Research ArticleA Cross-Layer Key Management Scheme for MIPv6 FastHandover over IEEE 80211 Wireless LAN

Chang-Seop Park1 Hyun-Sun Kang2 and Jaijin Jung3

1Department of Software Dankook University Jukjeon 16980 Republic of Korea2Department of General Education Namseoul University Cheonan 31020 Republic of Korea3Department of Applied Computer Engineering Dankook University Jukjeon 16980 Republic of Korea

Correspondence should be addressed to Chang-Seop Park csp0dankookackr

Received 21 June 2015 Accepted 29 October 2015

Academic Editor Francesco Gringoli

Copyright copy 2015 Chang-Seop Park et al This is an open access article distributed under the Creative Commons AttributionLicense which permits unrestricted use distribution and reproduction in any medium provided the original work is properlycited

A new key management and security scheme is proposed to integrate Layer Two (L2) and Layer Three (L3) keys for secureand fast Mobile IPv6 handover over IEEE 80211 Wireless Local Area Network (WLAN) Unlike the original IEEE 80211-basedMobile IPv6 Fast Handover (FMIPv6) that requires time-consuming IEEE 8021x-based Extensible Authentication Protocol (EAP)authentication on each L3 handover the newly proposed key management and security scheme requires only one 8021x-EAPregardless of how many L3 handovers occur Therefore the proposed scheme reduces the handover latency that results from alengthy 8021x-based EAP The proposed key management and security scheme is extensively analyzed in terms of security andperformance and the proposed security scheme is shown to be more secure than those that were previously proposed

1 Introduction

Mobile IPv6 Fast Handover (FMIPv6) [1] has been proposedin order to minimize the delay induced by handover opera-tions ofMobile IPv6 [2] When a wireless Mobile Node (MN)changes its attachment point to a new Access Router (AR) itis possible to provide IP connectivity in advance of the actualregistration of the mobile IP by tunneling data between thecurrent and the target access routers The basic idea behindFMIPv6 which is a kind of Layer Three (L3) handover isto leverage information from Layer Two (L2) technologiessuch as IEEE 80211 [3] to either predict or rapidly respondto a handover event On the other hand a wireless MNattached to an AR via an Access Point (AP) can move to anew AP without changing its attachment to the AR In thiscase an L2 handover occurs and the MN must reassociateand authenticate with the new AP using IEEE 8021x-basedExtensible Authentication Protocol (8021x-EAP) [4] Giventhat an L2 handover is also induced when an L3 handoveroccurs IEEE 80211-based FMIPv6 [5] has been proposed andhas been analyzed in terms of its handover latency [6 7]

There are two security issues associated with IEEE 80211-based FMIPv6 One issue is that of establishing an L3 keybetween an MN and a new AR on each L3 handover Basedon the L3 key the L3 signaling messages used to establishthe tunnel between the current AR and the target AR can beauthenticated in particular a compromise of the current L3key should not induce that of the future L3 key to suppress thedomino effect Several security mechanisms [8ndash10] have beenpreviously proposed to establish the L3 key However theyhave several weaknesses in terms of security and efficiencyThe other issue is to reduce the authentication delay causedby the L3 handoverTheMNwould perform a lengthy 8021x-EAP authentication with AAA (Authentication Authoriza-tion and Auditing) server on each L3 handover inducing theL2 handover As a result of successful 8021x-EAP authentica-tion the L2 key is shared and used for mutual authenticationbetween theMN and a new AP Since both L2 and L3 keys aregenerated and managed independently key management forIEEE 80211-based FMIPv6 becomes complex A simplifiedkey management scheme [10] to derive the L2 key from theL3 key has been proposed to reduce the authentication delay

Hindawi Publishing CorporationMobile Information SystemsVolume 2015 Article ID 708064 11 pageshttpdxdoiorg1011552015708064

2 Mobile Information Systems

L3 handover

L2 handover

AR0

AP0

AP1

AR2

AR1

(a)

AAA

MNc Associationauthentication

Traffic for MN

L3 signaling messages

L2 signaling messages

d forwardtoRequesta tunneltoRequest

Tunnel establishment

AR0

AP0

AR1

AP1

Subnet0 Subnet1

b

(b)

