AR_1}$, and subsequently encrypted with the public key of AR$_0$, $ePK_{AR_0}$. When receiving the FBU message, AR$_0$ first obtains $r_0$, $[CoA_1, K_1]_{ePK_{AR_1}}$ after decryption in order to check if $h_{64}(r_0)$ is equal to $IID_0$ of $CoA_0$. If not, the message is proven to be not sent from the MN whose IPv6 address is $CoA_0$, and the handover protocol is aborted. Otherwise, the L3 key, $K_0$, is eventually passed to the target AR$_1$ for the purpose of sharing it with the MN at the subnet$_1$. A reason to encrypt $K_1$ twice is to defend against an L3 key compromise attack, which will be discussed further in Section 4.3. Consider

$$
\begin{aligned}
&\text{A secure channel between } \mathrm{AR}_0 \text{ and } \mathrm{AR}_1: \\
&\qquad HI,\ CoA_0,\ CoA_1,\ [CoA_1,\ K_1]_{ePK_{AR_1}} \\
&\qquad Hack \\
&\mathrm{MN} \leftarrow \mathrm{AR}_0 : FBack,\ MAC(K_0) \\
&\mathrm{MN} \rightarrow \mathrm{AR}_1 : UNA,\ MAC(K_1)
\end{aligned}
\tag{7}
$$

The target router AR$_1$ obtains $K_1$ through the HI message after decryption, and $K_1$ will be used to derive the L2 key $PMK_1 = kdf(K_1, MN, AP_1)$ and to secure the future L3 handover. AR$_1$ pushes $PMK_1$ into AP$_1$.

After reassociating with AP$_1$ (❶ in Figure 3), the MN performs a 4-way Handshake (❷ in Figure 3) based on $PMK_1$ without IEEE 802.1x-EAP authentication with the AAA. Subsequently, the MN sends a UNA message to request AR$_1$ to deliver the buffered packets forwarded from AR$_0$ (Figure 3). ($CoA_1$, $K_1$) is finally stored into the neighbor cache of AR$_1$.

Figure 2: Proposed initial network access protocol. Steps: ❶ (L2) association with AP$_0$; ❷ (L2) 802.1x-EAP authentication with AAA; ❸ (L2) distribution of the L2 key ($PMK_0$); ❹ (L2) 4-way handshake with AP$_0$; then the L3 configuration exchange (RtSol, RtAdv, Conf).

Figure 3: Proposed secure handover protocol. L3 signaling: RtSolPr, PrRtAdv, FBU, HI, Hack, FBack, UNA; L2 steps: ❶ reassociation with AP$_1$; ❷ 4-way handshake with AP$_1$.
4. Security Analysis and Comparisons

4.1. Comparison of Key Management Schemes. In this section, three key management schemes are compared: security-enhanced IEEE 802.11-based FMIPv6 [8, 9], Integrated Scheme [10], and our proposed scheme, which are denoted as Schemes 1, 2, and 3, respectively. In case of Scheme 1, the security mechanisms [8, 9] to secure the L3 signaling messages are added to the original IEEE 802.11-based FMIPv6 [5]. However, there is no key management, in that both L3 and L2 keys are separately generated and maintained, meaning that IEEE 802.1x-EAP authentication (Figure 4(a)) should be performed on each L3 handover. A method to integrate the L3 key with the L2 key has been proposed in Scheme 2. Before the MN moves to a new AP attached to the target subnet AR$_1$, it requests the AAA to transport a new L3 key ($K_1$) to AR$_1$, and then a new L2 key ($PMK_1$) derived from it is pushed into AP$_1$ (Figure 4(b)). But the interaction with the AAA cannot be skipped either during the L3 handover. On the other hand, in the proposed scheme (Scheme 3) of Figure 4(c), IEEE 802.1x-EAP authentication is performed only once during the initial network access in Figure 1. During a handover from AR$_0$ to AR$_1$, a new L3 key is sent to AR$_1$ via AR$_0$. Therefore, both the MN and AR$_1$ share $K_1$, which can be used to secure L3 signaling messages and to derive a new L2 key ($PMK_1$) in the target subnet. Since $K_1$ is proactively distributed to AR$_1$ before the MN moves from AR$_0$ to AR$_1$, the MN can perform a 4-way Handshake immediately after reassociating with AP$_1$ (Figure 4(c)).

Figure 4: Comparison of key management schemes: (a) Scheme 1, (b) Scheme 2, (c) Scheme 3.
4.2. Replay and Redirection Attacks. In order to guarantee the freshness of FMIPv6 signaling messages, to be precise, to protect from a replay attack, challenge-response authentication based on the random numbers ($R_{MN}$ and $R_0$) is employed for our proposed scheme. A scenario to which the replay attack is applied is as follows: the MN is attached again to AR$_0$ at handover session $i$, while it has been attached to the same AR$_0$ at handover session $j$ ($i > j$). Suppose the MN has moved to AR$_1$ during the handover session $j$ and plans now to move to AR$_2$ during the handover session $i$. In this case, an adversary can try to replay the FMIPv6 signaling messages used during the handover session $j$ to redirect the traffic for the MN. However, the replay attack is not successful due to both nonce values and the L3 key, which is unique for each handover session.
4.3. Compromised L3 Key and Session Hijacking Attack. A case of the L3 key compromise is considered in this section. We show that our proposed scheme is secure against a session hijacking attack through redirection even though the current L3 key, $K_0$, of (5) and (6) is exposed to an adversary. To protect the FBU message in Section 3.3, our proposed security scheme employs two public-key encryptions with $ePK_{AR_0}$ and $ePK_{AR_1}$, as in (5) and (6).

The MN obtains the public key of AR$_0$ ($ePK_{AR_0}$) as a result of an initial network access or a previous L3 handover, while the public key of AR$_1$ ($ePK_{AR_1}$) is passed to the MN by AR$_0$.
4.3.1. Session Hijacking by Redirection Attack. Suppose an adversary $A_{(MN)}$ disguising a victim MN knows the current L3 key $K_0$ and starts an L3 handover as follows:

$$A_{(MN)} \rightarrow \mathrm{AR}_0 : RtSolPr,\ R^{*}_{MN},\ MAC(K_0) \tag{$11'$}$$

$$A_{(MN)} \leftarrow \mathrm{AR}_0 : PrRtAdv,\ R^{*}_{MN},\ R_0,\ Prefix_1,\ ePK_{AR_1},\ MAC(K_0) \tag{$12'$}$$

$$A_{(MN)} \rightarrow \mathrm{AR}_0 : FBU,\ R_0,\ CoA^{*}_1,\ [r^{*}_0,\ [CoA^{*}_1,\ K_1]_{ePK_{AR_1}}]_{ePK_{AR_0}},\ MAC(K_0) \tag{$13'$}$$

$R^{*}_{MN}$, $CoA^{*}_1$, and $r^{*}_0$ are generated by $A_{(MN)}$ that tries to hijack the current traffic for the MN ($CoA_0$) and forward it to $A_{(MN)}$ ($CoA^{*}_1$). When receiving the FBU message, AR$_0$ obtains $r^{*}_0$ after decryption and verifies if $IID_0$ of the source IPv6 address ($CoA_0$) is identical to $h_{64}(r^{*}_0)$. If the verification is not successful, the protocol stops. Since $h_{64}(\cdot)$ is based on a one-way hash function and the $r_0$ used to derive $IID_0$ is known only to the MN, all the adversary can do is attempt to guess $r_0$ (the probability of $r_0 = r^{*}_0$ is $2^{-64}$). Since $CoA_0$ is valid only on the subnet$_0$ and keeps changing as the MN moves, the probability is negligible enough to defend against such an attack.
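
The AR$_0$-side FBU check from Sections 3.3 and 4.3.1, together with the cross-layer derivation $PMK_1 = kdf(K_1, MN, AP_1)$, can be exercised with the sketch below. It is an added example, not code from the paper. Assumptions: SHA-256 for $h$, HMAC-SHA256 for both $MAC$ and $kdf$, a /64 prefix, the field encoding and all function names; the two public-key layers are not implemented, so the FBU is shown as AR$_0$ sees it after decrypting the outer layer, with the inner blob opaque.

```python
import hashlib
import hmac

def h64(r: bytes) -> bytes:
    """h64(.): 64-bit truncation of a one-way hash (SHA-256 is an assumption)."""
    return hashlib.sha256(r).digest()[:8]

def make_coa(prefix: bytes, r: bytes) -> bytes:
    """CoA_i = Prefix_i followed by IID_i = h64(r_i); a /64 prefix is assumed."""
    if len(prefix) != 8:
        raise ValueError("prefix must be 8 bytes (/64)")
    return prefix + h64(r)

def mac(key: bytes, *fields: bytes) -> bytes:
    """MAC(K) over all preceding fields: HMAC-SHA256, length-prefixed (assumed)."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        m.update(len(f).to_bytes(2, "big") + f)
    return m.digest()

def kdf(k: bytes, mn_l2: bytes, ap_l2: bytes) -> bytes:
    """PMK_i = kdf(K_i, MN, AP_i); HMAC-SHA256 stands in for the unspecified kdf."""
    return hmac.new(k, mn_l2 + ap_l2, hashlib.sha256).digest()

def build_fbu(k0, nonce_r0, coa1, r0, inner):
    """FBU fields after AR0 removed the outer ePK_AR0 layer (modelled, not encrypted).
    `inner` is the opaque [CoA1, K1] blob that only AR1 can open."""
    msg = {"R0": nonce_r0, "CoA1": coa1, "r0": r0, "inner": inner}
    msg["mac"] = mac(k0, b"FBU", nonce_r0, coa1, r0, inner)
    return msg

def ar0_process_fbu(neighbor_cache, pending_nonces, src_coa, msg):
    """Return AR0's decision for an FBU whose source address is src_coa."""
    k0 = neighbor_cache.get(src_coa)            # (CoA0, K0) stored at attachment
    if k0 is None:
        return "unknown-coa"
    expected = mac(k0, b"FBU", msg["R0"], msg["CoA1"], msg["r0"], msg["inner"])
    if not hmac.compare_digest(expected, msg["mac"]):
        return "bad-mac"
    if pending_nonces.get(src_coa) != msg["R0"]:  # R0 from this session's PrRtAdv
        return "stale-nonce"
    # Commitment check: the revealed r0 must open IID0, the low 64 bits of CoA0.
    if not hmac.compare_digest(h64(msg["r0"]), src_coa[8:]):
        return "commitment-mismatch"
    del pending_nonces[src_coa]                 # one FBU per challenge
    return "forward-HI"

def demo():
    # All values below are constructed for illustration.
    prefix0 = bytes.fromhex("20010db800000000")
    prefix1 = bytes.fromhex("20010db800010000")
    r0, r1 = b"mn-secret-r0-constructed", b"mn-secret-r1-constructed"
    k0, k1 = b"K0" * 16, b"K1" * 16
    coa0, coa1 = make_coa(prefix0, r0), make_coa(prefix1, r1)
    cache = {coa0: k0}
    inner = b"<[CoA1,K1] under ePK_AR1>"
    out = {}
    # 1. Genuine MN: knows K0 and r0.
    out["mn"] = ar0_process_fbu(cache, {coa0: b"R0-s1"}, coa0,
                                build_fbu(k0, b"R0-s1", coa1, r0, inner))
    # 2. Adversary with the compromised K0: MAC verifies, r0 must be guessed.
    coa_star = make_coa(prefix1, b"adv-r1")
    out["adversary"] = ar0_process_fbu(cache, {coa0: b"R0-s2"}, coa0,
                                       build_fbu(k0, b"R0-s2", coa_star, b"adv-guess", inner))
    # 3. Replay of the genuine FBU against a later challenge.
    out["replay"] = ar0_process_fbu(cache, {coa0: b"R0-s3"}, coa0,
                                    build_fbu(k0, b"R0-s1", coa1, r0, inner))
    # 4. Cross-layer step: the PMK is bound to the L3 key and to the AP's L2 address.
    mn, ap1, ap2 = (bytes.fromhex(x) for x in
                    ("020000000001", "0200000000a1", "0200000000a2"))
    pmk1 = kdf(k1, mn, ap1)
    out["pmk_bound"] = pmk1 != kdf(k1, mn, ap2) and pmk1 != kdf(k0, mn, ap1)
    return out

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
```

Case 2 is the situation analysed above: a valid $MAC(K_0)$ alone does not get the FBU accepted, because the sender must also open the commitment embedded in $CoA_0$.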
4.3.2. Session Hijacking by Man-in-the-Middle Attack. Suppose an adversary $A_{(MN)}$ knows the current L3 key, $K_0$, and the victim MN starts an L3 handover to request AR$_0$ to forward its traffic to $CoA_1$. To see why the public-key encryption with $ePK_{AR_0}$ is required, (6) is modified into ($13''$):

$$\mathrm{MN} \rightarrow \mathrm{AR}_0 : FBU,\ R_0,\ CoA_1,\ r_0,\ [CoA_1,\ K_1]_{ePK_{AR_1}},\ MAC(K_0) \tag{$13''$}$$

Then the adversary can mount a man-in-the-middle attack as follows:

$$\mathrm{MN} \rightarrow \mathrm{AR}_0 : RtSolPr,\ R_{MN},\ MAC(K_0) \tag{8}$$

$$A_{(MN)} \leftarrow \mathrm{AR}_0 : PrRtAdv,\ R_{MN},\ R_0,\ Prefix_1,\ ePK_{AR_1},\ MAC(K_0) \tag{9}$$

$$\mathrm{MN} \leftarrow A_{(MN)} : PrRtAdv,\ R_{MN},\ R_0,\ Prefix_1,\ ePK^{*}_{AR_1},\ MAC(K_0) \tag{10}$$

$$\mathrm{MN} \rightarrow A_{(MN)} : FBU,\ R_0,\ CoA_1,\ r_0,\ [CoA_1,\ K_1]_{ePK^{*}_{AR_1}},\ MAC(K_0) \tag{11}$$

$$A_{(MN)} \rightarrow \mathrm{AR}_0 : FBU,\ R_0,\ CoA^{*}_1,\ r_0,\ [CoA^{*}_1,\ K_1]_{ePK_{AR_1}},\ MAC(K_0) \tag{12}$$

Namely, $A_{(MN)}$ observing between the MN and AR$_0$ modifies $ePK_{AR_1}$ of (9) into $ePK^{*}_{AR_1}$ of (10) generated by $A_{(MN)}$, so that $A_{(MN)}$ can obtain a new L3 key $K_1$ and hijack the traffic for $CoA_1$ for the purpose of forwarding it to $CoA^{*}_1$. Eventually, the connection with AR$_1$ is turned over to $A_{(MN)}$. On the other hand, if (6) is used instead of ($13'$), (11) and (12) are changed into ($19'$) and ($20'$), respectively:

$$\mathrm{MN} \rightarrow A_{(MN)} : FBU,\ R_0,\ CoA_1,\ [r_0,\ [CoA_1,\ K_1]_{ePK^{*}_{AR_1}}]_{ePK_{AR_0}},\ MAC(K_0) \tag{$19'$}$$

$$A_{(MN)} \rightarrow \mathrm{AR}_0 : FBU,\ R_0,\ CoA_1,\ [r_0,\ [CoA_1,\ K_1]_{ePK^{*}_{AR_1}}]_{ePK_{AR_0}},\ MAC(K_0) \tag{$20'$}$$

When intercepting ($19'$), $A_{(MN)}$ cannot modify $CoA_1$ or obtain $K_1$, since they are encrypted with $ePK_{AR_0}$. Therefore, when receiving $[CoA_1, K_1]_{ePK^{*}_{AR_1}}$ through the HI message, AR$_1$ aborts the current protocol since it cannot be decrypted with $ePK_{AR_1}$. Therefore, a compromise of the current L3 key does not induce that of the future L3 key.
4.4. Security Comparisons. Table 1 shows security comparisons (Schemes 1, 2, and 3), including the key management comparisons discussed in Section 4.1. It has been shown that our proposed scheme is secure against the session hijacking attack in case of the L3 key compromise. Scheme 1 is also secure since the L3 key is always generated and shared as a result of 802.1x-EAP protocol. However, Scheme 2 ((2) in Section 2.3) is not secure when the L3 key is compromised. Suppose $K_0$ is exposed to an adversary $A_{(MN)}$ and (13) can be observed from the previous handover session:

Previous handover session with L3 key $K_X$:

$$\mathrm{MN} \rightarrow \mathrm{AR}_0 : [K_0]_{MSK},\ R_{MN},\ MAC(MSK),\ MAC(K_X) \tag{13}$$

Current handover session with L3 key $K_0$ (compromised):

$$A_{(MN)} \rightarrow \mathrm{AR}_0 : [K_0]_{MSK},\ R_{MN},\ MAC(MSK),\ MAC(K_0) \tag{14}$$

In this case, if the adversary replays a part of (13) as in (14) with the compromised L3 key $K_0$, then the adversary can share the same L3 key with a new AR, so that the adversary can hijack the current session.
4.5. AAA Issues for Security and Billing. FMIPv6 can support handover across different administrative domains. As mentioned before, if the two ARs belong to two different administrative domains, there should be a prior roaming agreement between them for security and billing. Typically, the accounting data (information about MN's resource consumption) collected by the network devices in the visiting domain is carried by the accounting protocol to the home domain. FMIPv6 over IEEE 802.11 is followed by the MIPv6 BU (Binding Update) protocol, whose role is to inform MN's HA (Home Agent) of the current AR. There are two service providers, Network Access Service Provider (NSP) and Mobility Service Provider (MSP), in MIPv6 bootstrapping environment [15]. The IEEE 802.11-based FMIPv6 service can be provided by the NSP offering a basic network access service to MN, while the MIPv6 BU service is provided by the MSP. So when the MIPv6 BU protocol is initiated, MSP's authorizer (AAA) will interact with the MN and AR, which is beyond the scope of this paper.
5. Performance Analysis and Comparison

In this section, the three handover latencies from the previous schemes (Schemes 1 and 2) and from the proposed scheme (Scheme 3) are compared. We first describe the analytical mobility model for the performance evaluation, and then we analyze and compare the handover costs and the numeric results of the analysis.

Table 1: Security comparisons.

| | Scheme 1 [8] | Scheme 1 [9] | Scheme 2 [10] | Scheme 3 [proposed one] |
|---|---|---|---|---|
| L3/L2 key management | None | None | Yes | Yes |
| Interaction with AAA | Required | Required | Required | Not required |
| L3 key generation | by AR | by MN | by MN | by MN |
| L2 key generation | 802.1x-EAP | 802.1x-EAP | from L3 key | from L3 key |
| Protection for UNA | None | Provided | Provided | Provided |
| Security attack due to L3 key compromise | Secure | Secure | Insecure | Secure |
5.1. Analytical Mobility Model. For the sake of simplicity, a square-shaped network model is used to analyze and compare the performance of the protocol under the three different schemes. In the square-shaped network model, coverage of the entire administrative domain and that of each AP are all square-shaped, and $N$ APs are uniformly distributed over the area of the administrative FMIPv6 domain. Figure 5 shows the square-shaped mobility model, where the bold lines indicate the boundary of the subnet consisting of 4 APs (AP$_{01}$, AP$_{02}$, AP$_{03}$, and AP$_{04}$) connected to AR$_0$.

The handover procedure is performed by the MN between ARs and APs. Hence, the handover rate is closely related to the mobility pattern of MN. The Fluid Flow (FF) model is widely used to analyze issues related to cell boundary crossing, such as a handover [16]. The FF model is suitable for MNs with a static speed and direction of motion. We adapt the FF model for use as the mobility model. Let $l$ and $L$ denote the perimeter of each AP and AR, while $v$ and $p$, respectively, denote the average velocity and density of MN. The MNs are uniformly distributed with a density $p$, and they move at an average velocity of $v$ in directions that are uniformly distributed over $[0, 2\pi]$. In the next analysis, $v$ is varied from 0.1 m/s to 5 m/s and $p$ is set to 0.0002 MNs/m² (200 MNs per km²). Let $R_c$ and $R_d$ be the crossing rates over the coverage of each AP and AR, respectively. They are then defined as follows:

$$R_c = \frac{p v l}{\pi}, \qquad R_d = \frac{p v L}{\pi} \quad (\text{where } L = l\sqrt{N}) \tag{15}$$
5.2. Handover Cost Analysis and Numerical Results. In IEEE 802.11-based FMIPv6, an MN performs L2 and L3 handover procedures. When an MN changes its current address to a new AR, the MN performs an L3 handover procedure. On the other hand, if an MN changes its current AP to another one connected to the same AR, then MN performs an L2 handover procedure. In this section, the average handover cost per MN is defined as the sum of the cost of the L3 handover and the cost of the L2 handover per unit time in order to provide results for the performance comparison. Let $A_j$ be the average handover cost per MN in unit of time, and let $I_j$ and $H_j$ be the L3 handover cost and the L2 handover cost for Scheme $j$ (= 1, 2, 3), respectively. $I_j$ and $H_j$ are defined as the sum of the signaling cost $S_j$ and the processing cost $P_j$ for the L3 and L2 handovers, respectively. Based on (15), the average handover cost per MN, $A_j$, can be calculated as follows [16], where $W_{AR}$ is the area of an AR domain:

$$A_j = \frac{R_d \cdot I_j + (N \cdot R_c - R_d) \cdot H_j}{p \cdot W_{AR}} \quad (\text{where } I_j\,(H_j) = S_j + P_j) \tag{16}$$

Figure 5: Square-shaped mobility model ($N = 4$). An L2 handover occurs between APs; L2 and L3 handovers occur between ARs.

The parameter descriptions and values for the performance comparison, referenced from [16], are defined in Table 2. Note that the values other than $p$, $v$, $l$, and $N$ are defined "relatively" for the purpose of this comparison, so the handover cost does not indicate the actual authentication delay for the corresponding scheme.

Table 2: Parameters for evaluation.

| Symbol | Description | Value |
|---|---|---|
| $p$ | Density in a cell (MNs/m²) | 0.0002 MNs/m² |
| $v$ | Average velocity of an MN (m/s) | 5 m/s (0.1∼5) |
| $l$ | Perimeter of AP's coverage (m) | 120 m |
| $N$ | Number of APs in an AR | 5 APs (1∼10) |
| $C_{enc}$, $C_{dec}$ | Encryption cost/decryption cost | 1 |
| $C_{key}$ | Key generation cost | 1 |
| $C_{int}$ | Message integrity code cost | 0.25 |
| $C_{hash}$ | Hash cost | 0.25 |
| $C_{kdf}$ | KDF cost | 0.25 |
| $C_{rand}$ | Random number generation cost | 0.25 |
| $C_{hop}$ | Transmission cost on the hop | 10 |
| $C_{pub}$ | Public key operation cost | 10 |
| $C_{wired}$ | Unit of transmission cost for a wired link | 1 |
| $C_{wireless}$ | Unit of transmission cost for a wireless link | 15 |
| $D_{AP\text{-}AAA}$ | Number of hops between AP and AAA | 10 |
| $D_{AP\text{-}AR}$ | Number of hops between AP and AR | 2 |

Using the parameters in Table 2, the L2 and L3 handover costs and the average handover cost can be calculated based on (17). The $P_{j\mathrm{MN}}$, $P_{j\mathrm{AP}}$, $P_{j\mathrm{AR0}}$, $P_{j\mathrm{AR1}}$, and $P_{j\mathrm{AAA}}$ indicate the processing costs on MN, AP, AR0, AR1, and AAA, respectively, of Scheme $j$, and each of them is also calculated from the cost of cryptographic operations such as $C_{key}$ and $C_{hash}$. Let the number of hops between any two relatively close network devices (such as MN-to-AP, AP-to-AP, and AR-to-AR) be 1. $a_{ji}$ and $b_{jk}$ are specific coefficients of Scheme $j$:

$$
\begin{aligned}
P_j &= \sum_{i \in Q} a_{ji} P_{ji}, \quad \text{where } Q = \{\mathrm{MN}, \mathrm{AP}, \mathrm{AR0}, \mathrm{AR1}, \mathrm{AAA}\} \\
S_j &= C_{hop}\,[\,C_{wireless} + C_{wired}\,(b_{j1} + b_{j2} D_{AP\text{-}AAA} + b_{j3} D_{AP\text{-}AR})\,]
\end{aligned}
\tag{17}
$$

The handover cost of each scheme evaluated according to Table 2 is shown in Figure 6. Figure 6(a) compares the L3 handover costs of the three schemes. It can be observed that the main contributor to the handover cost is the signaling cost, $S_j$, and the handover cost of the previous schemes is larger than that of the proposed scheme as a result of the difference in when the interaction between the MN and AAA is required. Figure 6(b) shows the average handover cost per MN as the average velocity of the MN increases. The density of MN, $p$, is set to 0.0002, the number of APs in an AR, $N$, is set to 5, and the velocity of an MN varies from 0.1 m/s to 5 m/s. The average handover cost for three schemes increases as the velocity increases. Figure 6(c) shows the impact the number of APs in an AR has on the average handover cost per MN. The density of MN, $p$, is set to 0.0002 and the velocity of an MN, $v$, is set to 5. The average handover cost decreases as the number of APs in an AR increases.

As we can see from Figures 6(a), 6(b), and 6(c), the proposed scheme is much more or slightly more efficient than the previous schemes. Figure 6(d) shows the impacts that the velocity of MN and the number of APs in an AR have on the average handover cost for the proposed scheme. The average handover cost increases rapidly as the velocity of MN increases. However, the average handover cost decreases gradually as the number of APs in an AR increases. Therefore, the velocity of MN rather than the number of APs in an AR is a more important factor to consider in order to achieve an efficient handover.
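
The trends reported for Figures 6(b) and 6(c) follow directly from (15) and (16), which the sketch below evaluates. It is an added example, not the authors' evaluation code. Assumptions: $W_{AR} = N (l/4)^2$, derived here from the square-shaped model (each AP cell is a square of perimeter $l$); the per-handover costs `I_COST` and `H_COST` are constructed placeholders, since the scheme coefficients $a_{ji}$ and $b_{jk}$ are not listed on this page.

```python
import math

def crossing_rates(p, v, l, n):
    """Eq. (15): R_c = p*v*l/pi for one AP, R_d = p*v*L/pi for the AR, L = l*sqrt(N)."""
    big_l = l * math.sqrt(n)
    return p * v * l / math.pi, p * v * big_l / math.pi

def ar_area(l, n):
    """W_AR in the square model: N square AP cells, each of side l/4 (assumption)."""
    return n * (l / 4.0) ** 2

def avg_handover_cost(p, v, l, n, i_cost, h_cost):
    """Eq. (16): average handover cost per MN per unit time.
    i_cost is the L3 handover cost I_j, h_cost the L2 handover cost H_j."""
    r_c, r_d = crossing_rates(p, v, l, n)
    return (r_d * i_cost + (n * r_c - r_d) * h_cost) / (p * ar_area(l, n))

def closed_form(v, l, n, i_cost, h_cost):
    """Eq. (16) after substituting (15) and W_AR: the density p cancels, leaving
    A_j = 16 v / (pi l) * [ H_j + (I_j - H_j) / sqrt(N) ]."""
    return 16.0 * v / (math.pi * l) * (h_cost + (i_cost - h_cost) / math.sqrt(n))

# Table 2 values for p and l; I_COST and H_COST are constructed placeholders.
P_DENSITY, L_AP = 0.0002, 120.0
I_COST, H_COST = 100.0, 10.0

def sweep():
    """Reproduce the two sweeps of Figures 6(b) and 6(c) for one hypothetical scheme."""
    by_v = [(v, avg_handover_cost(P_DENSITY, v, L_AP, 5, I_COST, H_COST))
            for v in (0.1, 1.0, 2.0, 3.0, 4.0, 5.0)]
    by_n = [(n, avg_handover_cost(P_DENSITY, 5.0, L_AP, n, I_COST, H_COST))
            for n in range(1, 11)]
    return by_v, by_n

if __name__ == "__main__":
    by_v, by_n = sweep()
    print("N = 5, cost vs. velocity:")
    for v, a in by_v:
        print(f"  v = {v:>3} m/s  A = {a:8.3f}")
    print("v = 5 m/s, cost vs. APs per AR:")
    for n, a in by_n:
        print(f"  N = {n:>2}      A = {a:8.3f}")
```

The closed form makes the paper's observation explicit: the cost is linear in $v$, while $N$ only shrinks the $(I_j - H_j)/\sqrt{N}$ term, so velocity dominates.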
6. Conclusions

We have designed a key management and security scheme to enhance L2/L3 handover security and to reduce the authentication delay induced by the L3 handover. The proposed scheme is based on the original IEEE 802.11-based FMIPv6, where, first, based on the security assumptions, an initial network access protocol has been proposed to bootstrap the security associations among the network entities. Second, a cross-layer key management process has been introduced to integrate the L2 key with the L3 key. Namely, the L3 key can be judiciously employed to derive the L2 key, so that the time-consuming IEEE 802.1x-EAP authentication with the AAA can be skipped. Third, a method for protecting the seven L3 signaling messages has been proposed, as well as a scheme to securely transport the L3 key to the target AR. In particular, the case of a compromised L3 key has been considered, for which, even though the L3 key at the subnet of the current AR is compromised, an adversary with the compromised L3 key cannot perform any kind of redirection attack. In other words, a domino effect can be suppressed. FMIPv6 over IEEE 802.11 is followed by the MIPv6 BU (Binding Update) protocol, which involves an interaction with the AAA of the MSP. In the integrated scenario of MIPv6 bootstrapping, the MSP plays the role of the NSP, while the MSP and NSP are two distinct service providers in the split scenario. As a follow-up to the current research, the AAA issues for security and billing will be investigated further, considering both the split and integrated scenarios for MIPv6 bootstrapping.
Figure 6: Numerical results for Scheme 1 [8, 9], Scheme 2 [10], and Scheme 3 [proposed]: (a) L3 handover cost per entity (MN, AP, AR0, AR1, AAA) and $P_j$, $S_j$; (b) average handover cost versus velocity of MN (m/s) ($N = 5$); (c) average handover cost versus number of APs in an AR ($N$) ($v = 5$); (d) average handover cost of proposed scheme versus number of APs in an AR ($N$).
Notations
$MAC(K)$: Message authentication code computed over all preceding message fields using a symmetric key $K$
$[m]_K$: Encryption of $m$ using symmetric key $K$
$kdf(\cdot)$: Key derivation function
$R_X$: Random number generated by $X$ ($X$ = MN, 0 for AR$_0$, 1 for AR$_1$)
Nonce: Nonce parameter
$h(\cdot)$: One-way hash function
$h_{64}(\cdot)$: 64-bit truncation from the output of $h(\cdot)$
$K_i$: L3 key shared between MN and AR$_i$
$PMK_i$: L2 key shared between MN and AP$_i$
$PK_X$, $SK_X$: A pair of public and private keys of $X$ used for the signature
$ePK_X$, $eSK_X$: A pair of public and private keys of $X$ used for the encryption
$Sig(SK_X)$: A digital signature based on the signing private key $SK_X$ covering all preceding message fields
$[m]_{ePK_X}$: Encryption of $m$ with the public key $ePK_X$ of $X$ ($X$ = MN, 0 for AR$_0$, 1 for AR$_1$)
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This research was supported by the Employment Contract based Master Degree Program for Information Security supervised by the KISA (Korea Internet Security Agency) and also supported by the MSIP (Ministry of Science, ICT and Future Planning), Republic of Korea, under the CPRC (Communications Policy Research Center) Support Program supervised by the KCA (Korea Communications Agency) (KCA-2013-003).
References
[1] R. Koodli, "Mobile IPv6 fast handovers," RFC 5268, 2008.
[2] C. Perkins, D. Johnson, and J. Arkko, "Mobility support in IPv6," RFC 6725, 2011.
[3] IEEE 802.11, Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, IEEE Standard, 2012.
[4] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, and H. Levkowetz, "Extensible authentication protocol (EAP)," RFC 3748, 2004.
[5] P. McCann, "Mobile IPv6 fast handovers for 802.11 networks," RFC 4260, 2005.
[6] Y. Song, M. Liu, Z. Li, and Q. Li, "Handover latency of predictive FMIPv6 in IEEE 802.11 WLANs: a cross layer perspective," in Proceedings of the 18th International Conference on Computer Communications and Networks (ICCCN '09), pp. 1–6, San Francisco, Calif, USA, August 2009.
[7] M. Alnas, I. Awan, and R. D. W. Holton, "Performance evaluation of fast handover in mobile IPv6 based on link-layer information," Journal of Systems and Software, vol. 83, no. 10, pp. 1644–1650, 2010.
[8] J. Kempf and R. Koodli, "Distributing a symmetric fast mobile IPv6 handover key using secure neighbor discovery," RFC 5269, 2008.
[9] C.-S. Park, "Security-enhanced fast mobile IPv6 handover," IEICE Transactions on Communications, vol. E93-B, no. 1, pp. 178–181, 2010.
[10] J. Choi and S. Jung, "An integrated handover authentication for FMIPv6 over heterogeneous access link technologies," Wireless Personal Communications, vol. 71, no. 2, pp. 839–856, 2013.
[11] L. Xu, Y. He, X. Chen, and X. Huang, "Ticket-based handoff authentication for wireless mesh networks," Computer Networks, vol. 73, pp. 185–194, 2014.
[12] R. Singh and T. P. Sharma, "A key hiding communication scheme for enhancing the wireless LAN security," Wireless Personal Communications, vol. 77, no. 2, pp. 1145–1165, 2014.
[13] X. Li, F. Bao, S. Li, and J. Ma, "FLAP: An efficient WLAN initial access authentication protocol," IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 488–497, 2014.
[14] I. You, K. Sakurai, and Y. Hori, "A security analysis on Kempf-Koodli's security scheme for fast Mobile IPv6," IEICE Transactions on Communications, vol. 92, no. 6, pp. 2287–2290, 2009.
[15] K. Chowdhury and A. Yegin, "Mobile IPv6 (MIPv6) bootstrapping for the integrated scenario," RFC 6621, 2012.
[16] G. Li, J. Ma, Q. Jiang, and X. Chen, "A novel re-authentication scheme based on tickets in wireless local area networks," Journal of Parallel and Distributed Computing, vol. 71, no. 7, pp. 906–914, 2011.
[Figure 2: Proposed initial network access protocol. Entities: MN, AP_0, AR_0, AAA. L2 connection: ❶ association with AP_0; ❷ 802.1x-EAP authentication with AAA; ❸ L2 key (PMK_0) distribution; ❹ 4-way handshake with AP_0. L3 configuration between MN and AR_0: RtSol, RtAdv, and Conf messages, each carrying MAC(IK). Results: (i) ePK_AR0 is passed to MN; (ii) MSK_0 is shared between MN and AAA; (iii) IK and K_0 are shared between MN and AR_0.]
[Figure 3: Proposed secure handover protocol. Entities: MN, AP_0 and AR_0 (Subnet_0), AP_1 and AR_1 (Subnet_1). Messages: MN → AR_0 RtSolPr; MN ← AR_0 PrRtAdv; MN → AR_0 FBU; AR_0 → AR_1 HI; AR_0 ← AR_1 Hack; MN ← AR_0 FBack; MN → AR_1 UNA. L2 steps: ❶ reassociation with AP_1; ❷ 4-way handshake with AP_1. Annotations: K_1 is shared between MN and AR_1; L2 key distribution (PMK_1); disconnected from AP_0; connected to AP_1; (L3) request to tunnel; (L3) tunnel establishment; (L2) association/authentication; (L3) request to forward.]
to AR$_0$ (Figure 3). Since $K_1$ is to be shared with AR$_1$, it is first encrypted with the public key of AR$_1$, $ePK_{AR_1}$, and subsequently encrypted with the public key of AR$_0$, $ePK_{AR_0}$. When receiving the FBU message, AR$_0$ first obtains $r_0$, $[CoA_1, K_1]_{ePK_{AR_1}}$ after decryption in order to check if $h_{64}(r_0)$ is equal to $IID_0$ of $CoA_0$. If not, the message is proven not to have been sent from the MN whose IPv6 address is $CoA_0$, and the handover protocol is aborted. Otherwise, the L3 key $K_0$ is eventually passed to the target AR$_1$ for the purpose of sharing it with the MN at subnet$_1$. A reason to encrypt $K_1$ twice is to defend against an L3 key compromise attack, which will be discussed further in Section 4.3. Consider

(A secure channel between AR$_0$ and AR$_1$)
AR$_0$ $\rightarrow$ AR$_1$: $HI,\ CoA_0,\ CoA_1,\ [CoA_1, K_1]_{ePK_{AR_1}}$
AR$_0$ $\leftarrow$ AR$_1$: $Hack$
MN $\leftarrow$ AR$_0$: $FBack,\ MAC(K_0)$
MN $\rightarrow$ AR$_1$: $UNA,\ MAC(K_1)$  (7)

The target router AR$_1$ obtains $K_1$ through the HI message after decryption, and $K_1$ will be used to derive the L2 key $PMK_1 = kdf(K_1, MN, AP_1)$ and to secure the future L3 handover. AR$_1$ pushes $PMK_1$ into AP$_1$.

After reassociating with AP$_1$ (❶ in Figure 3), the MN performs a 4-way handshake (❷ in Figure 3) based on $PMK_1$ without IEEE 802.1x-EAP authentication with the AAA. Subsequently, the MN sends a UNA message to request AR$_1$ to deliver the buffered packets forwarded from AR$_0$ (Figure 3). $(CoA_1, K_1)$ is finally stored into the neighbor cache of AR$_1$.
4. Security Analysis and Comparisons

4.1. Comparison of Key Management Schemes. In this section, three key management schemes are compared: security-enhanced IEEE 802.11-based FMIPv6 [8, 9], Integrated Scheme [10], and our proposed scheme, which are denoted as Schemes 1, 2, and 3, respectively. In the case of Scheme 1, the security mechanisms [8, 9] to secure the L3 signaling messages are added to the original IEEE 802.11-based FMIPv6 [5]. However, there is no key management, in that both L3 and L2 keys are separately generated and maintained, meaning that IEEE 802.1x-EAP authentication (Figure 4(a)) should be performed on each L3 handover. A method to integrate the L3 key with the L2 key has been proposed in Scheme 2. Before the MN moves to a new AP attached to the target subnet AR$_1$, it requests the AAA to transport a new L3 key ($K_1$) to AR$_1$, and then a new L2 key ($PMK_1$) derived from it is pushed into AP$_1$ (Figure 4(b)). But the interaction with the AAA cannot be skipped either during the L3 handover. On the other hand, in the proposed scheme (Scheme 3) of Figure 4(c), IEEE 802.1x-EAP authentication is performed only once during the initial network access in Figure 1. During a handover from AR$_0$ to AR$_1$, a new L3 key is sent to AR$_1$ via AR$_0$. Therefore, both the MN and AR$_1$ share $K_1$, which can be used to secure L3 signaling messages and to derive a new L2 key ($PMK_1$) in the target subnet. Since $K_1$ is proactively distributed to AR$_1$ before the MN moves from AR$_0$ to AR$_1$, the MN can perform a 4-way handshake immediately after reassociating with AP$_1$ (Figure 4(c)).

[Figure 4: Comparison of key management schemes. (a) Scheme 1; (b) Scheme 2; (c) Scheme 3. Entities shown: MN, AP_0, AP_1, AR_0, AR_1, and (in (a) and (b)) AAA, with the keys K_1 and PMK_1.]
4.2. Replay and Redirection Attacks. In order to guarantee the freshness of FMIPv6 signaling messages, to be precise, to protect from a replay attack, challenge-response authentication based on the random numbers ($R_{MN}$ and $R_0$) is employed for our proposed scheme. A scenario to which the replay attack is applied is as follows: the MN is attached again to AR$_0$ at handover session $i$, while it has been attached to the same AR$_0$ at handover session $j$ ($i > j$). Suppose the MN has moved to AR$_1$ during the handover session $j$ and plans now to move to AR$_2$ during the handover session $i$. In this case, an adversary can try to replay the FMIPv6 signaling messages used during the handover session $j$ to redirect the traffic for the MN. However, the replay attack is not successful due to both nonce values and the L3 key, which is unique for each handover session.
4.3. Compromised L3 Key and Session Hijacking Attack. A case of the L3 key compromise is considered in this section. We show that our proposed scheme is secure against a session hijacking attack through redirection even though the current L3 key, $K_0$ of (5) and (6), is exposed to an adversary. To protect the FBU message in Section 3.3, our proposed security scheme employs two public-key encryptions with $ePK_{AR_0}$ and $ePK_{AR_1}$, as in (5) and (6).

The MN obtains the public key of AR$_0$ ($ePK_{AR_0}$) as a result of an initial network access or a previous L3 handover, while the public key of AR$_1$ ($ePK_{AR_1}$) is passed to the MN by AR$_0$.
4.3.1. Session Hijacking by Redirection Attack. Suppose an adversary $A_{(MN)}$ disguising a victim MN knows the current L3 key $K_0$ and starts an L3 handover as follows:

$A_{(MN)} \rightarrow$ AR$_0$: $RtSolPr,\ R^{*}_{MN},\ MAC(K_0)$  (11′)
$A_{(MN)} \leftarrow$ AR$_0$: $PrRtAdv,\ R^{*}_{MN},\ R_0,\ Prefix_1,\ ePK_{AR_1},\ MAC(K_0)$  (12′)
$A_{(MN)} \rightarrow$ AR$_0$: $FBU,\ R_0,\ CoA^{*}_1,\ [r^{*}_0, [CoA^{*}_1, K_1]_{ePK_{AR_1}}]_{ePK_{AR_0}},\ MAC(K_0)$  (13′)

$R^{*}_{MN}$, $CoA^{*}_1$, and $r^{*}_0$ are generated by $A_{(MN)}$, which tries to hijack the current traffic for the MN ($CoA_0$) and forward it to $A_{(MN)}$ ($CoA^{*}_1$). When receiving the FBU message, AR$_0$ obtains $r^{*}_0$ after decryption and verifies if $IID_0$ of the source IPv6 address ($CoA_0$) is identical to $h_{64}(r^{*}_0)$. If the verification is not successful, the protocol stops. Since $h_{64}(\cdot)$ is based on a one-way hash function and the $r_0$ used to derive $IID_0$ is known only to the MN, all the adversary can do is attempt to guess $r_0$ (the probability of $r_0 = r^{*}_0$ is $2^{-64}$). Since $CoA_0$ is valid only on subnet$_0$ and keeps changing as the MN moves, the probability is negligible enough to defend against such an attack.
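The acceptance decision AR$_0$ makes on an FBU, and the later $PMK_1 = kdf(K_1, MN, AP_1)$ derivation from Section 3.3, can be exercised as follows. This is an added example, not code from the paper: SHA-256 for $h$, HMAC-SHA256 for $MAC$ and $kdf$, the field layout, and all keys, nonces, and addresses are assumptions constructed here, and the two public-key layers are not modelled (the FBU is shown as AR$_0$ holds it after removing the $ePK_{AR_0}$ layer).

```python
import hashlib
import hmac
import ipaddress

IID_MASK = (1 << 64) - 1

def h64(r: bytes) -> int:
    """h64(.): first 64 bits of a one-way hash (SHA-256 is an assumption)."""
    return int.from_bytes(hashlib.sha256(r).digest()[:8], "big")

def make_coa(prefix: str, r: bytes) -> ipaddress.IPv6Address:
    """CoA = Prefix || h64(r): the interface ID commits to the secret r."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | h64(r))

def mac(key: bytes, *fields: bytes) -> bytes:
    """MAC(K) over the preceding fields. HMAC-SHA256 with length-prefixed
    fields is an assumption; the paper does not name the algorithm."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        m.update(len(f).to_bytes(2, "big") + f)
    return m.digest()

def kdf(k1: bytes, mn_id: bytes, ap_id: bytes) -> bytes:
    """PMK_1 = kdf(K_1, MN, AP_1), with HMAC-SHA256 standing in for kdf."""
    return mac(k1, b"PMK", mn_id, ap_id)

def build_fbu(k0, nonce_r0, coa1, r, inner):
    """FBU as AR_0 holds it after removing the ePK_AR0 layer (hypothetical
    layout): R_0, CoA_1, r, the blob still encrypted for AR_1, MAC(K_0)."""
    return {"R0": nonce_r0, "CoA1": coa1, "r": r, "inner": inner,
            "mac": mac(k0, nonce_r0, coa1.packed, r, inner)}

def ar0_check_fbu(k0, issued_r0, src_coa0, fbu) -> str:
    """AR_0's decision for an FBU whose source address is CoA_0."""
    # Freshness: R_0 must be the challenge AR_0 issued in this session.
    if not hmac.compare_digest(fbu["R0"], issued_r0):
        return "reject: stale nonce"
    # Integrity under K_0. This alone fails once K_0 is compromised.
    expected = mac(k0, fbu["R0"], fbu["CoA1"].packed, fbu["r"], fbu["inner"])
    if not hmac.compare_digest(fbu["mac"], expected):
        return "reject: bad MAC"
    # Address ownership: h64(r) must equal IID_0 of the source CoA_0.
    if h64(fbu["r"]) != int(src_coa0) & IID_MASK:
        return "reject: IID mismatch"
    return "accept"

def demo() -> dict:
    # Every value below is constructed for this example.
    k0 = hashlib.sha256(b"constructed L3 key K0").digest()
    k1 = hashlib.sha256(b"constructed L3 key K1").digest()
    r0 = hashlib.sha256(b"constructed secret r0").digest()[:16]
    r_star = hashlib.sha256(b"adversary guess").digest()[:16]
    coa0 = make_coa("2001:db8:0:a::/64", r0)            # victim on subnet_0
    coa1 = ipaddress.IPv6Address("2001:db8:0:b::1234")  # victim's next CoA
    coa_star = ipaddress.IPv6Address("2001:db8:0:b::bad")
    inner = b"[CoA1,K1] under ePK_AR1 (opaque to AR0)"
    nonce_i, nonce_j = b"R0 of session i", b"R0 of session j"

    legit = build_fbu(k0, nonce_i, coa1, r0, inner)
    # Adversary holds K_0, so the MAC verifies, but it cannot produce r0.
    forged = build_fbu(k0, nonce_i, coa_star, r_star, inner)
    # FBU recorded in session j and replayed in session i.
    replayed = build_fbu(k0, nonce_j, coa1, r0, inner)
    # On-path edit of CoA_1 by a party without K_0.
    tampered = dict(legit, CoA1=coa_star)

    check = lambda fbu: ar0_check_fbu(k0, nonce_i, coa0, fbu)
    return {
        "legitimate": check(legit),
        "forged_with_k0": check(forged),
        "replayed": check(replayed),
        "tampered": check(tampered),
        # MN and AR_1 derive the same PMK_1 with no AAA round trip.
        "pmk_match": kdf(k1, b"MN-id", b"AP1-id") == kdf(k1, b"MN-id", b"AP1-id"),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} {outcome}")
```

The forged case is the one Section 4.3.1 describes: possession of $K_0$ yields a valid MAC, and the request is still refused because $h_{64}(r^{*}_0) \neq IID_0$.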
4.3.2. Session Hijacking by Man-in-the-Middle Attack. Suppose an adversary $A_{(MN)}$ knows the current L3 key $K_0$, and the victim MN starts an L3 handover to request AR$_0$ to forward its traffic to $CoA_1$. To see why the public-key encryption with $ePK_{AR_0}$ is required, (6) is modified into (13″):

MN $\rightarrow$ AR$_0$: $FBU,\ R_0,\ CoA_1,\ r_0,\ [CoA_1, K_1]_{ePK_{AR_1}},\ MAC(K_0)$  (13″)

Then the adversary can mount a man-in-the-middle attack as follows:

MN $\rightarrow$ AR$_0$: $RtSolPr,\ R_{MN},\ MAC(K_0)$  (8)
$A_{(MN)} \leftarrow$ AR$_0$: $PrRtAdv,\ R_{MN},\ R_0,\ Prefix_1,\ ePK_{AR_1},\ MAC(K_0)$  (9)
MN $\leftarrow A_{(MN)}$: $PrRtAdv,\ R_{MN},\ R_0,\ Prefix_1,\ ePK^{*}_{AR_1},\ MAC(K_0)$  (10)
MN $\rightarrow A_{(MN)}$: $FBU,\ R_0,\ CoA_1,\ r_0,\ [CoA_1, K_1]_{ePK^{*}_{AR_1}},\ MAC(K_0)$  (11)
$A_{(MN)} \rightarrow$ AR$_0$: $FBU,\ R_0,\ CoA^{*}_1,\ r_0,\ [CoA^{*}_1, K_1]_{ePK_{AR_1}},\ MAC(K_0)$  (12)

Namely, $A_{(MN)}$, observing between the MN and AR$_0$, modifies $ePK_{AR_1}$ of (9) into $ePK^{*}_{AR_1}$ of (10) generated by $A_{(MN)}$, so that $A_{(MN)}$ can obtain a new L3 key $K_1$ and hijack the traffic for $CoA_1$ for the purpose of forwarding it to $CoA^{*}_1$. Eventually, the connection with AR$_1$ is turned over to $A_{(MN)}$. On the other hand, if (6) is used instead of (13′), (11) and (12) are changed into (19′) and (20′), respectively:

MN $\rightarrow A_{(MN)}$: $FBU,\ R_0,\ CoA_1,\ [r_0, [CoA_1, K_1]_{ePK^{*}_{AR_1}}]_{ePK_{AR_0}},\ MAC(K_0)$  (19′)
$A_{(MN)} \rightarrow$ AR$_0$: $FBU,\ R_0,\ CoA_1,\ [r_0, [CoA_1, K_1]_{ePK^{*}_{AR_1}}]_{ePK_{AR_0}},\ MAC(K_0)$  (20′)

When intercepting (19′), $A_{(MN)}$ cannot modify $CoA_1$ or obtain $K_1$ since they are encrypted with $ePK_{AR_0}$. Therefore, when receiving $[CoA_1, K_1]_{ePK^{*}_{AR_1}}$ through the $HI$ message, AR$_1$ aborts the current protocol since it cannot be decrypted with $ePK_{AR_1}$. Therefore, a compromise of the current L3 key does not induce that of the future L3 key.
4.4. Security Comparisons. Table 1 shows security comparisons (Schemes 1, 2, and 3), including the key management comparisons discussed in Section 4.1. It has been shown that our proposed scheme is secure against the session hijacking attack in case of the L3 key compromise. Scheme 1 is also secure since the L3 key is always generated and shared as a result of the 802.1x-EAP protocol. However, Scheme 2 ((2) in Section 2.3) is not secure when the L3 key is compromised. Suppose $K_0$ is exposed to an adversary $A_{(MN)}$ and (13) can be observed from the previous handover session:

(previous handover session with L3 key $K_X$)
MN $\rightarrow$ AR$_0$: $[K_0]_{MSK},\ R_{MN},\ MAC(MSK),\ MAC(K_X)$  (13)

(current handover session with L3 key $K_0$ (compromised))
$A_{(MN)} \rightarrow$ AR$_0$: $[K_0]_{MSK},\ R_{MN},\ MAC(MSK),\ MAC(K_0)$  (14)

In this case, if the adversary replays a part of (13) as in (14) with the compromised L3 key $K_0$, then the adversary can share the same L3 key with a new AR so that the adversary can hijack the current session.
4.5. AAA Issues for Security and Billing. FMIPv6 can support handover across different administrative domains. As mentioned before, if the two ARs belong to two different administrative domains, there should be a prior roaming agreement between them for security and billing. Typically, the accounting data (information about the MN's resource consumption) collected by the network devices in the visiting domain is carried by the accounting protocol to the home domain. FMIPv6 over IEEE 802.11 is followed by the MIPv6 BU (Binding Update) protocol, whose role is to inform the MN's HA (Home Agent) of the current AR. There are two service providers, Network Access Service Provider (NSP) and Mobility Service Provider (MSP), in the MIPv6 bootstrapping environment [15]. The IEEE 802.11-based FMIPv6 service can be provided by the NSP offering a basic network access service to the MN, while the MIPv6 BU service is provided by the MSP. So, when the MIPv6 BU protocol is initiated, the MSP's authorizer (AAA) will interact with the MN and AR, which is beyond the scope of this paper.
5. Performance Analysis and Comparison

In this section, the three handover latencies from the previous schemes (Schemes 1 and 2) and from the proposed scheme (Scheme 3) are compared. We first describe the analytical mobility model for the performance evaluation, and then we analyze and compare the handover costs and the numeric results of the analysis.

Table 1: Security comparisons.

| | Scheme 1 [8] | Scheme 1 [9] | Scheme 2 [10] | Scheme 3 [proposed one] |
|---|---|---|---|---|
| L3/L2 key management | None | None | Yes | Yes |
| Interaction with AAA | Required | Required | Required | Not required |
| L3 key generation | by AR | by MN | by MN | by MN |
| L2 key generation | 802.1x-EAP | 802.1x-EAP | from L3 key | from L3 key |
| Protection for UNA | None | Provided | Provided | Provided |
| Security attack due to L3 key compromise | Secure | Secure | Insecure | Secure |
5.1. Analytical Mobility Model. For the sake of simplicity, a square-shaped network model is used to analyze and compare the performance of the protocol under the three different schemes. In the square-shaped network model, coverage of the entire administrative domain and that of each AP are all square-shaped, and $N$ APs are uniformly distributed over the area of the administrative FMIPv6 domain. Figure 5 shows the square-shaped mobility model, where the bold lines indicate the boundary of the subnet consisting of 4 APs (AP$_{01}$, AP$_{02}$, AP$_{03}$, and AP$_{04}$) connected to AR$_0$.

The handover procedure is performed by the MN between ARs and APs. Hence, the handover rate is closely related to the mobility pattern of the MN. The Fluid Flow (FF) model is widely used to analyze issues related to cell boundary crossing, such as a handover [16]. The FF model is suitable for MNs with a static speed and direction of motion. We adapt the FF model for use as the mobility model. Let $l$ and $L$ denote the perimeter of each AP and AR, while $v$ and $p$, respectively, denote the average velocity and density of MN. The MNs are uniformly distributed with a density $p$, and they move at an average velocity of $v$ in directions that are uniformly distributed over $[0, 2\pi]$. In the next analysis, $v$ is varied from 0.1 m/s to 5 m/s and $p$ is set to 0.0002 MNs/m² (200 MNs per km²). Let $R_c$ and $R_d$ be the crossing rates over the coverage of each AP and AR, respectively. They are then defined as follows:

$$R_c = \frac{p v l}{\pi}, \qquad R_d = \frac{p v L}{\pi} \quad (\text{where } L = l\sqrt{N}) \tag{15}$$
5.2. Handover Cost Analysis and Numerical Results. In IEEE 802.11-based FMIPv6, an MN performs L2 and L3 handover procedures. When an MN changes its current address to a new AR, the MN performs an L3 handover procedure. On the other hand, if an MN changes its current AP to another one connected to the same AR, then the MN performs an L2 handover procedure. In this section, the average handover cost per MN is defined as the sum of the cost of the L3 handover and the cost of the L2 handover per unit time in order to provide results for the performance comparison. Let $A_j$ be the average handover cost per MN in unit of time, and $I_j$ and $H_j$ are the L3 handover cost and the L2 handover cost for Scheme $j$ (= 1, 2, 3), respectively. $I_j$ and $H_j$ are defined as the sum of the signaling cost $S_j$ and the processing cost $P_j$ for the L3 and L2 handovers, respectively. Based on (15), the average handover cost per MN, $A_j$, can be calculated as follows [16], where $W_{AR}$ is the area of an AR domain:

$$A_j = \frac{R_d \cdot I_j + (N \cdot R_c - R_d) \cdot H_j}{p \cdot W_{AR}} \quad (\text{where } I_j\,(H_j) = S_j + P_j) \tag{16}$$

[Figure 5: Square-shaped mobility model ($N$ = 4). AR$_0$ with AP$_{01}$, AP$_{02}$, AP$_{03}$, and AP$_{04}$; legend: APs (L2 handover occurs), ARs (L2, L3 handover occurs).]
The parameter descriptions and values for the performance comparison, referenced from [16], are defined in Table 2. Note that the values other than $p$, $v$, $l$, and $N$ are defined "relatively" for the purpose of this comparison, so the handover cost does not indicate the actual authentication delay for the corresponding scheme.
Using the parameters in Table 2, the L2 and L3 handover costs and the average handover cost can be calculated based on (17). The $P_{j,MN}$, $P_{j,AP}$, $P_{j,AR_0}$, $P_{j,AR_1}$, and $P_{j,AAA}$ indicate the processing costs on MN, AP, AR$_0$, AR$_1$, and AAA, respectively, of Scheme $j$, and each of them is also calculated from the cost of cryptographic operations such as $C_{key}$ and $C_{hash}$. Let the number of hops between any two relatively close network devices (such as MN-to-AP, AP-to-AP, and AR-to-AR) be 1. $a_{ji}$ and $b_{jk}$ are specific coefficients of Scheme $j$:

$$P_j = \sum_{i \in Q} a_{ji} P_{ji}, \quad \text{where } Q = \{MN, AP, AR_0, AR_1, AAA\}$$

$$S_j = C_{hop}\left[C_{wireless} + C_{wired}\left(b_{j1} + b_{j2} D_{AP\text{-}AAA} + b_{j3} D_{AP\text{-}AR}\right)\right] \tag{17}$$

Table 2: Parameters for evaluation.

| Symbol | Description | Value |
|---|---|---|
| $p$ | Density in a cell (MNs/m²) | 0.0002 MNs/m² |
| $v$ | Average velocity of an MN (m/s) | 5 m/s (0.1∼5) |
| $l$ | Perimeter of AP's coverage (m) | 120 m |
| $N$ | Number of APs in an AR | 5 APs (1∼10) |
| $C_{enc}$, $C_{dec}$ | Encryption cost/decryption cost | 1 |
| $C_{key}$ | Key generation cost | 1 |
| $C_{int}$ | Message integrity code cost | 0.25 |
| $C_{hash}$ | Hash cost | 0.25 |
| $C_{kdf}$ | KDF cost | 0.25 |
| $C_{rand}$ | Random number generation cost | 0.25 |
| $C_{hop}$ | Transmission cost on the hop | 10 |
| $C_{pub}$ | Public key operation cost | 10 |
| $C_{wired}$ | Unit of transmission cost for a wired link | 1 |
| $C_{wireless}$ | Unit of transmission cost for a wireless link | 15 |
| $D_{AP\text{-}AAA}$ | Number of hops between AP and AAA | 10 |
| $D_{AP\text{-}AR}$ | Number of hops between AP and AR | 2 |
The handover cost of each scheme evaluated according to Table 2 is shown in Figure 6. Figure 6(a) compares the L3 handover costs of the three schemes. It can be observed that the main contributor to the handover cost is the signaling cost $S_j$, and the handover cost of the previous schemes is larger than that of the proposed scheme as a result of the difference in when the interaction between the MN and AAA is required. Figure 6(b) shows the average handover cost per MN as the average velocity of the MN increases. The density of MN, $p$, is set to 0.0002, the number of APs in an AR, $N$, is set to 5, and the velocity of an MN varies from 0.1 m/s to 5 m/s. The average handover cost for the three schemes increases as the velocity increases. Figure 6(c) shows the impact the number of APs in an AR has on the average handover cost per MN. The density of MN, $p$, is set to 0.0002, and the velocity of an MN, $v$, is set to 5. The average handover cost decreases as the number of APs in an AR increases.
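The cost model of (15), (16), and (17) can be evaluated directly to see where the trends in Figures 6(b) and 6(c) come from. This is an added example, not the authors' evaluation code: $p$, $l$, and the ranges of $v$ and $N$ follow Table 2, while the unit costs, the coefficients $b_{jk}$, and the processing and L2 costs are constructed for illustration, and $W_{AR}$ is assumed to be the area of a square whose perimeter is $L$.

```python
import math

def crossing_rates(p, v, l, n):
    """Eq. (15): boundary-crossing rates R_c (AP cell) and R_d (AR subnet)."""
    big_l = l * math.sqrt(n)                      # L = l * sqrt(N)
    return p * v * l / math.pi, p * v * big_l / math.pi

def signaling_cost(b, c_hop, c_wireless, c_wired, d_ap_aaa, d_ap_ar):
    """Eq. (17): S_j = C_hop [C_wireless + C_wired (b1 + b2 D_AP-AAA + b3 D_AP-AR)]."""
    b1, b2, b3 = b
    return c_hop * (c_wireless + c_wired * (b1 + b2 * d_ap_aaa + b3 * d_ap_ar))

def average_cost(i_j, h_j, p, v, l, n):
    """Eq. (16): average handover cost per MN per unit time.
    Assumption: the AR domain is a square of perimeter L, so W_AR = (L/4)^2."""
    r_c, r_d = crossing_rates(p, v, l, n)
    w_ar = (l * math.sqrt(n) / 4) ** 2
    return (r_d * i_j + (n * r_c - r_d) * h_j) / (p * w_ar)

def closed_form(i_j, h_j, v, l, n):
    """Eq. (16) simplified under the same assumption:
    A_j = 16 v / (pi l) * (H_j + (I_j - H_j) / sqrt(N)).
    The density p cancels, the cost is linear in v, and a larger N shifts
    weight from the L3 cost I_j to the cheaper L2 cost H_j."""
    return 16 * v / (math.pi * l) * (h_j + (i_j - h_j) / math.sqrt(n))

def sweep(i_j, h_j, p=0.0002, l=120.0):
    """Reproduce the two sweeps of Figures 6(b) and 6(c) for one scheme."""
    by_v = [(v, average_cost(i_j, h_j, p, v, l, 5)) for v in (0.1, 1, 2, 3, 4, 5)]
    by_n = [(n, average_cost(i_j, h_j, p, 5, l, n)) for n in range(1, 11)]
    return by_v, by_n

# Constructed unit costs and coefficients (not the values of Table 2).
UNIT = dict(c_hop=1, c_wireless=2, c_wired=1, d_ap_aaa=10, d_ap_ar=2)
S_WITH_AAA = signaling_cost((1, 2, 1), **UNIT)     # two traversals to the AAA
S_WITHOUT_AAA = signaling_cost((1, 0, 1), **UNIT)  # AAA skipped (b2 = 0)
P_L3 = 3                                           # constructed processing cost
H_L2 = 4                                           # constructed L2 handover cost
I_WITH_AAA = S_WITH_AAA + P_L3                     # I_j = S_j + P_j
I_WITHOUT_AAA = S_WITHOUT_AAA + P_L3

if __name__ == "__main__":
    for label, i_j in (("with AAA", I_WITH_AAA), ("without AAA", I_WITHOUT_AAA)):
        by_v, by_n = sweep(i_j, H_L2)
        print(label, "I_j =", i_j)
        print("  v sweep:", [round(c, 3) for _, c in by_v])
        print("  N sweep:", [round(c, 3) for _, c in by_n])
```

With these constructed inputs the AAA term $b_{j2} D_{AP\text{-}AAA}$ accounts for most of $S_j$, which is the effect the text attributes to Figure 6(a).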
As we can see from Figures 6(a) 6(b) and 6(c) theproposed scheme is much more or slightly efficient than theprevious schemes Figure 6(d) shows the impacts that thevelocity of MN and the number of APs in an AR have onthe average handover cost for the proposed scheme Theaverage handover cost increases rapidly as the velocity of
MN increases However the average handover cost decreasesgradually as the number of APs in anAR increasesThereforethe velocity of MN rather than the number of APs in an ARis a more important factor to consider in order to achieve anefficient handover
6 Conclusions
We have designed a key management and security scheme toenhance L2L3 handover security and to reduce the authen-tication delay induced by the L3 handover The proposedscheme is based on the original IEEE 80211-based FMIPv6where first based on the security assumptions an initialnetwork access protocol has been proposed to bootstrap thesecurity associations among the network entities Second across-layer key management process has been introduced tointegrate the L2 key with the L3 key Namely the L3 key canbe judiciously employed to derive the L2 key so that the time-consuming IEEE 8021x-EAP authentication with the AAAcan be skipped Third a method for protecting the seven L3signaling messages has been proposed as well as a scheme tosecurely transport the L3 key to the target AR In particularthe case of a compromised L3 key has been considered forwhich even though the L3 key at the subnet of the currentAR is compromised an adversary with the compromisedL3 key cannot perform any kind of redirection attack Inother words a domino effect can be suppressed FMIPv6 overIEEE 80211 is followed by the MIPv6 BU (Binding Update)protocol which involves an interaction with the AAA of theMSP In the integrated scenario of MIPv6 bootstrapping theMSPplays the role of theNSP while theMSP andNSP are twodistinct service providers in the split scenario As a follow-up to the current research the AAA issues for security andbilling will be more investigated considering both the splitand integrated scenarios for MIPv6 bootstrapping
10 Mobile Information Systems
0
500
1000
1500H
ando
ver c
ost
Scheme 1 [8 9]Scheme 2 [10]
Scheme 3 [proposed]
MN AP AAAEntities
AR0 AR1 Pj Sj
(a) L3 handover cost
0
50
100
150
200
05 1 15 2 25 3 35 4 45 5
Aver
age h
ando
ver c
ost
Velocity of MN (ms)
Scheme 1 [8 9]Scheme 2 [10]
Scheme 3 [proposed]
(b) Average handover cost (119873 = 5)
0
50
100
150
200
250
300
350
1 2 3 4 5 6 7 8 9 10
Aver
age h
ando
ver c
ost
Number of APs in an AR (N)Scheme 1 [8 9]Scheme 2 [10]
Scheme 3 [proposed]
(c) Average handover cost (V = 5)
hand
over
cost
= 1
= 4
= 7 = 10
050
100150200
12345678910
Aver
age
Number of APs in an AR (N)0ndash5050ndash100(d) Average handover cost of proposed scheme
Figure 6 Numerical Results
Notations
119872119860119862(119870) Message authentication code computedover all preceding message fields using asymmetric key 119870
[119898]119870 Encryption of119898 using symmetric key119870
119896119889119891(sdot) Key derivation function119877119883 Random number generated by119883 (119883 =
MN 0 for AR0 1 for AR
1)
Nonce Nonce parameterℎ(sdot) One-way hash functionℎ64(sdot) 64-bit truncation from the output of ℎ(sdot)
119870119894 L3 key shared between MN and AR
119894
119875119872119870119894 L2 key shared between MN and AP
119894
119875119870119883 119878119870119883 A pair of public and private keys of119883 used
for the signature119890119875119870119883 119890119878119870119883 A pair of public and private keys of119883 usedfor the encryption
119878119894119892(119878119870119883) A digital signature based on the signingprivate key 119878119870
119883covering all preceding
message fields[119898]119890119875119870
119883 Encryption of119898 with the public key 119890119875119870
119883
of119883 (119883 = MN 0 for AR0 1 for AR
1)
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This research was supported by the Employment Contractbased Master Degree Program for Information Securitysupervised by the KISA (Korea Internet Security Agency)and also supported by the MSIP (Ministry of Science ICT
Mobile Information Systems 11
and Future Planning) Republic of Korea under the CPRC(Communications Policy Research Center) Support Programsupervised by the KCA (Korea Communications Agency)(KCA-2013-003)
References
[1] R. Koodli, “Mobile IPv6 fast handovers,” RFC 5268, 2008.
[2] C. Perkins, D. Johnson, and J. Arkko, “Mobility support in IPv6,” RFC 6725, 2011.
[3] IEEE 802.11, Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, IEEE Standard, 2012.
[4] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, and H. Levkowetz, “Extensible authentication protocol (EAP),” RFC 3748, 2004.
[5] P. McCann, “Mobile IPv6 fast handovers for 802.11 networks,” RFC 4260, 2005.
[6] Y. Song, M. Liu, Z. Li, and Q. Li, “Handover latency of predictive FMIPv6 in IEEE 802.11 WLANs: a cross layer perspective,” in Proceedings of the 18th International Conference on Computer Communications and Networks (ICCCN ’09), pp. 1–6, San Francisco, Calif, USA, August 2009.
[7] M. Alnas, I. Awan, and R. D. W. Holton, “Performance evaluation of fast handover in mobile IPv6 based on link-layer information,” Journal of Systems and Software, vol. 83, no. 10, pp. 1644–1650, 2010.
[8] J. Kempf and R. Koodli, “Distributing a symmetric fast mobile IPv6 handover key using secure neighbor discovery,” RFC 5269, 2008.
[9] C.-S. Park, “Security-enhanced fast mobile IPv6 handover,” IEICE Transactions on Communications, vol. E93-B, no. 1, pp. 178–181, 2010.
[10] J. Choi and S. Jung, “An integrated handover authentication for FMIPv6 over heterogeneous access link technologies,” Wireless Personal Communications, vol. 71, no. 2, pp. 839–856, 2013.
[11] L. Xu, Y. He, X. Chen, and X. Huang, “Ticket-based handoff authentication for wireless mesh networks,” Computer Networks, vol. 73, pp. 185–194, 2014.
[12] R. Singh and T. P. Sharma, “A key hiding communication scheme for enhancing the wireless LAN security,” Wireless Personal Communications, vol. 77, no. 2, pp. 1145–1165, 2014.
[13] X. Li, F. Bao, S. Li, and J. Ma, “FLAP: An efficient WLAN initial access authentication protocol,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 488–497, 2014.
[14] I. You, K. Sakurai, and Y. Hori, “A security analysis on Kempf-Koodli’s security scheme for fast Mobile IPv6,” IEICE Transactions on Communications, vol. 92, no. 6, pp. 2287–2290, 2009.
[15] K. Chowdhury and A. Yegin, “Mobile IPv6 (MIPv6) bootstrapping for the integrated scenario,” RFC 6621, 2012.
[16] G. Li, J. Ma, Q. Jiang, and X. Chen, “A novel re-authentication scheme based on tickets in wireless local area networks,” Journal of Parallel and Distributed Computing, vol. 71, no. 7, pp. 906–914, 2011.
Figure 4: Comparison of key management schemes. (a) Scheme 1. (b) Scheme 2. (c) Scheme 3.
derived from it is pushed into AP$_1$ (‰ in Figure 4(b)). But the interaction with the AAA cannot be skipped either during the L3 handover. On the other hand, in the proposed scheme (Scheme 3) of Figure 4(c), IEEE 802.1x-EAP authentication is performed only once during the initial network access in Figure 1. During a handover from AR$_0$ to AR$_1$, a new L3 key is sent to AR$_1$ via AR$_0$. Therefore, both the MN and AR$_1$ share $K_1$, which can be used to secure L3 signaling messages and to derive a new L2 key (PMK$_1$) in the target subnet. Since $K_1$ is proactively distributed to AR$_1$ before the MN moves from AR$_0$ to AR$_1$, the MN can perform a 4-way Handshake immediately after reassociating with AP$_1$ (D in Figure 4(c)).
4.2. Replay and Redirection Attacks. In order to guarantee the freshness of FMIPv6 signaling messages, to be precise, to protect from a replay attack, challenge-response authentication based on the random numbers ($R_{MN}$ and $R_0$) is employed for our proposed scheme. A scenario to which the replay attack is applied is as follows: the MN is attached again to AR$_0$ at handover session $i$, while it has been attached to the same AR$_0$ at handover session $j$ ($i > j$). Suppose the MN has moved to AR$_1$ during the handover session $j$ and plans now to move to AR$_2$ during the handover session $i$. In this case, an adversary can try to replay the FMIPv6 signaling messages used during the handover session $j$ to redirect the traffic for the MN. However, the replay attack is not successful due to both nonce values and the L3 key, which is unique for each handover session.
4.3. Compromised L3 Key and Session Hijacking Attack. A case of the L3 key compromise is considered in this section. We show that our proposed scheme is secure against a session hijacking attack through redirection even though the current L3 key, $K_0$ of (5) and (6), is exposed to an adversary. To protect the FBU message in Section 3.3, our proposed security scheme employs two public-key encryptions with $ePK_{AR_0}$ and $ePK_{AR_1}$ as in (5) and (6).

The MN obtains the public key of AR$_0$ ($ePK_{AR_0}$) as a result of an initial network access or a previous L3 handover, while the public key of AR$_1$ ($ePK_{AR_1}$) is passed to the MN by AR$_0$.
4.3.1. Session Hijacking by Redirection Attack. Suppose an adversary $A_{(MN)}$ disguising a victim MN knows the current L3 key $K_0$ and starts an L3 handover as follows:

$$A_{(MN)} \rightarrow AR_0:\ RtSolPr,\ R^*_{MN},\ MAC(K_0) \qquad (11')$$

$$A_{(MN)} \leftarrow AR_0:\ PrRtAdv,\ R^*_{MN},\ R_0,\ Prefix_1,\ ePK_{AR_1},\ MAC(K_0) \qquad (12')$$

$$A_{(MN)} \rightarrow AR_0:\ FBU,\ R_0,\ CoA^*_1,\ [r^*_0,\ [CoA^*_1,\ K_1]\,ePK_{AR_1}]\,ePK_{AR_0},\ MAC(K_0) \qquad (13')$$

$R^*_{MN}$, $CoA^*_1$, and $r^*_0$ are generated by $A_{(MN)}$, which tries to hijack the current traffic for the MN ($CoA_0$) and forward it to $A_{(MN)}$ ($CoA^*_1$). When receiving the FBU message, AR$_0$ obtains $r^*_0$ after decryption and verifies if $IID_0$ of the source IPv6 address ($CoA_0$) is identical to $h_{64}(r^*_0)$. If the verification is not successful, the protocol stops. Since $h_{64}(\cdot)$ is based on a one-way hash function and the $r_0$ used to derive $IID_0$ is known only to the MN, all the adversary can do is attempt to guess $r_0$ (the probability of $r_0 = r^*_0$ is $2^{-64}$). Since $CoA_0$ is valid only on subnet$_0$ and keeps changing as the MN moves, the probability is negligible enough to defend against such an attack.
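The checks AR$_0$ applies to an incoming FBU in Sections 4.2 and 4.3.1 can be sketched as follows. This is an added example, not code from the article: SHA-256 for $h(\cdot)$, HMAC-SHA256 for $MAC(K)$, the field encoding, the helper names, and the constructed sample addresses are assumptions, and the two public-key layers are modelled as already decrypted by AR$_0$.

```python
import hashlib
import hmac
import ipaddress
import os


def h64(r: bytes) -> bytes:
    """h_64(.): 64-bit truncation of a one-way hash (SHA-256 is an assumption)."""
    return hashlib.sha256(r).digest()[:8]


def make_coa(prefix: str, r: bytes) -> ipaddress.IPv6Address:
    """Build CoA = /64 subnet prefix || IID, where IID = h_64(r)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    iid = int.from_bytes(h64(r), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac(key: bytes, *fields: bytes) -> bytes:
    """MAC(K) over all preceding fields (HMAC-SHA256 with length-prefixed
    fields is an assumed encoding)."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        m.update(len(f).to_bytes(2, "big") + f)
    return m.digest()


def build_fbu(k0, nonce_r0, new_coa, r, inner):
    """FBU fields as AR_0 sees them once the outer ePK_AR0 layer is removed.
    `inner` stands for [CoA_1, K_1] under ePK_AR1 and stays opaque to AR_0."""
    tag = mac(k0, b"FBU", nonce_r0, new_coa.packed, r, inner)
    return {"R0": nonce_r0, "CoA1": new_coa, "r": r, "inner": inner, "mac": tag}


def ar0_verify_fbu(k0, issued_r0, src_coa, fbu) -> str:
    """Return 'accepted' or the first failed check."""
    # 1. Freshness (Section 4.2): R_0 must be the nonce AR_0 issued in the
    #    PrRtAdv of this handover session.
    if not hmac.compare_digest(fbu["R0"], issued_r0):
        return "rejected: stale nonce"
    # 2. Integrity: MAC(K_0) over the preceding fields.
    expected = mac(k0, b"FBU", fbu["R0"], fbu["CoA1"].packed, fbu["r"], fbu["inner"])
    if not hmac.compare_digest(fbu["mac"], expected):
        return "rejected: bad MAC"
    # 3. Address ownership (Section 4.3.1): IID_0 of the source CoA_0 must
    #    equal h_64(r). Knowing K_0 alone does not reveal r_0.
    if not hmac.compare_digest(src_coa.packed[8:], h64(fbu["r"])):
        return "rejected: IID mismatch"
    return "accepted"


def demo() -> dict:
    k0 = os.urandom(32)                          # current L3 key K_0 (assumed leaked)
    r0 = os.urandom(16)                          # MN's secret r_0
    coa0 = make_coa("2001:db8:0:a::/64", r0)     # constructed sample prefix
    issued = os.urandom(16)                      # R_0 sent by AR_0 in this session
    inner = b"<[CoA_1, K_1] under ePK_AR1>"      # placeholder ciphertext

    legit = build_fbu(k0, issued, make_coa("2001:db8:0:b::/64", os.urandom(16)), r0, inner)
    # Adversary holds K_0 and the fresh nonce but has to guess r_0.
    forged = build_fbu(k0, issued, make_coa("2001:db8:0:c::/64", os.urandom(16)),
                       os.urandom(16), inner)
    # FBU captured in an earlier session j: old nonce, old L3 key.
    replayed = build_fbu(os.urandom(32), os.urandom(16),
                         make_coa("2001:db8:0:b::/64", os.urandom(16)), r0, inner)
    return {
        "legitimate MN": ar0_verify_fbu(k0, issued, coa0, legit),
        "adversary with leaked K_0": ar0_verify_fbu(k0, issued, coa0, forged),
        "replayed session-j FBU": ar0_verify_fbu(k0, issued, coa0, replayed),
    }


if __name__ == "__main__":
    for who, verdict in demo().items():
        print(f"{who}: {verdict}")
```

The forged FBU carries a valid MAC because $K_0$ is known to the adversary, so only the $h_{64}$ binding between $r_0$ and the source address stops it.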
4.3.2. Session Hijacking by Man-in-the-Middle Attack. Suppose an adversary $A_{(MN)}$ knows the current L3 key $K_0$, and the victim MN starts an L3 handover to request AR$_0$ to forward its traffic to $CoA_1$. To see why the public-key encryption with $ePK_{AR_0}$ is required, (6) is modified into (13″):

$$MN \rightarrow AR_0:\ FBU,\ R_0,\ CoA_1,\ r_0,\ [CoA_1,\ K_1]\,ePK_{AR_1},\ MAC(K_0) \qquad (13'')$$

Then the adversary can mount a man-in-the-middle attack as follows:

$$MN \rightarrow AR_0:\ RtSolPr,\ R_{MN},\ MAC(K_0) \qquad (8)$$

$$A_{(MN)} \leftarrow AR_0:\ PrRtAdv,\ R_{MN},\ R_0,\ Prefix_1,\ ePK_{AR_1},\ MAC(K_0) \qquad (9)$$

$$MN \leftarrow A_{(MN)}:\ PrRtAdv,\ R_{MN},\ R_0,\ Prefix_1,\ ePK^*_{AR_1},\ MAC(K_0) \qquad (10)$$

$$MN \rightarrow A_{(MN)}:\ FBU,\ R_0,\ CoA_1,\ r_0,\ [CoA_1,\ K_1]\,ePK^*_{AR_1},\ MAC(K_0) \qquad (11)$$

$$A_{(MN)} \rightarrow AR_0:\ FBU,\ R_0,\ CoA^*_1,\ r_0,\ [CoA^*_1,\ K_1]\,ePK_{AR_1},\ MAC(K_0) \qquad (12)$$

Namely, $A_{(MN)}$, observing between the MN and AR$_0$, modifies $ePK_{AR_1}$ of (9) into $ePK^*_{AR_1}$ of (10), generated by $A_{(MN)}$, so that $A_{(MN)}$ can obtain a new L3 key $K_1$ and hijack the traffic for $CoA_1$ for the purpose of forwarding it to $CoA^*_1$. Eventually, the connection with AR$_1$ is turned over to $A_{(MN)}$. On the other hand, if (6) is used instead of (13′), (11) and (12) are changed into (19′) and (20′), respectively:

$$MN \rightarrow A_{(MN)}:\ FBU,\ R_0,\ CoA_1,\ [r_0,\ [CoA_1,\ K_1]\,ePK^*_{AR_1}]\,ePK_{AR_0},\ MAC(K_0) \qquad (19')$$

$$A_{(MN)} \rightarrow AR_0:\ FBU,\ R_0,\ CoA_1,\ [r_0,\ [CoA_1,\ K_1]\,ePK^*_{AR_1}]\,ePK_{AR_0},\ MAC(K_0) \qquad (20')$$

When intercepting (19′), $A_{(MN)}$ cannot modify $CoA_1$ or obtain $K_1$ since they are encrypted with $ePK_{AR_0}$. Therefore, when receiving $[CoA_1,\ K_1]\,ePK^*_{AR_1}$ through the $HI$ message, AR$_1$ aborts the current protocol since it cannot be decrypted with $ePK_{AR_1}$. Therefore, a compromise of the current L3 key does not induce that of the future L3 key.
4.4. Security Comparisons. Table 1 shows security comparisons (Schemes 1, 2, and 3), including the key management comparisons discussed in Section 4.1. It has been shown that our proposed scheme is secure against the session hijacking attack in case of the L3 key compromise. Scheme 1 is also secure since the L3 key is always generated and shared as a result of the 802.1x-EAP protocol. However, Scheme 2 ((2) in Section 2.3) is not secure when the L3 key is compromised. Suppose $K_0$ is exposed to an adversary $A_{(MN)}$ and (13) can be observed from the previous handover session.

Previous handover session with L3 key $K_X$:

$$MN \rightarrow AR_0:\ [K_0]MSK,\ R_{MN},\ MAC(MSK),\ MAC(K_X) \qquad (13)$$

Current handover session with L3 key $K_0$ (compromised):

$$A_{(MN)} \rightarrow AR_0:\ [K_0]MSK,\ R_{MN},\ MAC(MSK),\ MAC(K_0) \qquad (14)$$

In this case, if the adversary replays a part of (13) as in (14) with the compromised L3 key $K_0$, then the adversary can share the same L3 key with a new AR, so that the adversary can hijack the current session.
4.5. AAA Issues for Security and Billing. FMIPv6 can support handover across different administrative domains. As mentioned before, if the two ARs belong to two different administrative domains, there should be a prior roaming agreement between them for security and billing. Typically, the accounting data (information about the MN’s resource consumption) collected by the network devices in the visiting domain is carried by the accounting protocol to the home domain. FMIPv6 over IEEE 802.11 is followed by the MIPv6 BU (Binding Update) protocol, whose role is to inform the MN’s HA (Home Agent) of the current AR. There are two service providers, the Network Access Service Provider (NSP) and the Mobility Service Provider (MSP), in the MIPv6 bootstrapping environment [15]. The IEEE 802.11-based FMIPv6 service can be provided by the NSP offering a basic network access service to the MN, while the MIPv6 BU service is provided by the MSP. So, when the MIPv6 BU protocol is initiated, the MSP’s authorizer (AAA) will interact with the MN and AR, which is beyond the scope of this paper.
Table 1: Security comparisons.

| | Scheme 1 [8] | Scheme 1 [9] | Scheme 2 [10] | Scheme 3 [proposed one] |
|---|---|---|---|---|
| L3/L2 key management | None | None | Yes | Yes |
| Interaction with AAA | Required | Required | Required | Not required |
| L3 key generation | by AR | by MN | by MN | by MN |
| L2 key generation | 802.1x-EAP | 802.1x-EAP | from L3 key | from L3 key |
| Protection for UNA | None | Provided | Provided | Provided |
| Security attack due to L3 key compromise | Secure | Secure | Insecure | Secure |

5. Performance Analysis and Comparison

In this section, the three handover latencies from the previous schemes (Schemes 1 and 2) and from the proposed scheme (Scheme 3) are compared. We first describe the analytical mobility model for the performance evaluation, and then we analyze and compare the handover costs and the numeric results of the analysis.
5.1. Analytical Mobility Model. For the sake of simplicity, a square-shaped network model is used to analyze and compare the performance of the protocol under the three different schemes. In the square-shaped network model, coverage of the entire administrative domain and that of each AP are all square-shaped, and $N$ APs are uniformly distributed over the area of the administrative FMIPv6 domain. Figure 5 shows the square-shaped mobility model, where the bold lines indicate the boundary of the subnet consisting of 4 APs (AP$_{01}$, AP$_{02}$, AP$_{03}$, and AP$_{04}$) connected to AR$_0$.

The handover procedure is performed by the MN between ARs and APs. Hence, the handover rate is closely related to the mobility pattern of the MN. The Fluid Flow (FF) model is widely used to analyze issues related to cell boundary crossing, such as a handover [16]. The FF model is suitable for MNs with a static speed and direction of motion. We adapt the FF model for use as the mobility model. Let $l$ and $L$ denote the perimeter of each AP and AR, while $v$ and $p$, respectively, denote the average velocity and density of the MN. The MNs are uniformly distributed with a density $p$, and they move at an average velocity of $v$ in directions that are uniformly distributed over $[0, 2\pi]$. In the next analysis, $v$ is varied from 0.1 m/s to 5 m/s and $p$ is set to 0.0002 MNs/m$^2$ (200 MNs per km$^2$). Let $R_c$ and $R_d$ be the crossing rates over the coverage of each AP and AR, respectively. They are then defined as follows:

$$R_c = \frac{p\,v\,l}{\pi}, \qquad R_d = \frac{p\,v\,L}{\pi} \quad (\text{where } L = l\sqrt{N}) \qquad (15)$$
5.2. Handover Cost Analysis and Numerical Results. In IEEE 802.11-based FMIPv6, an MN performs L2 and L3 handover procedures. When an MN changes its current address to a new AR, the MN performs an L3 handover procedure. On the other hand, if an MN changes its current AP to another one connected to the same AR, then the MN performs an L2 handover procedure. In this section, the average handover cost per MN is defined as the sum of the cost of the L3 handover and the cost of the L2 handover per unit time, in order to provide results for the performance comparison. Let $A_j$ be the average handover cost per MN in unit of time, and $I_j$ and $H_j$ are the L3 handover cost and the L2 handover cost for Scheme $j$ ($= 1, 2, 3$), respectively. $I_j$ and $H_j$ are defined as the sum of the signaling cost $S_j$ and the processing cost $P_j$ for the L3 and L2 handovers, respectively. Based on (15), the average handover cost per MN, $A_j$, can be calculated as follows [16], where $W_{AR}$ is the area of an AR domain:

$$A_j = \frac{R_d \cdot I_j + (N \cdot R_c - R_d) \cdot H_j}{p \cdot W_{AR}} \quad (\text{where } I_j\,(H_j) = S_j + P_j) \qquad (16)$$

Figure 5: Square-shaped mobility model ($N = 4$). Legend: APs (L2 handover occurs); ARs (L2, L3 handover occurs).
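Equations (15) and (16) combine into a closed form that shows how the cost scales with $v$ and $N$. This derivation is added here and is not part of the original article; it assumes $W_{AR} = (L/4)^2$, the area of a square AR domain with perimeter $L$, as the square-shaped model implies.

$$
\begin{aligned}
N R_c - R_d &= \frac{p\,v\,l}{\pi}\,\bigl(N - \sqrt{N}\bigr), \qquad W_{AR} = \left(\frac{L}{4}\right)^2 = \frac{N\,l^2}{16},\\
A_j &= \frac{\dfrac{p\,v\,l}{\pi}\left(\sqrt{N}\,I_j + \bigl(N - \sqrt{N}\bigr) H_j\right)}{p \cdot \dfrac{N\,l^2}{16}}
 = \frac{16\,v}{\pi\,l}\left(\frac{I_j}{\sqrt{N}} + \left(1 - \frac{1}{\sqrt{N}}\right) H_j\right).
\end{aligned}
$$

Under that assumption $A_j$ grows linearly with $v$ and does not depend on $p$, and as $N$ grows the weight shifts from the L3 cost $I_j$ to the L2 cost $H_j$, so $A_j$ falls with $N$ whenever $I_j > H_j$.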
The parameter descriptions and values for the performance comparison, referenced from [16], are defined in Table 2. Note that the values other than $p$, $v$, $l$, and $N$ are defined “relatively” for the purpose of this comparison, so the handover cost does not indicate the actual authentication delay for the corresponding scheme.

Table 2: Parameters for evaluation.

| Symbol | Description | Value |
|---|---|---|
| $p$ | Density in a cell (MNs/m$^2$) | 0.0002 MNs/m$^2$ |
| $v$ | Average velocity of an MN (m/s) | 5 m/s (0.1∼5) |
| $l$ | Perimeter of AP’s coverage (m) | 120 m |
| $N$ | Number of APs in an AR | 5 APs (1∼10) |
| $C_{enc}$, $C_{dec}$ | Encryption cost/decryption cost | 1 |
| $C_{key}$ | Key generation cost | 1 |
| $C_{int}$ | Message integrity code cost | 0.25 |
| $C_{hash}$ | Hash cost | 0.25 |
| $C_{kdf}$ | KDF cost | 0.25 |
| $C_{rand}$ | Random number generation cost | 0.25 |
| $C_{hop}$ | Transmission cost on the hop | 10 |
| $C_{pub}$ | Public key operation cost | 10 |
| $C_{wired}$ | Unit of transmission cost for a wired link | 1 |
| $C_{wireless}$ | Unit of transmission cost for a wireless link | 15 |
| $D_{AP\text{-}AAA}$ | Number of hops between AP and AAA | 10 |
| $D_{AP\text{-}AR}$ | Number of hops between AP and AR | 2 |

Using the parameters in Table 2, the L2 and L3 handover costs and the average handover cost can be calculated based on (17). The $P_{jMN}$, $P_{jAP}$, $P_{jAR_0}$, $P_{jAR_1}$, and $P_{jAAA}$ indicate the processing costs on MN, AP, AR$_0$, AR$_1$, and AAA, respectively, of Scheme $j$, and each of them is also calculated from the cost of cryptographic operations such as $C_{key}$ and $C_{hash}$. Let the number of hops between any two relatively close network devices (such as MN-to-AP, AP-to-AP, and AR-to-AR) be 1. $a_{ji}$ and $b_{jk}$ are specific coefficients of Scheme $j$.

$$
\begin{aligned}
P_j &= \sum_{i \in Q} a_{ji}\,P_{ji}, \quad \text{where } Q = \{MN, AP, AR_0, AR_1, AAA\},\\
S_j &= C_{hop}\left[C_{wireless} + C_{wired}\left(b_{j1} + b_{j2}\,D_{AP\text{-}AAA} + b_{j3}\,D_{AP\text{-}AR}\right)\right]
\end{aligned}
\qquad (17)
$$
The handover cost of each scheme, evaluated according to Table 2, is shown in Figure 6. Figure 6(a) compares the L3 handover costs of the three schemes. It can be observed that the main contributor to the handover cost is the signaling cost $S_j$, and the handover cost of the previous schemes is larger than that of the proposed scheme as a result of the difference in when the interaction between the MN and AAA is required. Figure 6(b) shows the average handover cost per MN as the average velocity of the MN increases. The density of MN, $p$, is set to 0.0002, the number of APs in an AR, $N$, is set to 5, and the velocity of an MN varies from 0.1 m/s to 5 m/s. The average handover cost for the three schemes increases as the velocity increases. Figure 6(c) shows the impact the number of APs in an AR has on the average handover cost per MN. The density of MN, $p$, is set to 0.0002 and the velocity of an MN, $v$, is set to 5. The average handover cost decreases as the number of APs in an AR increases.

As we can see from Figures 6(a), 6(b), and 6(c), the proposed scheme is much more, or slightly more, efficient than the previous schemes. Figure 6(d) shows the impacts that the velocity of MN and the number of APs in an AR have on the average handover cost for the proposed scheme. The average handover cost increases rapidly as the velocity of MN increases. However, the average handover cost decreases gradually as the number of APs in an AR increases. Therefore, the velocity of MN, rather than the number of APs in an AR, is a more important factor to consider in order to achieve an efficient handover.
6. Conclusions

We have designed a key management and security scheme to enhance L2/L3 handover security and to reduce the authentication delay induced by the L3 handover. The proposed scheme is based on the original IEEE 802.11-based FMIPv6, where, first, based on the security assumptions, an initial network access protocol has been proposed to bootstrap the security associations among the network entities. Second, a cross-layer key management process has been introduced to integrate the L2 key with the L3 key. Namely, the L3 key can be judiciously employed to derive the L2 key so that the time-consuming IEEE 802.1x-EAP authentication with the AAA can be skipped. Third, a method for protecting the seven L3 signaling messages has been proposed, as well as a scheme to securely transport the L3 key to the target AR. In particular, the case of a compromised L3 key has been considered, for which, even though the L3 key at the subnet of the current AR is compromised, an adversary with the compromised L3 key cannot perform any kind of redirection attack. In other words, a domino effect can be suppressed. FMIPv6 over IEEE 802.11 is followed by the MIPv6 BU (Binding Update) protocol, which involves an interaction with the AAA of the MSP. In the integrated scenario of MIPv6 bootstrapping, the MSP plays the role of the NSP, while the MSP and NSP are two distinct service providers in the split scenario. As a follow-up to the current research, the AAA issues for security and billing will be investigated further, considering both the split and integrated scenarios for MIPv6 bootstrapping.
Figure 6: Numerical results. (a) L3 handover cost per entity (MN, AP, AR$_0$, AR$_1$, AAA, $P_j$, $S_j$). (b) Average handover cost versus velocity of MN (m/s) ($N = 5$). (c) Average handover cost versus number of APs in an AR ($N$) ($v = 5$). (d) Average handover cost of the proposed scheme. Series in (a) to (c): Scheme 1 [8, 9], Scheme 2 [10], Scheme 3 [proposed].
Notations

$MAC(K)$: Message authentication code computed over all preceding message fields using a symmetric key $K$
$[m]K$: Encryption of $m$ using symmetric key $K$
$kdf(\cdot)$: Key derivation function
$R_X$: Random number generated by $X$ ($X$ = MN, 0 for AR$_0$, 1 for AR$_1$)
Nonce: Nonce parameter
$h(\cdot)$: One-way hash function
$h_{64}(\cdot)$: 64-bit truncation from the output of $h(\cdot)$
$K_i$: L3 key shared between MN and AR$_i$
$PMK_i$: L2 key shared between MN and AP$_i$
$PK_X$, $SK_X$: A pair of public and private keys of $X$ used for the signature
$ePK_X$, $eSK_X$: A pair of public and private keys of $X$ used for the encryption
$Sig(SK_X)$: A digital signature based on the signing private key $SK_X$ covering all preceding message fields
$[m]\,ePK_X$: Encryption of $m$ with the public key $ePK_X$ of $X$ ($X$ = MN, 0 for AR$_0$, 1 for AR$_1$)
Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This research was supported by the Employment Contractbased Master Degree Program for Information Securitysupervised by the KISA (Korea Internet Security Agency)and also supported by the MSIP (Ministry of Science ICT
Mobile Information Systems 11
and Future Planning) Republic of Korea under the CPRC(Communications Policy Research Center) Support Programsupervised by the KCA (Korea Communications Agency)(KCA-2013-003)
References
[1] R Koodli ldquoMobile IPv6 fast handoversrdquo RFC 5268 2008[2] C PerkinsD Johnson and J Arkko ldquoMobility support in IPv6rdquo
RFC 6725 2011[3] IEEE 80211 Wireless LAN Medium Access Control (MAC) and
Physical Layer (PHY) Specifications IEEE Standard 2012[4] B Aboba L Blunk J Vollbrecht J Carlson and H Levkowetz
ldquoExtensible authentication protocol (EAP)rdquo RFC 3748 2004[5] P McCann ldquoMobile IPv6 fast handovers for 80211 networksrdquo
RFC 4260 2005[6] Y SongM Liu Z Li andQ Li ldquoHandover latency of predictive
FMIPv6 in IEEE 80211 WLANs a cross layer perspectiverdquo inProceedings of the 18th International Conference on ComputerCommunications and Networks (ICCCN rsquo09) pp 1ndash6 SanFrancisco Calif USA August 2009
[7] M Alnas I Awan and R D W Holton ldquoPerformance eval-uation of fast handover in mobile IPv6 based on link-layerinformationrdquo Journal of Systems and Software vol 83 no 10pp 1644ndash1650 2010
[8] J Kempf and R Koodli ldquoDistributing a symmetric fast mobileIPv6 handover key using secure neighbor discoveryrdquo RFC 52692008
[9] C-S Park ldquoSecurity-enhanced fast mobile IPv6 handoverrdquoIEICE Transactions on Communications vol E93-B no 1 pp178ndash181 2010
[10] J Choi and S Jung ldquoAn integrated handover authentication forFMIPv6 over heterogeneous access link technologiesrdquoWirelessPersonal Communications vol 71 no 2 pp 839ndash856 2013
[11] L Xu Y He X Chen and X Huang ldquoTicket-based handoffauthentication for wireless mesh networksrdquo Computer Net-works vol 73 pp 185ndash194 2014
[12] R Singh and T P Sharma ldquoA key hiding communicationscheme for enhancing the wireless LAN securityrdquo WirelessPersonal Communications vol 77 no 2 pp 1145ndash1165 2014
[13] X Li F Bao S Li and J Ma ldquoFLAP An efficient WLAN initialaccess authentication protocolrdquo IEEE Transactions on Paralleland Distributed Systems vol 25 no 2 pp 488ndash497 2014
[14] I You K Sakurai and Y Hori ldquoA security analysis on Kempf-Koodlirsquos security scheme for fast Mobile IPv6rdquo IEICE Transac-tions on Communications vol 92 no 6 pp 2287ndash2290 2009
[15] K Chowdhury and A Yegin ldquoMobile IPv6 (MIPv6) bootstrap-ping for the integrated scenariordquo RFC 6621 2012
[16] G Li J Ma Q Jiang and X Chen ldquoA novel re-authenticationscheme based on tickets in wireless local area networksrdquo Journalof Parallel andDistributed Computing vol 71 no 7 pp 906ndash9142011
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
![Page 7: Research Article A Cross-Layer Key Management Scheme for ...downloads.hindawi.com/journals/misy/2015/708064.pdf · Handover over IEEE 802.11 Wireless LAN Chang-SeopPark, 1 Hyun-SunKang,](https://reader033.fdocuments.us/reader033/viewer/2022060317/5f0c51607e708231d434cda4/html5/thumbnails/7.jpg)
Mobile Information Systems 7
obtains 119903lowast0after decryption and verifies if IID
0of the source
IPv6 address (CoA0) is identical to ℎ
64(119903lowast
0) If the verification
is not successful the protocol stops Since ℎ64(sdot) is based on
a one-way hash function and the 1199030used to derive IID
0is
known only to the MN all the adversary can do is attemptto guess 119903
0(the probability of 119903
0= 119903lowast
0is 2minus64) Since CoA
0
is valid only on the subnet0and keeps changing as the MN
moves the probability is negligible enough to defend againstsuch an attack
432 Session Hijacking by Man-in-the-Middle Attack Sup-pose an adversary A
(MN) knows the current L3 key1198700 and thevictim MN starts an L3 handover to request AR
0to forward
its traffic to CoA1 To see why the public-key encryption with
119890119875119870AR0 is required (6) is modified into (1310158401015840)
MN 997888rarr AR0 119865119861119880 119877
0 1198621199001198601 1199030
[1198621199001198601 1198701] 119890119875119870AR1 119872119860119862 (119870
0)
(1310158401015840)
Then the adversary can mount a man-in-the-middle attackas follows
MN 997888rarr AR0 119877119905119878119900119897119875119903 119877MN119872119860119862 (119870
0) (8)
A(MN) larr997888 AR
0 119875119903119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199091 119890119875119870AR1
119872119860119862 (1198700)
(9)
MN larr997888 A(MN) 119875119903119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199091 119890119875119870
lowast
AR1
119872119860119862 (1198700)
(10)
MN 997888rarr A(MN) 119865119861119880 119877
0 1198621199001198601 1199030
[1198621199001198601 1198701] 119890119875119870
lowast
AR1 119872119860119862 (1198700)
(11)
A(MN) 997888rarr AR
0 119865119861119880 119877
0 119862119900119860lowast
1 1199030
[119862119900119860lowast
1 1198701] 119890119875119870AR1 119872119860119862 (119870
0)
(12)
Namely A(MN) observing between the MN and AR
0modifies
119890119875119870AR1 of (9) into 119890119875119870lowast
AR1 of (10) generated by A(MN) so thatA(MN) can obtain a new L3 key 119870
1and hijack the traffic for
CoA1for the purpose of forwarding it to 119862119900119860
lowast
1 Eventually
the connection with AR1is turned over to A
(MN) On theother hand if (6) is used instead of (131015840) (11) and (12) arechanged into (19
1015840) and (20
1015840) respectively
MN 997888rarr A(MN) 119865119861119880 119877
0 1198621199001198601
[1199030 [119862119900119860
1 1198701] 119890119875119870
lowast
AR1] 119890119875119870AR0 119872119860119862 (1198700)
(191015840)
A(MN) 997888rarr AR
0 119865119861119880 119877
0 1198621199001198601
[1199030 [119862119900119860
1 1198701] 119890119875119870
lowast
AR1] 119890119875119870AR0 119872119860119862 (1198700)
(201015840)
When intercepting (191015840) A(MN) cannot modify CoA
1or
obtain 1198701since they are encrypted with 119890119875119870AR0 Therefore
when receiving [1198621199001198601 1198701]119890119875119870lowast
AR1 through the 119867119868 messageAR1aborts the current protocol since it cannot be decrypted
with 119890119875119870AR1 Therefore a compromise of the current L3 keydoes not induce that of the future L3 key
44 Security Comparisons Table 1 shows security compar-isons (Schemes 1 2 and 3) including the key managementcomparisons discussed in Section 41 It has been shown thatour proposed scheme is secure against the session hijackingattack in case of the L3 key compromise Scheme 1 is alsosecure since the L3 key is always generated and shared asa result of 8021x-EAP protocol However Scheme 2 ((2) inSection 23) is not secure when the L3 key is compromisedSuppose119870
0is exposed to an adversary A
(MN) and (13) can beobserved from the previous handover session
previous handover session with L3 key 119870119883
MN 997888rarr AR0 [1198700]119872119878119870
119877MN119872119860119862 (119872119878119870) 119872119860119862 (119870119883)
(13)
current handover session with L3 key 1198700(compromised)
A(MN)
997888rarr AR0 [1198700]119872119878119870
119877MN119872119860119862 (119872119878119870) 119872119860119862 (1198700)
(14)
In this case if the adversary replays a part of (13) as in (14)with the compromised L3 key 119870
0 then the adversary can
share the same L3 key with a new AR so that the adversarycan hijack the current session
45 AAA Issues for Security and Billing FMIPv6 can sup-port handover across different administrative domains Asmentioned before if the two ARs belong to two differentadministrative domains there should be a prior roamingagreement between them for security and billing Typicallythe accounting data (information about MNrsquos resource con-sumption) collected by the network devices in the visitingdomain is carried by the accounting protocol to the homedomain FMIPv6 over IEEE 80211 is followed by the MIPv6BU (Binding Update) protocol whose role is to inform MNrsquosHA (Home Agent) of the current AR There are two ser-vice providers Network Access Service Provider (NSP) andMobility Service Provider (MSP) in MIPv6 bootstrappingenvironment [15] The IEEE 80211-based FMIPv6 servicecan be provided by the NSP offering a basic network accessservice to MN while the MIPv6 BU service is provided bythe MSP So when the MIPv6 BU protocol is initiated MSPrsquosauthorizer (AAA) will be interacted with the MN and ARwhich is beyond the scope of this paper
5. Performance Analysis and Comparison

In this section, the three handover latencies from the previous schemes (Schemes 1 and 2) and from the proposed scheme (Scheme 3) are compared. We first describe the analytical mobility model for the performance evaluation, and then we analyze and compare the handover costs and the numeric results of the analysis.

Table 1: Security comparisons.

| | Scheme 1 [8] | Scheme 1 [9] | Scheme 2 [10] | Scheme 3 [proposed one] |
|---|---|---|---|---|
| L3/L2 key management | None | None | Yes | Yes |
| Interaction with AAA | Required | Required | Required | Not required |
| L3 key generation | by AR | by MN | by MN | by MN |
| L2 key generation | 802.1x-EAP | 802.1x-EAP | from L3 key | from L3 key |
| Protection for UNA | None | Provided | Provided | Provided |
| Security attack due to L3 key compromise | Secure | Secure | Insecure | Secure |
5.1. Analytical Mobility Model. For the sake of simplicity, a square-shaped network model is used to analyze and compare the performance of the protocol under the three different schemes. In the square-shaped network model, coverage of the entire administrative domain and that of each AP are all square-shaped, and $N$ APs are uniformly distributed over the area of the administrative FMIPv6 domain. Figure 5 shows the square-shaped mobility model, where the bold lines indicate the boundary of the subnet consisting of 4 APs ($AP_{01}$, $AP_{02}$, $AP_{03}$, and $AP_{04}$) connected to $AR_0$.

The handover procedure is performed by the MN between ARs and APs. Hence, the handover rate is closely related to the mobility pattern of MN. The Fluid Flow (FF) model is widely used to analyze issues related to cell boundary crossing, such as a handover [16]. The FF model is suitable for MNs with a static speed and direction of motion. We adapt the FF model for use as the mobility model. Let $l$ and $L$ denote the perimeter of each AP and AR, while $v$ and $p$, respectively, denote the average velocity and density of MN. The MNs are uniformly distributed with a density $p$, and they move at an average velocity of $v$ in directions that are uniformly distributed over $[0, 2\pi]$. In the next analysis, $v$ is varied from 0.1 m/s to 5 m/s and $p$ is set to 0.0002 MNs/m² (200 MNs per km²). Let $R_c$ and $R_d$ be the crossing rates over the coverage of each AP and AR, respectively. They are then defined as follows:

$$R_c = \frac{p v l}{\pi}, \qquad R_d = \frac{p v L}{\pi} \quad (\text{where } L = l\sqrt{N}). \tag{15}$$
Figure 5: Square-shaped mobility model ($N = 4$). Legend: APs (L2 handover occurs); ARs (L2, L3 handover occurs). Labels: $AP_{01}$, $AP_{02}$, $AP_{03}$, $AP_{04}$, $AR_0$.

5.2. Handover Cost Analysis and Numerical Results. In IEEE 802.11-based FMIPv6, an MN performs L2 and L3 handover procedures. When an MN changes its current address to a new AR, the MN performs an L3 handover procedure. On the other hand, if an MN changes its current AP to another one connected to the same AR, then MN performs an L2 handover procedure. In this section, the average handover cost per MN is defined as the sum of the cost of the L3 handover and the cost of the L2 handover per unit time in order to provide results for the performance comparison. Let $A_j$ be the average handover cost per MN in unit of time, and $I_j$ and $H_j$ are the L3 handover cost and the L2 handover cost for Scheme $j$ (= 1, 2, 3), respectively. $I_j$ and $H_j$ are defined as the sum of the signaling cost $S_j$ and the processing cost $P_j$ for the L3 and L2 handovers, respectively. Based on (15), the average handover cost per MN, $A_j$, can be calculated as follows [16], where $W_{AR}$ is the area of an AR domain:

$$A_j = \frac{R_d \cdot I_j + (N \cdot R_c - R_d) \cdot H_j}{p \cdot W_{AR}} \quad (\text{where } I_j\,(H_j) = S_j + P_j). \tag{16}$$
The parameter descriptions and values for the performance comparison, referenced from [16], are defined in Table 2. Note that the values other than $p$, $v$, $l$, and $N$ are defined "relatively" for the purpose of this comparison, so the handover cost does not indicate the actual authentication delay for the corresponding scheme.
Using the parameters in Table 2, the L2 and L3 handover costs and the average handover cost can be calculated based on (17). The $P_{j\mathrm{MN}}$, $P_{j\mathrm{AP}}$, $P_{j\mathrm{AR0}}$, $P_{j\mathrm{AR1}}$, and $P_{j\mathrm{AAA}}$ indicate the processing costs on MN, AP, AR0, AR1, and AAA, respectively, of Scheme $j$, and each of them is also calculated from the cost of cryptographic operations such as $C_{key}$ and $C_{hash}$. Let the number of hops between any two relatively close network devices (such as MN-to-AP, AP-to-AP, and AR-to-AR) be 1. $a_{ji}$ and $b_{jk}$ are specific coefficients of Scheme $j$:

$$P_j = \sum_{i \in Q} a_{ji} P_{ji}, \quad \text{where } Q = \{MN, AP, AR_0, AR_1, AAA\},$$

$$S_j = C_{hop}\,[\,C_{wireless} + C_{wired}\,(b_{j1} + b_{j2} D_{AP\text{-}AAA} + b_{j3} D_{AP\text{-}AR})\,]. \tag{17}$$

Table 2: Parameters for evaluation.

| Symbol | Description | Value |
|---|---|---|
| $p$ | Density in a cell (MNs/m²) | 0.0002 MNs/m² |
| $v$ | Average velocity of an MN (m/s) | 5 m/s (0.1∼5) |
| $l$ | Perimeter of AP's coverage (m) | 120 m |
| $N$ | Number of APs in an AR | 5 APs (1∼10) |
| $C_{enc}$, $C_{dec}$ | Encryption cost/decryption cost | 1 |
| $C_{key}$ | Key generation cost | 1 |
| $C_{int}$ | Message integrity code cost | 0.25 |
| $C_{hash}$ | Hash cost | 0.25 |
| $C_{kdf}$ | KDF cost | 0.25 |
| $C_{rand}$ | Random number generation cost | 0.25 |
| $C_{hop}$ | Transmission cost on the hop | 10 |
| $C_{pub}$ | Public key operation cost | 10 |
| $C_{wired}$ | Unit of transmission cost for a wired link | 1 |
| $C_{wireless}$ | Unit of transmission cost for a wireless link | 15 |
| $D_{AP\text{-}AAA}$ | Number of hops between AP and AAA | 10 |
| $D_{AP\text{-}AR}$ | Number of hops between AP and AR | 2 |
The handover cost of each scheme, evaluated according to Table 2, is shown in Figure 6. Figure 6(a) compares the L3 handover costs of the three schemes. It can be observed that the main contributor to the handover cost is the signaling cost $S_j$, and the handover cost of the previous schemes is larger than that of the proposed scheme as a result of the difference in when the interaction between the MN and AAA is required. Figure 6(b) shows the average handover cost per MN as the average velocity of the MN increases. The density of MN, $p$, is set to 0.0002, the number of APs in an AR, $N$, is set to 5, and the velocity of an MN varies from 0.1 m/s to 5 m/s. The average handover cost for the three schemes increases as the velocity increases. Figure 6(c) shows the impact the number of APs in an AR has on the average handover cost per MN. The density of MN, $p$, is set to 0.0002 and the velocity of an MN, $v$, is set to 5. The average handover cost decreases as the number of APs in an AR increases.

As we can see from Figures 6(a), 6(b), and 6(c), the proposed scheme is much more or slightly more efficient than the previous schemes. Figure 6(d) shows the impacts that the velocity of MN and the number of APs in an AR have on the average handover cost for the proposed scheme. The average handover cost increases rapidly as the velocity of MN increases. However, the average handover cost decreases gradually as the number of APs in an AR increases. Therefore, the velocity of MN, rather than the number of APs in an AR, is a more important factor to consider in order to achieve an efficient handover.
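Equations (15) and (16) evaluated with the $p$ and $l$ values of Table 2, as an added example that is not code from the paper. `I_COST` and `H_COST` are constructed placeholders, because the per-scheme coefficients $a_{ji}$ and $b_{jk}$ are not listed here, and `ar_area` assumes $W_{AR} = (L/4)^2$, which follows from the square-shaped model.

```python
import math

# Table 2 values that the page gives unambiguously.
P_DENSITY = 0.0002   # p: MN density, MNs/m^2
L_AP = 120.0         # l: perimeter of one AP's coverage, m

# Constructed placeholders: the coefficients a_ji and b_jk behind I_j and H_j
# are not listed on this page, so these two costs are illustrative only.
I_COST = 300.0       # hypothetical L3 handover cost I_j
H_COST = 50.0        # hypothetical L2 handover cost H_j


def crossing_rates(p, v, l, n):
    """Eq. (15): return (R_c, R_d) with AR perimeter L = l * sqrt(N)."""
    big_l = l * math.sqrt(n)
    return p * v * l / math.pi, p * v * big_l / math.pi


def ar_area(l, n):
    """W_AR (assumption): a square AR domain of perimeter L has side L / 4."""
    return (l * math.sqrt(n) / 4.0) ** 2


def average_cost(i_cost, h_cost, p, v, l, n):
    """Eq. (16): average handover cost per MN per unit time."""
    r_c, r_d = crossing_rates(p, v, l, n)
    l3_rate = r_d              # AR boundary crossings
    l2_rate = n * r_c - r_d    # AP boundary crossings not counted as AR crossings
    return (l3_rate * i_cost + l2_rate * h_cost) / (p * ar_area(l, n))


def closed_form(i_cost, h_cost, v, l, n):
    """Eq. (16) after substituting (15) and W_AR; the density p cancels."""
    return 16.0 * v / (math.pi * l) * (h_cost + (i_cost - h_cost) / math.sqrt(n))


def sweep_velocity(n=5, velocities=(0.1, 1.0, 2.0, 3.0, 4.0, 5.0)):
    """Average cost against v for fixed N, the axis of Figure 6(b)."""
    return [average_cost(I_COST, H_COST, P_DENSITY, v, L_AP, n) for v in velocities]


def sweep_aps(v=5.0, counts=range(1, 11)):
    """Average cost against N for fixed v, the axis of Figure 6(c)."""
    return [average_cost(I_COST, H_COST, P_DENSITY, v, L_AP, n) for n in counts]


if __name__ == "__main__":
    for v, a in zip((0.1, 1.0, 2.0, 3.0, 4.0, 5.0), sweep_velocity()):
        print(f"v = {v:3.1f} m/s  N = 5   A = {a:8.3f}")
    for n, a in zip(range(1, 11), sweep_aps()):
        print(f"v = 5.0 m/s  N = {n:<2d}  A = {a:8.3f}")
```

Substituting (15) into (16) gives $A_j = \frac{16 v}{\pi l}\left(H_j + \frac{I_j - H_j}{\sqrt{N}}\right)$, so the cost is linear in $v$, falls only as $1/\sqrt{N}$, and does not depend on $p$. At $N = 1$ the L2 term vanishes and every crossing is an L3 handover.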
6. Conclusions

We have designed a key management and security scheme to enhance L2/L3 handover security and to reduce the authentication delay induced by the L3 handover. The proposed scheme is based on the original IEEE 802.11-based FMIPv6, where, first, based on the security assumptions, an initial network access protocol has been proposed to bootstrap the security associations among the network entities. Second, a cross-layer key management process has been introduced to integrate the L2 key with the L3 key. Namely, the L3 key can be judiciously employed to derive the L2 key so that the time-consuming IEEE 802.1x-EAP authentication with the AAA can be skipped. Third, a method for protecting the seven L3 signaling messages has been proposed, as well as a scheme to securely transport the L3 key to the target AR. In particular, the case of a compromised L3 key has been considered, for which, even though the L3 key at the subnet of the current AR is compromised, an adversary with the compromised L3 key cannot perform any kind of redirection attack. In other words, a domino effect can be suppressed. FMIPv6 over IEEE 802.11 is followed by the MIPv6 BU (Binding Update) protocol, which involves an interaction with the AAA of the MSP. In the integrated scenario of MIPv6 bootstrapping, the MSP plays the role of the NSP, while the MSP and NSP are two distinct service providers in the split scenario. As a follow-up to the current research, the AAA issues for security and billing will be investigated further, considering both the split and integrated scenarios for MIPv6 bootstrapping.
Figure 6: Numerical results. (a) L3 handover cost by entity (MN, AP, AAA, AR0, AR1, $P_j$, $S_j$). (b) Average handover cost against velocity of MN (m/s) ($N = 5$). (c) Average handover cost against number of APs in an AR ($N$) ($v = 5$). (d) Average handover cost of proposed scheme. Series in (a) to (c): Scheme 1 [8, 9], Scheme 2 [10], Scheme 3 [proposed].
Notations

$MAC(K)$: Message authentication code computed over all preceding message fields using a symmetric key $K$
$[m]_K$: Encryption of $m$ using symmetric key $K$
$kdf(\cdot)$: Key derivation function
$R_X$: Random number generated by $X$ ($X$ = MN, 0 for $AR_0$, 1 for $AR_1$)
Nonce: Nonce parameter
$h(\cdot)$: One-way hash function
$h_{64}(\cdot)$: 64-bit truncation from the output of $h(\cdot)$
$K_i$: L3 key shared between MN and $AR_i$
$PMK_i$: L2 key shared between MN and $AP_i$
$PK_X$, $SK_X$: A pair of public and private keys of $X$ used for the signature
$ePK_X$, $eSK_X$: A pair of public and private keys of $X$ used for the encryption
$Sig(SK_X)$: A digital signature based on the signing private key $SK_X$ covering all preceding message fields
$[m]_{ePK_X}$: Encryption of $m$ with the public key $ePK_X$ of $X$ ($X$ = MN, 0 for $AR_0$, 1 for $AR_1$)
Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This research was supported by the Employment Contract based Master Degree Program for Information Security supervised by the KISA (Korea Internet Security Agency) and also supported by the MSIP (Ministry of Science, ICT and Future Planning), Republic of Korea, under the CPRC (Communications Policy Research Center) Support Program supervised by the KCA (Korea Communications Agency) (KCA-2013-003).
References

[1] R. Koodli, "Mobile IPv6 fast handovers," RFC 5268, 2008.
[2] C. Perkins, D. Johnson, and J. Arkko, "Mobility support in IPv6," RFC 6725, 2011.
[3] IEEE 802.11, Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, IEEE Standard, 2012.
[4] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, and H. Levkowetz, "Extensible authentication protocol (EAP)," RFC 3748, 2004.
[5] P. McCann, "Mobile IPv6 fast handovers for 802.11 networks," RFC 4260, 2005.
[6] Y. Song, M. Liu, Z. Li, and Q. Li, "Handover latency of predictive FMIPv6 in IEEE 802.11 WLANs: a cross layer perspective," in Proceedings of the 18th International Conference on Computer Communications and Networks (ICCCN '09), pp. 1–6, San Francisco, Calif, USA, August 2009.
[7] M. Alnas, I. Awan, and R. D. W. Holton, "Performance evaluation of fast handover in mobile IPv6 based on link-layer information," Journal of Systems and Software, vol. 83, no. 10, pp. 1644–1650, 2010.
[8] J. Kempf and R. Koodli, "Distributing a symmetric fast mobile IPv6 handover key using secure neighbor discovery," RFC 5269, 2008.
[9] C.-S. Park, "Security-enhanced fast mobile IPv6 handover," IEICE Transactions on Communications, vol. E93-B, no. 1, pp. 178–181, 2010.
[10] J. Choi and S. Jung, "An integrated handover authentication for FMIPv6 over heterogeneous access link technologies," Wireless Personal Communications, vol. 71, no. 2, pp. 839–856, 2013.
[11] L. Xu, Y. He, X. Chen, and X. Huang, "Ticket-based handoff authentication for wireless mesh networks," Computer Networks, vol. 73, pp. 185–194, 2014.
[12] R. Singh and T. P. Sharma, "A key hiding communication scheme for enhancing the wireless LAN security," Wireless Personal Communications, vol. 77, no. 2, pp. 1145–1165, 2014.
[13] X. Li, F. Bao, S. Li, and J. Ma, "FLAP: An efficient WLAN initial access authentication protocol," IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 488–497, 2014.
[14] I. You, K. Sakurai, and Y. Hori, "A security analysis on Kempf-Koodli's security scheme for fast Mobile IPv6," IEICE Transactions on Communications, vol. 92, no. 6, pp. 2287–2290, 2009.
[15] K. Chowdhury and A. Yegin, "Mobile IPv6 (MIPv6) bootstrapping for the integrated scenario," RFC 6621, 2012.
[16] G. Li, J. Ma, Q. Jiang, and X. Chen, "A novel re-authentication scheme based on tickets in wireless local area networks," Journal of Parallel and Distributed Computing, vol. 71, no. 7, pp. 906–914, 2011.
![Page 8: Research Article A Cross-Layer Key Management Scheme for ...downloads.hindawi.com/journals/misy/2015/708064.pdf · Handover over IEEE 802.11 Wireless LAN Chang-SeopPark, 1 Hyun-SunKang,](https://reader033.fdocuments.us/reader033/viewer/2022060317/5f0c51607e708231d434cda4/html5/thumbnails/8.jpg)
8 Mobile Information Systems
Table 1 Security comparisons
Scheme 1 Scheme 2 Scheme 3[8] [9] [10] [proposed one]
L3L2 key management None None Yes YesInteraction with AAA Required Required Required Not requiredL3 key generation by AR by MN by MN by MNL2 key generation 8021x-EAP 8021x-EAP from L3 key from L3 keyProtection for UNA None Provided Provided ProvidedSecurity attack due to L3 key compromise Secure Secure Insecure Secure
analyze and compare the handover costs and the numericresults of the analysis
51 Analytical Mobility Model For the sake of simplicity asquare-shapednetworkmodel is used to analyze and comparethe performance of the protocol under the three differentschemes In the square-shaped network model coverage ofthe entire administrative domain and that of each AP areall square-shaped and119873 APs are uniformly distributed overthe area of the administrative FMIPv6 domain Figure 5shows the square-shapedmobilitymodel where the bold linesindicate the boundary of the subnet consisting of 4APs (AP
01
AP02 AP03 and AP
04) connected to AR
0
The handover procedure is performed by the MNbetween ARs and APs Hence the handover rate is closelyrelated to the mobility pattern of MN The Fluid Flow (FF)model is widely used to analyze issues related to cell boundarycrossing such as a handover [16]The FFmodel is suitable forMNs with a static speed and direction of motion We adaptthe FFmodel for use as themobilitymodel Let 119897 and 119871 denotethe perimeter of each AP and AR while V and 119901 respectivelydenote the average velocity and density of MN The MNsare uniformly distributed with a density 119901 and they moveat an average velocity of V in directions that are uniformlydistributed over [0 2120587] In the next analysis V is varied from01ms to 5ms and 119901 is set to 00002MNsm2 (200MNs perKm2) Let 119877
119888and 119877
119889be the crossing rates over the coverage
of each AP and AR respectively They are then defined asfollows
119877119888=
119901V119897120587
119877119889=
119901V119871120587
(where 119871 = 119897radic119873)
(15)
52 Handover Cost Analysis and Numerical Results In IEEE80211-based FMIPv6 an MN performs L2 and L3 handoverprocedures When an MN changes its current address to anew AR the MN performs an L3 handover procedure Onthe other hand if an MN changes its current AP to anotherone connected to the same AR then MN performs an L2handover procedure In this section the average handovercost per MN is defined as the sum of the cost of the L3handover and the cost of the L2 handover per unit time in
APs (L2 handover occurs)
ARs (L2 L3 handover occurs)
AP01
AP03 AP04
AP02
AR0
Figure 5 Square-shaped mobility model (119873 = 4)
order to provide results for the performance comparison Let119860119895be the average handover cost per MN in unit of time and
119868119895and119867
119895are the L3 handover cost and the L2 handover cost
for Scheme 119895 (= 1 2 3) respectively 119868119895and 119867
119895are defined
as the sum of the signaling cost 119878119895and the processing cost
119875119895for the L3 and L2 handovers respectively Based on (15)
the average handover cost per MN 119860119895 can be calculated as
follows [16] where119882AR is the area of an AR domain
119860119895=
(119877119889sdot 119868119895+ (119873 sdot 119877
119888minus 119877119889) sdot 119867119895)
(119901 sdot 119882AR)
(where 119868119895(119867119895) = 119878119895+ 119875119895)
(16)
The parameter descriptions and values for the performancecomparison referenced from [16] are defined in Table 2Note that the values other than 119901 V 119897 and119873 are defined ldquorel-ativelyrdquo for the purpose of this comparison so the handovercost does not indicate the actual authentication delay for thecorresponding scheme
Using the parameters in Table 2 the L2 and L3 handovercosts and the average handover cost can be calculated basedon (17) The 119875
119895MN 119875119895AP 119875119895AR0 119875119895AR1 and 119875119895AAA indicate
the processing costs on MN AP AR0 AR1 and AAA
respectively of Scheme 119895 and each of them is also calculatedfrom the cost of cryptographic operations such as 119862key and119862hash Let the number of hops between any two relatively close
Mobile Information Systems 9
Table 2 Parameters for evaluation
Symbol Description Valuep Density in a cell (MNsm2) 00002MNsm2
v Average velocity of an MN (ms) 5ms (01sim5)l Perimeter of APrsquos coverage (m) 120mN Number of APs in an AR 5APs (1sim10)119862enc 119862dec Encryption costdecryption cost 1119862key Key generation cost 1119862int Message integrity code cost 025119862hash Hash cost 025119862kdf KDF cost 025119862rand Random number generation cost 025119862hop Transmission cost on the hop 10119862pub Public key operation cost 10119862wired Unit of transmission cost for a wired link 1119862wireless Unit of transmission cost for a wireless link 15119863AP-AAA Number of hops between AP and AAA 10119863AP-AR Number of hops between AP and AR 2
network devices (such as MN-to-AP AP-to-AP and AR-to-AR) be 1 119886
119895119894and 119887119895119896are specific coefficients of Scheme 119895
119875119895= sum
119894isin119876
119886119895119894119875119895119894
where 119876 = 1198721198731198601198751198601198770 1198601198771 119860119860119860
119878119895= 119862hop [119862wireless
+ 119862wired (1198871198951 + 1198871198952119863AP-AAA + 119887
1198953119863AP-AR)]
(17)
The handover cost of each scheme evaluated according toTable 2 is shown in Figure 6 Figure 6(a) compares the L3handover costs of the three schemes It can be observed thatthe main contributor to the handover cost is the signalingcost 119878
119895 and the handover cost of the previous schemes is
larger than that of the proposed scheme as a result in thedifference of when the interaction between theMN and AAAis required Figure 6(b) shows the average handover cost perMN as the average velocity of the MN increases The densityof MN 119901 is set to 00002 the number of APs in an AR119873 isset to 5 and the velocity of anMNvaries from01ms to 5msThe average handover cost for three schemes increases as thevelocity increases Figure 6(c) shows the impact the numberof APs in an AR has on the average handover cost per MNThe density of MN 119901 is set to 00002 and the velocity of anMN V is set to 5 The average handover cost decreases as thenumber of APs in an AR increases
As we can see from Figures 6(a) 6(b) and 6(c) theproposed scheme is much more or slightly efficient than theprevious schemes Figure 6(d) shows the impacts that thevelocity of MN and the number of APs in an AR have onthe average handover cost for the proposed scheme Theaverage handover cost increases rapidly as the velocity of
MN increases However the average handover cost decreasesgradually as the number of APs in anAR increasesThereforethe velocity of MN rather than the number of APs in an ARis a more important factor to consider in order to achieve anefficient handover
6 Conclusions
We have designed a key management and security scheme toenhance L2L3 handover security and to reduce the authen-tication delay induced by the L3 handover The proposedscheme is based on the original IEEE 80211-based FMIPv6where first based on the security assumptions an initialnetwork access protocol has been proposed to bootstrap thesecurity associations among the network entities Second across-layer key management process has been introduced tointegrate the L2 key with the L3 key Namely the L3 key canbe judiciously employed to derive the L2 key so that the time-consuming IEEE 8021x-EAP authentication with the AAAcan be skipped Third a method for protecting the seven L3signaling messages has been proposed as well as a scheme tosecurely transport the L3 key to the target AR In particularthe case of a compromised L3 key has been considered forwhich even though the L3 key at the subnet of the currentAR is compromised an adversary with the compromisedL3 key cannot perform any kind of redirection attack Inother words a domino effect can be suppressed FMIPv6 overIEEE 80211 is followed by the MIPv6 BU (Binding Update)protocol which involves an interaction with the AAA of theMSP In the integrated scenario of MIPv6 bootstrapping theMSPplays the role of theNSP while theMSP andNSP are twodistinct service providers in the split scenario As a follow-up to the current research the AAA issues for security andbilling will be more investigated considering both the splitand integrated scenarios for MIPv6 bootstrapping
10 Mobile Information Systems
0
500
1000
1500H
ando
ver c
ost
Scheme 1 [8 9]Scheme 2 [10]
Scheme 3 [proposed]
MN AP AAAEntities
AR0 AR1 Pj Sj
(a) L3 handover cost
0
50
100
150
200
05 1 15 2 25 3 35 4 45 5
Aver
age h
ando
ver c
ost
Velocity of MN (ms)
Scheme 1 [8 9]Scheme 2 [10]
Scheme 3 [proposed]
(b) Average handover cost (119873 = 5)
0
50
100
150
200
250
300
350
1 2 3 4 5 6 7 8 9 10
Aver
age h
ando
ver c
ost
Number of APs in an AR (N)Scheme 1 [8 9]Scheme 2 [10]
Scheme 3 [proposed]
(c) Average handover cost (V = 5)
hand
over
cost
= 1
= 4
= 7 = 10
050
100150200
12345678910
Aver
age
Number of APs in an AR (N)0ndash5050ndash100(d) Average handover cost of proposed scheme
Figure 6 Numerical Results
Notations
119872119860119862(119870) Message authentication code computedover all preceding message fields using asymmetric key 119870
[119898]119870 Encryption of119898 using symmetric key119870
119896119889119891(sdot) Key derivation function119877119883 Random number generated by119883 (119883 =
MN 0 for AR0 1 for AR
1)
Nonce Nonce parameterℎ(sdot) One-way hash functionℎ64(sdot) 64-bit truncation from the output of ℎ(sdot)
119870119894 L3 key shared between MN and AR
119894
119875119872119870119894 L2 key shared between MN and AP
119894
119875119870119883 119878119870119883 A pair of public and private keys of119883 used
for the signature119890119875119870119883 119890119878119870119883 A pair of public and private keys of119883 usedfor the encryption
119878119894119892(119878119870119883) A digital signature based on the signingprivate key 119878119870
119883covering all preceding
message fields[119898]119890119875119870
119883 Encryption of119898 with the public key 119890119875119870
119883
of119883 (119883 = MN 0 for AR0 1 for AR
1)
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This research was supported by the Employment Contractbased Master Degree Program for Information Securitysupervised by the KISA (Korea Internet Security Agency)and also supported by the MSIP (Ministry of Science ICT
Mobile Information Systems 11
and Future Planning) Republic of Korea under the CPRC(Communications Policy Research Center) Support Programsupervised by the KCA (Korea Communications Agency)(KCA-2013-003)
References
[1] R Koodli ldquoMobile IPv6 fast handoversrdquo RFC 5268 2008[2] C PerkinsD Johnson and J Arkko ldquoMobility support in IPv6rdquo
RFC 6725 2011[3] IEEE 80211 Wireless LAN Medium Access Control (MAC) and
Physical Layer (PHY) Specifications IEEE Standard 2012[4] B Aboba L Blunk J Vollbrecht J Carlson and H Levkowetz
ldquoExtensible authentication protocol (EAP)rdquo RFC 3748 2004[5] P McCann ldquoMobile IPv6 fast handovers for 80211 networksrdquo
RFC 4260 2005[6] Y SongM Liu Z Li andQ Li ldquoHandover latency of predictive
FMIPv6 in IEEE 80211 WLANs a cross layer perspectiverdquo inProceedings of the 18th International Conference on ComputerCommunications and Networks (ICCCN rsquo09) pp 1ndash6 SanFrancisco Calif USA August 2009
[7] M Alnas I Awan and R D W Holton ldquoPerformance eval-uation of fast handover in mobile IPv6 based on link-layerinformationrdquo Journal of Systems and Software vol 83 no 10pp 1644ndash1650 2010
[8] J Kempf and R Koodli ldquoDistributing a symmetric fast mobileIPv6 handover key using secure neighbor discoveryrdquo RFC 52692008
[9] C-S Park ldquoSecurity-enhanced fast mobile IPv6 handoverrdquoIEICE Transactions on Communications vol E93-B no 1 pp178ndash181 2010
[10] J Choi and S Jung ldquoAn integrated handover authentication forFMIPv6 over heterogeneous access link technologiesrdquoWirelessPersonal Communications vol 71 no 2 pp 839ndash856 2013
[11] L Xu Y He X Chen and X Huang ldquoTicket-based handoffauthentication for wireless mesh networksrdquo Computer Net-works vol 73 pp 185ndash194 2014
[12] R Singh and T P Sharma ldquoA key hiding communicationscheme for enhancing the wireless LAN securityrdquo WirelessPersonal Communications vol 77 no 2 pp 1145ndash1165 2014
[13] X Li F Bao S Li and J Ma ldquoFLAP An efficient WLAN initialaccess authentication protocolrdquo IEEE Transactions on Paralleland Distributed Systems vol 25 no 2 pp 488ndash497 2014
[14] I You K Sakurai and Y Hori ldquoA security analysis on Kempf-Koodlirsquos security scheme for fast Mobile IPv6rdquo IEICE Transac-tions on Communications vol 92 no 6 pp 2287ndash2290 2009
[15] K Chowdhury and A Yegin ldquoMobile IPv6 (MIPv6) bootstrap-ping for the integrated scenariordquo RFC 6621 2012
[16] G Li J Ma Q Jiang and X Chen ldquoA novel re-authenticationscheme based on tickets in wireless local area networksrdquo Journalof Parallel andDistributed Computing vol 71 no 7 pp 906ndash9142011
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
![Page 9: Research Article A Cross-Layer Key Management Scheme for ...downloads.hindawi.com/journals/misy/2015/708064.pdf · Handover over IEEE 802.11 Wireless LAN Chang-SeopPark, 1 Hyun-SunKang,](https://reader033.fdocuments.us/reader033/viewer/2022060317/5f0c51607e708231d434cda4/html5/thumbnails/9.jpg)
Mobile Information Systems 9
Table 2 Parameters for evaluation
Symbol Description Valuep Density in a cell (MNsm2) 00002MNsm2
v Average velocity of an MN (ms) 5ms (01sim5)l Perimeter of APrsquos coverage (m) 120mN Number of APs in an AR 5APs (1sim10)119862enc 119862dec Encryption costdecryption cost 1119862key Key generation cost 1119862int Message integrity code cost 025119862hash Hash cost 025119862kdf KDF cost 025119862rand Random number generation cost 025119862hop Transmission cost on the hop 10119862pub Public key operation cost 10119862wired Unit of transmission cost for a wired link 1119862wireless Unit of transmission cost for a wireless link 15119863AP-AAA Number of hops between AP and AAA 10119863AP-AR Number of hops between AP and AR 2
network devices (such as MN-to-AP, AP-to-AP, and AR-to-AR) be 1. $a_{ji}$ and $b_{jk}$ are specific coefficients of Scheme $j$:

$$P_j = \sum_{i \in Q} a_{ji} P_{ji}, \quad \text{where } Q = \{MN, AP, AR_0, AR_1, AAA\},$$

$$S_j = C_{hop} \left[ C_{wireless} + C_{wired} \left( b_{j1} + b_{j2} D_{AP\text{-}AAA} + b_{j3} D_{AP\text{-}AR} \right) \right]. \tag{17}$$
The handover cost of each scheme, evaluated according to Table 2, is shown in Figure 6. Figure 6(a) compares the L3 handover costs of the three schemes. It can be observed that the main contributor to the handover cost is the signaling cost $S_j$, and the handover cost of the previous schemes is larger than that of the proposed scheme as a result of the difference in when the interaction between the MN and AAA is required. Figure 6(b) shows the average handover cost per MN as the average velocity of the MN increases. The density of MN $p$ is set to 0.0002, the number of APs in an AR $N$ is set to 5, and the velocity of an MN varies from 0.1 m/s to 5 m/s. The average handover cost for the three schemes increases as the velocity increases. Figure 6(c) shows the impact the number of APs in an AR has on the average handover cost per MN. The density of MN $p$ is set to 0.0002 and the velocity of an MN $v$ is set to 5. The average handover cost decreases as the number of APs in an AR increases.

As we can see from Figures 6(a), 6(b), and 6(c), the proposed scheme is much more or slightly more efficient than the previous schemes. Figure 6(d) shows the impacts that the velocity of MN and the number of APs in an AR have on the average handover cost for the proposed scheme. The average handover cost increases rapidly as the velocity of MN increases. However, the average handover cost decreases gradually as the number of APs in an AR increases. Therefore, the velocity of MN, rather than the number of APs in an AR, is a more important factor to consider in order to achieve an efficient handover.
6 Conclusions
We have designed a key management and security scheme to enhance L2/L3 handover security and to reduce the authentication delay induced by the L3 handover. The proposed scheme is based on the original IEEE 802.11-based FMIPv6. First, based on the security assumptions, an initial network access protocol has been proposed to bootstrap the security associations among the network entities. Second, a cross-layer key management process has been introduced to integrate the L2 key with the L3 key. Namely, the L3 key can be judiciously employed to derive the L2 key so that the time-consuming IEEE 802.1x-EAP authentication with the AAA can be skipped. Third, a method for protecting the seven L3 signaling messages has been proposed, as well as a scheme to securely transport the L3 key to the target AR. In particular, the case of a compromised L3 key has been considered: even though the L3 key at the subnet of the current AR is compromised, an adversary with the compromised L3 key cannot perform any kind of redirection attack. In other words, a domino effect can be suppressed. FMIPv6 over IEEE 802.11 is followed by the MIPv6 BU (Binding Update) protocol, which involves an interaction with the AAA of the MSP. In the integrated scenario of MIPv6 bootstrapping, the MSP plays the role of the NSP, while the MSP and NSP are two distinct service providers in the split scenario. As a follow-up to the current research, the AAA issues for security and billing will be investigated further, considering both the split and integrated scenarios for MIPv6 bootstrapping.
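The cross-layer derivation summarized above, as an added Python example that is not code from the paper: both sides derive the L2 key PMK_i from the L3 key K_i with a kdf, so no AAA round trip is needed, and an L3 signaling message carries MAC(K) over all preceding fields. The HKDF-Expand/HMAC-SHA256 construction, the labels, the fields bound into the derivation, the message layout, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def kdf(key: bytes, label: bytes, context: bytes, length: int = 32) -> bytes:
    """Stand-in for kdf(.): HKDF-Expand (RFC 5869) with HMAC-SHA256 (assumption)."""
    info = label + b"\x00" + context
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(key, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def encode_fields(fields) -> bytes:
    """Length-prefix every field so that field boundaries are unambiguous."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def derive_pmk(k_i, mn_mac, ap_mac, r_mn, r_ar) -> bytes:
    """PMK_i from the L3 key K_i; the bound context fields are an assumption."""
    return kdf(k_i, b"L2-PMK", encode_fields([mn_mac, ap_mac, r_mn, r_ar]))


def protect(fields, k_i) -> bytes:
    """Append MAC(K) computed over all preceding message fields."""
    body = encode_fields(fields)
    mac_key = kdf(k_i, b"L3-MAC", b"")  # assumed key separation from the PMK
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def verify(message, k_i) -> bool:
    """Recompute the MAC over the body and compare in constant time."""
    if len(message) < TAG_LEN:
        return False
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    mac_key = kdf(k_i, b"L3-MAC", b"")
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


# Constructed sample values (not from the paper).
K_0 = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
MN_MAC = bytes.fromhex("02aabbccdd01")
AP1_MAC = bytes.fromhex("02aabbccdd10")
AP2_MAC = bytes.fromhex("02aabbccdd20")
R_MN = bytes(range(16))
R_AR = bytes(range(16, 32))


def handover_demo() -> dict:
    pmk_mn = derive_pmk(K_0, MN_MAC, AP1_MAC, R_MN, R_AR)    # MN side
    pmk_net = derive_pmk(K_0, MN_MAC, AP1_MAC, R_MN, R_AR)   # network side
    pmk_ap2 = derive_pmk(K_0, MN_MAC, AP2_MAC, R_MN, R_AR)   # a different AP
    msg = protect([b"L3-SIGNALING", MN_MAC, AP1_MAC, R_MN], K_0)
    # Flip one bit inside the MN address field of the protected message.
    tampered = msg[:20] + bytes([msg[20] ^ 0x01]) + msg[21:]
    return {
        "pmk_match": pmk_mn == pmk_net,
        "pmk_distinct_per_ap": pmk_mn != pmk_ap2,
        "mac_ok": verify(msg, K_0),
        "tamper_rejected": not verify(tampered, K_0),
        "wrong_key_rejected": not verify(msg, bytes(32)),
    }


if __name__ == "__main__":
    for name, ok in handover_demo().items():
        print(f"{name}: {ok}")
```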
[Figure 6 panels: (a) L3 handover cost per entity (MN, AP, AR0, AR1, AAA, Pj, Sj) for Scheme 1 [8, 9], Scheme 2 [10], and Scheme 3 [proposed]; (b) average handover cost versus velocity of MN (m/s), N = 5; (c) average handover cost versus number of APs in an AR (N), v = 5; (d) average handover cost of the proposed scheme versus number of APs in an AR (N).]

Figure 6: Numerical results.
Notations
$MAC(K)$: Message authentication code computed over all preceding message fields using a symmetric key $K$
$[m]_K$: Encryption of $m$ using symmetric key $K$
$kdf(\cdot)$: Key derivation function
$R_X$: Random number generated by $X$ ($X$ = MN, 0 for AR$_0$, 1 for AR$_1$)
Nonce: Nonce parameter
$h(\cdot)$: One-way hash function
$h_{64}(\cdot)$: 64-bit truncation from the output of $h(\cdot)$
$K_i$: L3 key shared between MN and AR$_i$
$PMK_i$: L2 key shared between MN and AP$_i$
$PK_X$, $SK_X$: A pair of public and private keys of $X$ used for the signature
$ePK_X$, $eSK_X$: A pair of public and private keys of $X$ used for the encryption
$Sig(SK_X)$: A digital signature based on the signing private key $SK_X$, covering all preceding message fields
$[m]_{ePK_X}$: Encryption of $m$ with the public key $ePK_X$ of $X$ ($X$ = MN, 0 for AR$_0$, 1 for AR$_1$)
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This research was supported by the Employment Contract based Master Degree Program for Information Security supervised by the KISA (Korea Internet Security Agency) and also supported by the MSIP (Ministry of Science, ICT and Future Planning), Republic of Korea, under the CPRC (Communications Policy Research Center) Support Program supervised by the KCA (Korea Communications Agency) (KCA-2013-003).
References
[1] R. Koodli, "Mobile IPv6 fast handovers," RFC 5268, 2008.
[2] C. Perkins, D. Johnson, and J. Arkko, "Mobility support in IPv6," RFC 6725, 2011.
[3] IEEE 802.11, Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, IEEE Standard, 2012.
[4] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, and H. Levkowetz, "Extensible authentication protocol (EAP)," RFC 3748, 2004.
[5] P. McCann, "Mobile IPv6 fast handovers for 802.11 networks," RFC 4260, 2005.
[6] Y. Song, M. Liu, Z. Li, and Q. Li, "Handover latency of predictive FMIPv6 in IEEE 802.11 WLANs: a cross layer perspective," in Proceedings of the 18th International Conference on Computer Communications and Networks (ICCCN '09), pp. 1–6, San Francisco, Calif, USA, August 2009.
[7] M. Alnas, I. Awan, and R. D. W. Holton, "Performance evaluation of fast handover in mobile IPv6 based on link-layer information," Journal of Systems and Software, vol. 83, no. 10, pp. 1644–1650, 2010.
[8] J. Kempf and R. Koodli, "Distributing a symmetric fast mobile IPv6 handover key using secure neighbor discovery," RFC 5269, 2008.
[9] C.-S. Park, "Security-enhanced fast mobile IPv6 handover," IEICE Transactions on Communications, vol. E93-B, no. 1, pp. 178–181, 2010.
[10] J. Choi and S. Jung, "An integrated handover authentication for FMIPv6 over heterogeneous access link technologies," Wireless Personal Communications, vol. 71, no. 2, pp. 839–856, 2013.
[11] L. Xu, Y. He, X. Chen, and X. Huang, "Ticket-based handoff authentication for wireless mesh networks," Computer Networks, vol. 73, pp. 185–194, 2014.
[12] R. Singh and T. P. Sharma, "A key hiding communication scheme for enhancing the wireless LAN security," Wireless Personal Communications, vol. 77, no. 2, pp. 1145–1165, 2014.
[13] X. Li, F. Bao, S. Li, and J. Ma, "FLAP: An efficient WLAN initial access authentication protocol," IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 488–497, 2014.
[14] I. You, K. Sakurai, and Y. Hori, "A security analysis on Kempf-Koodli's security scheme for fast Mobile IPv6," IEICE Transactions on Communications, vol. 92, no. 6, pp. 2287–2290, 2009.
[15] K. Chowdhury and A. Yegin, "Mobile IPv6 (MIPv6) bootstrapping for the integrated scenario," RFC 6621, 2012.
[16] G. Li, J. Ma, Q. Jiang, and X. Chen, "A novel re-authentication scheme based on tickets in wireless local area networks," Journal of Parallel and Distributed Computing, vol. 71, no. 7, pp. 906–914, 2011.