(L3) request to tunnel

(L2) associationauthentication❶ Re-association ❷ 8021x-EAP with AAA❸ L2 key distribution ❹ 4-way handshake

(L3) request to forward

with AP1

with AP1

MN larr AR0 FBackAR0 larr AR1 Hack

(L3) tunnel establishmentMN rarr AR0 MN larr AR0 PrRtAdv

RtSolPrPrefix1

FBUCoA1

MN rarr AR0

AR0 rarr AR1 HICoA0CoA1

= Disconnected from AP0 =

= Connected to AP1 =

MN rarr AR1 UNA

(c)

Figure 1 L3 handover procedure of IEEE 80211-based FMIPv6

However it is still required for the MN to be interconnectedwith the AAA on each L3 handover and it has a securityproblem in that a session hijacking attack is feasible whichwill be shown in this paper

A new key management and security scheme is proposedto secure IEEE 80211-based FMIPv6 signaling messages Acontribution of this paper is twofold first a new L3 keyestablishment scheme is proposed which is secure againsta variety of session hijacking and redirection attacks in caseof an L3 key compromise Second unlike the original IEEE80211-based FMIPv6 where the MN would perform a fullIEEE 8021x-EAP authentication with the AAA on each L3handover the newly proposed scheme requires only oneIEEE 8021x-EAP authentication regardless of how many L3handovers occur Therefore the proposed scheme reducesthe handover latency that results from the lengthy IEEE8021x-EAP authentication In particular the proposed keymanagement scheme is of a cross-layer type in the sensethat the L2 keys are derived from the L3 key In Section 2the background of FMIPv6 over IEEE 80211 WLAN isintroduced along with related works A new keymanagementand security scheme is proposed in Section 3 The newscheme is analyzed and compared with previous schemes

in terms of security and performance in Sections 4 and 5Finally concluding remarks are given in Section 6

2 FMIPv6 over IEEE 80211 WLAN andRelated Works

21 FMIPv6 over IEEE 80211WLAN We consider a networkenvironment of Figure 1(a) where each subnet of the AR iscomprised of one or more APs When the MN moves fromAP0to AP

1 then both L3 and L2 handovers occur Namely

the MNrsquos subnet changes from subnet0to subnet

1

Suppose an L2 handover from AP0to AP

1is anticipated

as in Figure 1(b) By exchanging both the Router Solicitationfor Proxy Advertisement (RtSolPr) and the Proxy RouterAdvertisement (PrRtAdv)messages theMNconfigures a newcare-of-address (CoA) CoA

1 according to the subnet prefix

Prefix1 of AR

1 Then the MN sends a Fast Binding Update

(FBU) message to request AR0to forward packets destined

for theMN to AR1 (sbquo in Figure 1(c)) A tunnel is established

between AR0and AR

1by exchanging Handover Initiate

(HI) andHandover Acknowledgment (Hack) messages (ƒ inFigure 1(c)) where the HI message carries the current CoAof the MN CoA

0 and a new CoA CoA

1 to be used on

Mobile Information Systems 3

a subnet of AR1 The packets for the MN start to flow to and

are buffered at AR1 Then a Fast Binding Acknowledgment

(FBack)message is sent to theMN to notify of the completionof the tunnel establishment

When finally disconnected from AP0 namely when the

L2 handover occurs the MN reassociates with AP1(e in

Figure 1(c)) and performs a full IEEE 8021x-EAP authenti-cation with the AAA (f in Figure 1(c)) If it is successful L2key distribution starts based on the MSK

1shared between

the MN and AAA The PMK1truncated from the MSK

1is

securely distributed to AP1(g in Figure 1(c)) Subsequently

a 4-way Handshake (h in Figure 1(c)) based on PMK1is

performed between the MN and AP1 At this point the

MN is successfully attached to a subnet of AR1(subnet

1)

through AP1 Finally the MN sends an Unsolicited Neighbor

Advertisement (UNA) message to request AR1to deliver the

buffered packets forwarded from AR0( in Figure 1(c)) The

fields inherent to the L3 signaling messages (eg RtSolPr)are intentionally omitted for the sake of providing a simpleexplanation Instead they will be padded with the security-related fields when discussing the mechanism used to securethem

22 Threat Models and Problem Statements Without properprotection for L3 signaling messages in FMIPv6 (sbquo and inFigure 1) an adversary can forge or modify them to mount avariety of redirection attacks Unless the previous AR (AR

0

in Figure 1) can verify that the FBU message comes froman authorized MN legitimate traffic for the MN might beredirected to the adversary Furthermore the packets for theMN can be redirected to any other host to execute a floodingattack against it or against the subnet to which it belongsTheadversary can also forge the UNAmessage to steal the trafficdestined for the legitimate MN In order to avoid the aboveattacks security associations should be established betweenthe MN and ARs An L3 key shared between the MN andAR0is used to authenticate the L3 signaling messages of sbquo

in Figure 1 while the L3 signaling messages of in Figure 1can be authenticated based on another L3 key shared betweenthe MN and AR

1 Therefore it is necessary to embed L3 key

distribution protocol into the original 80211-based FMIPv6In particular the domino effect should be suppressed in caseof the L3 key compromise Namely the compromise of thecurrent L3 key should not induce that of the future L3 keyOn the other hand the 8021x-EAP authentication (f inFigure 1) is for the MN to share a new L2 key with the newAP attached to the target AR through AAA The L2 key isused for mutual authentication between theMN and the newAP However the authentication delay caused by the 8021x-EAP is amajor source of the handover delay since 8messagesshould be exchanged between the MN and AAA in case ofusing EAP-Transport Layer Security (TLS) method Henceif the 8021x-EAP can be skipped on each L3 handover of theIEEE 80211-based FMIPv6 the overall handover delay can begreatly improved

23 Previous Works Several security schemes [11ndash13] havebeen investigated for sharing the L2 key to protect L2signaling messages which are based on a concept of ticket

key hiding technique and authentication server respectivelyOn the other hand a security scheme [8] based on Crypto-graphically Generated Address (CGA) has been proposed tosecure L3 signaling messages (sbquo in Figure 1) CGA is formedby taking the IPv6 subnet prefix for a nodersquos subnet andcombining it with an interface identifier suffix formed as thehash of the nodersquos public key The L3 key 119870

0 generated by

AR0is encrypted using the public encryption key of MN

119890119875119870MN and it is sent to the MN Both RtSolPr and PrRtAdvmessages are protected by the digital signature while the FBUmessage is protected by the symmetric key The definition ofthe notations is shown in Notations section Consider

MN 997888rarr AR0 119877119905119878119900119897119875119903 119875119870MN 119890119875119870MN 119873119900119899119888119890

119878119894119892 (119878119870MN)

MN larr997888 AR0 119875119903119877119905119860119889V 119875119903119890119891119894119909

1 [1198700] 119890119875119870MN 119873119900119899119888119890

119878119894119892 (119878119870AR0)

MN 997888rarr AR0 119865119861119880 119862119900119860

1119872119860119862 (119870

0)

(1)

However the security scheme does not provide a methodto establish a security association between the MN andthe target router AR

1 so that the UNA message cannot be

protected and can be forged to steal the traffic destined forthe legitimate MN Furthermore a variety of DoS (Denial ofService) attacks can be mounted using the unauthenticatedUNA message which has also been mentioned in [14]Another security scheme [9] has been proposed to protectL3 signaling messages including the UNA message Thesecurity schemes proposed in [8 9] are only for protectingL3 signaling messages (sbquo and in Figure 1)

Integrated handover authentication scheme [10] has beenproposed to integrate the L3 key with the L2 key namely theL2 key can be derived directly from the L3 key Before theMN handovers to the target AR the MN transports a new L3key 119870

1 to AR

1through the AAA as in (2) where MSK is a

secret key shared between the MN and AAA SubsequentlyAR1distributes the L2 key (PMK

1) derived from the L3 key

(1198701) to the new AP A current L3 key 119870

0 is used to secure

the L3 signalingmessages (sbquo in Figure 1) while a new L3 key1198701 is for securing the L3 signaling messages ( in Figure 1)

Consider

MN 997888rarr AR0

[1198701]119872119878119870

119877MN119872119860119862 (119872119878119870) 119872119860119862 (1198700)

AR0997888rarr AR

1 [1198701]119872119878119870

119877MN119872119860119862 (119872119878119870)

AR1997888rarr AAA [119870

1]119872119878119870

119877MN119872119860119862 (119872119878119870)

AR1larr997888 AAA [119870

1]119872119878119870

119877MN

(2)

As mentioned in Section 22 it is desirable for the interactionwith theAAA to be skipped in order to speed up the handoverprocess However it has not actually been skipped insteadit has been placed on the L3 protocol Furthermore it is notsecure against the L3 key compromise attack Namely the

4 Mobile Information Systems

domino effect occurs in that if 1198700is compromised then 119870

1

is also compromised The security weakness will be morediscussed in Section 44

3 The Proposed Key Management andSecurity Scheme

A new cross-layer scheme for key management and associ-ated security is proposed where an L2 key is derived from anL3 key to speed up the L3 handover procedure accompanyingthe L2 handover so that it is similar to the one in [10]However there is much difference between them in termsof security and efficiency It is assumed that preestablishedsecurity associations exist between AR

0and AR

1 AR and

AP A security association between the MN and AAA is alsoassumed to exist for the initial access of MN to the networkThe notations used in this paper are shown in Notationssection

31 Design Principles Suppose an MN handover from asubnet of AR

0to that of AR

1 Two L3 keys are required to

protect the L3 signaling messages the one (1198700) on the subnet

of AR0and the other (119870

1) on the subnet of AR

1 Unlike

the previous schemes [8ndash10] based on the interaction withAAA the MN generates and distributes 119870

1proactively to

AR1before it moves from AR

0to AR

1 Furthermore the L2

key (PMK1) can be derived from 119870

1on the subnet of AR

1

and pushed into new AP1attached to AR

1 so that the IEEE

8021x-EAP can be skippedSince a new L3 key (119870

1) to be used after handover is

predistributed to AR1by theMN it is important to guarantee

that a compromise of the current L3 key (1198700) does not induce

that of the future L3 key (1198701) namely the domino effect

should be suppressed For this purpose double public-keyencryptions are applied to 119870

1before distribution the one

with the public key of AR1and the other with that of AR

0

In our proposed protocol the authenticity of the public keyof AR

1is protected by 119870

0 However if 119870

0is compromised

1198701can also be exposed to an adversary Therefore it is also

protected by the public key of AR0which has been provided

to the MN during the previous handover sessionAn IPv6 address of theMNon the subnet ofAR

119894is formed

as 119862119900119860119894(= 119875119903119890119891119894119909

119894 119868119868119863

119894) where 119868119868119863

119894is an 64-bit interface

identifier There are two ways of configuring IID the typicalone is based on the L2 address of the MN and the other isusing a random number as IID In our proposed protocol wealso use the random number but in a slightly different wayIt is derived as follows 119868119868119863

119894= ℎ64(119903119894) based on a random

number 119903119894selected by the MN When moving from AR

119894to

AR119894+1

the MN should reveal the random number 119903119894to prove

that 119862119900119860119894was generated and owned by the MN So 119862119900119860

119894

plays a role of a commitment A main reason to use thismechanism is to defend against a session hijacking attackwhen the current L3 key is compromised

32 Initial Network Access Protocol When the MN initiallyassociates with AP

0to access the network service (e in

Figure 2) it performs full IEEE 8021x-EAP authentication

with the AAA (f in Figure 2) As a result theMSK0is shared

between them and the information (AR0and 119890119875119870AR0) for the

default router of the MN is passed to the MN Subsequentlythe AAA derives two L3 keys IK and 119870

0which are truncated

fromMSK0and transports them with119872119873NAI securely to the

default router where119872119873NAI is the Network Access Identifier(NAI) of the MN IK is an initial L3 configuration key while1198700is an L3 handover key based onwhich an L2 key (PMK

0) is

also derived Then AR0pushes 119875119872119870

0= 119896119889119891(119870

0119872119873119860119875

0)

into AP0(g in Figure 2)

MN and AP0denote the L2 addresses of the MN and

AP0 while AR

0denotes the L3 addresses of AR

0 The 4-

way Handshake based on the PMK0is executed between the

MN and AP0in order for the MN to attach to a subnet of

AR0(subnet

0) through AP

0(h in Figure 2) Finally the MN

performs an L3 configuration to check whether its IPv6 care-of-address CoA

0 is duplicate on the subnet of AR

0

MN 997888rarr AR0 119877119905119878119900119897 119877MN119872119873NAI119872119860119862 (119868119870)

MN larr997888 AR0 119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199090119872119860119862 (119868119870)

MN 997888rarr AR0 119862119900119899119891 119877

0 1198621199001198600119872119860119862 (119868119870)

(3)

TheMN sends an Router Solicitation (RtSol) message to AR0

Based on 119872119873NAI AR0 can retrieve IK and can respondto the RtSol message by sending a Router Advertisement(RtAdv) message The RtAdv message contains the subnetprefix of AR

0 Prefix

0 from which the MN configures CoA

0

(= 1198751199031198901198911198941199090 119868119868119863

0) and the MN then sends a Configuration

(Conf ) message where the interface identifier 1198681198681198630= ℎ64(1199030)

is computed based on a random number 1199030generated by

the MN If CoA0is verified to be unique on the subnet

the initial network access protocol is successfully terminatedEventually (CoA

0 1198700) is stored into the neighbor cache of

AR0

33 Proposed Secure Handover Procedure Suppose an L2handover accompanying an L3 handover occurs from AP

0to

AP1 A sequence of signaling messages is shown in Figure 3

where the L3 key 1198700 at the subnet

0has already been

shared between the MN and AR0as a result of a previous

handover process or an initial network access After receivingthe RtSolPr message AR

0responds by sending a PrRtAdv

message with a subnet prefix of AR1(Prefix

1) and the public

key of AR1(119890119875119870AR1)

MN 997888rarr AR0 119877119905119878119900119897119875119903 119877MN119872119860119862 (119870

0) (4)

MN larr997888 AR0 119875119903119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199091 119890119875119870AR1

119872119860119862 (1198700)

(5)

MN 997888rarr AR0 119865119861119880 119877

0 1198621199001198601

[1199030 [119862119900119860

1 1198701] 119890119875119870AR1] 119890119875119870AR0 119872119860119862 (119870

0)

(6)

After configuring CoA1(= 119875119903119890119891119894119909

1 119868119868119863

1) where 119868119868119863

1=

ℎ64(1199031) is computed based on a random number 119903

1 the MN

generates a new L3 key 1198701 and sends an FBU message

Mobile Information Systems 5

(

(L2 connection)

(L3 configuration)

AAA

MNL3 configuration

AP0

❶

❷

❹

❸

❶ (L2) association with AP0

❷ (L2) 8021x-EAP authentication with AAA

❹ (L2) 4-way handshake with AP0

❸ distribution(L2) L2 key PMK0)(iii)(ii) MSK0 is shared between MN and AAA

IKand K0 are shared between MN and AR0

MN larr AR0 MN rarr AR0

AR0

PMK0

K0

= Connected to AP0 =

(i) (AR0 ) is passed to MN

MN rarr AR0 RtSolRMNMNNAIMAC(IK)RtAdvRMN R0 Prefix0MAC(IK)ConfR0 CoA0 MAC(IK)

ePKAR0

Figure 2 Proposed initial network access protocol

MN c Associationauthentication

Traffic for MN

Subnet0 Subnet1

AP1

AP0

AR1

PMK1a d

b

K1

= K1 is shared between MN and AR1 == L2 key distribution (PMK1) =

❶ (L2) reassociation with AP1

❷ (L2) 4-way handshake with AP1

MN rarr AR0 MN larr AR0 PrRtAdv

RtSolPr

FBU

MN rarr AR0

AR0

AR0 rarr AR1 HIAR0 larr AR1 HackMN larr AR0 FBack

MN rarr AR1 UNA

= Connected to AP1 =

= Disconnected from AP0 =

(L3) request to tunnel

(L2) associationauthentication

(L3) request to forward

(L3) tunnel establishment

Figure 3 Proposed secure handover protocol

to AR0(sbquo in Figure 3) Since 119870

1is to be shared with

AR1 it is first encrypted with the public key of AR

1

119890119875119870AR1 subsequently encrypted with the public key of AR0

119890119875119870AR0 When receiving the FBU message AR0first obtains

1199030 [119862119900119860

1 1198701]119890119875119870AR1 after decryption in order to check if

ℎ64(1199030) is equal to IID

0of CoA

0 If not the message is proven

to be not sent from the MN whose IPv6 address is CoA0and

the handover protocol is abortedOtherwise the L3 key1198700 is

eventually passed to the target AR1for the purpose of sharing

it with the MN at the subnet1 A reason to encrypt 119870

1twice

is to defend against an L3 key compromise attack which willbe more discussed in Section 43 Consider

A secure channel between AR0and AR

1

119867119868 1198621199001198600 1198621199001198601 [119862119900119860

1 1198701] 119890119875119870AR1

119867119886119888119896

MN larr997888 AR0 119865119861119886119888119896 119872119860119862 (119870

0)

MN 997888rarr AR1 119880119873119860119872119860119862 (119870

1)

(7)

The target router AR1obtains 119870

1through the HI message

after decryption and 1198701will be used to derive the L2 key

1198751198721198701

= 119896119889119891(1198701119872119873119860119875

1) and to secure the future L3

handover AR1pushes PMK

1into AP

1

After reassociating with AP1(e in Figure 3) the MN

performs a 4-wayHandshake (f in Figure 3) based on PMK1

without IEEE 8021x-EAP authentication with the AAASubsequently theMN sends anUNAmessage to request AR

1

to deliver the buffered packets forwarded from AR0( in

Figure 3) (CoA11198701) is finally stored into the neighbor cache

of AR1

4 Security Analysis and Comparisons

41 Comparison of KeyManagement Schemes In this Sectionthree key management schemes are compared security-enhanced IEEE 80211-based FMIPv6 [8 9] IntegratedScheme [10] and our proposed scheme which are denotedas Schemes 1 2 and 3 respectively In case of Scheme 1the security mechanisms [8 9] to secure the L3 signalingmessages are added to the original IEEE 80211-based FMIPv6[5] However there are no key management in that both L3and L2 keys are separately generated and maintained mean-ing that IEEE 8021x-EAP authentication (D in Figure 4(a))should be performed on each L3 handover A method tointegrate the L3 key with the L2 key has been proposed inScheme 2 Before the MN moves to a new AP attached tothe target subnet AR

1 it requests the AAA to transport a

new L3 key (1198701) to AR

1 and then a new L2 key (PMK

1)

6 Mobile Information Systems

d

b

c

AP0

AR0 AR1

AP1

MN

AAAa

PMK1

(a) Scheme 1

AP0

AP1

AAA

MN

AR1AR0

a d

b

PMK1

K1

c

(b) Scheme 2

AP0

AP1

MN

AR1AR0

a d

b

c

PMK1K1

(c) Scheme 3

Figure 4 Comparison of key management schemes

derived from it is pushed into AP1(permil in Figure 4(b)) But

the interactionwith theAAA cannot be skipped either duringthe L3 handover On the other hand in the proposed scheme(Scheme 3) of Figure 4(c) IEEE 8021x-EAP authenticationis performed only once during the initial network access inFigure 1 During a handover from AR

0to AR

1 a new L3 key

is sent to AR1via AR

0Therefore both theMN andAR

1share

1198701 which can be used to secure L3 signaling messages and

to derive a new L2 key (PMK1) in the target subnet Since

1198701is proactively distributed to AR

1before the MN moves

from AR0to AR

1 the MN can perform a 4-way Handshake

immediately after reassociating with AP1(D in Figure 4(c))

42 Replay and Redirection Attacks In order to guarantee thefreshness of FMIPv6 signalingmessages to be precise to pro-tect from a replay attack challenge-response authenticationbased on the random numbers (119877MN and 119877

0) is employed for

our proposed scheme A scenario to which the replay attackis applied is as follows the MN is attached again to AR

0at

handover session 119894 while it has been attached to the sameAR0at handover session 119895 (119894 gt 119895) Suppose the MN has

moved to AR1during the handover session 119895 and plans now

tomove to AR2during the handover session 119894 In this case an

adversary can try to replay the FMIPv6 signaling messagesused during the handover session 119895 to redirect the traffic forthe MN However the replay attack is not successful due toboth nonce values and the L3 key which is unique for eachhandover session

43 Compromised L3 Key and Session Hijacking Attack Acase of the L3 key compromise is considered in this sectionWe show that our proposed scheme is secure against asession hijacking attack through redirection even though thecurrent L3 key 119870

0 of (5) and (6) is exposed to an adversary

To protect the FBU message in Section 33 our proposedsecurity scheme employs two public-key encryptions with119890119875119870AR0 and 119890119875119870AR1 as in (5) and (6)

TheMNobtains the public key of AR0(119890119875119870AR0) as a result

of an initial network access or a previous L3 handover whilethe public key of AR

1(119890119875119870AR1) is passed to the MN by AR

0

431 Session Hijacking by Redirection Attack Suppose anadversary A

(MN) disguising a victim MN knows the currentL3 key 119870

0and starts an L3 handover as follows

A(MN) 997888rarr AR

0 119877119905119878119900119897119875119903 119877lowastMN119872119860119862 (119870

0) (11

1015840)

A(MN) larr997888 AR

0 119875119903119877119905119860119889V 119877lowastMN 1198770 1198751199031198901198911198941199091

119890119875119870AR1 119872119860119862 (1198700)

(121015840)

A(MN) 997888rarr AR

0 119865119861119880 119877

0 119862119900119860lowast

1

[119903lowast

0 [119862119900119860

lowast

1 1198701] 119890119875119870AR1] 119890119875119870AR0 119872119860119862 (119870

0)

(131015840)

119877lowast

MN 119862119900119860lowast

1 and 119903

lowast

0are generated by A

(MN) that tries tohijack the current traffic for the MN (CoA

0) and forward

it to A(MN) (119862119900119860

lowast

1) When receiving the FBU message AR

0

Mobile Information Systems 7

obtains 119903lowast0after decryption and verifies if IID

0of the source

IPv6 address (CoA0) is identical to ℎ

64(119903lowast

0) If the verification

is not successful the protocol stops Since ℎ64(sdot) is based on

a one-way hash function and the 1199030used to derive IID

0is

known only to the MN all the adversary can do is attemptto guess 119903

0(the probability of 119903

0= 119903lowast

0is 2minus64) Since CoA

0

is valid only on the subnet0and keeps changing as the MN

moves the probability is negligible enough to defend againstsuch an attack

432 Session Hijacking by Man-in-the-Middle Attack Sup-pose an adversary A

(MN) knows the current L3 key1198700 and thevictim MN starts an L3 handover to request AR

0to forward

its traffic to CoA1 To see why the public-key encryption with

119890119875119870AR0 is required (6) is modified into (1310158401015840)

MN 997888rarr AR0 119865119861119880 119877

0 1198621199001198601 1199030

[1198621199001198601 1198701] 119890119875119870AR1 119872119860119862 (119870

0)

(1310158401015840)

Then the adversary can mount a man-in-the-middle attackas follows

MN 997888rarr AR0 119877119905119878119900119897119875119903 119877MN119872119860119862 (119870

0) (8)

A(MN) larr997888 AR

0 119875119903119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199091 119890119875119870AR1

119872119860119862 (1198700)

(9)

MN larr997888 A(MN) 119875119903119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199091 119890119875119870

lowast

AR1

119872119860119862 (1198700)

(10)

MN 997888rarr A(MN) 119865119861119880 119877

0 1198621199001198601 1199030

[1198621199001198601 1198701] 119890119875119870

lowast

AR1 119872119860119862 (1198700)

(11)

A(MN) 997888rarr AR

0 119865119861119880 119877

0 119862119900119860lowast

1 1199030

[119862119900119860lowast

1 1198701] 119890119875119870AR1 119872119860119862 (119870

0)

(12)

Namely A(MN) observing between the MN and AR

0modifies

119890119875119870AR1 of (9) into 119890119875119870lowast

AR1 of (10) generated by A(MN) so thatA(MN) can obtain a new L3 key 119870

1and hijack the traffic for

CoA1for the purpose of forwarding it to 119862119900119860

lowast

1 Eventually

the connection with AR1is turned over to A

(MN) On theother hand if (6) is used instead of (131015840) (11) and (12) arechanged into (19

1015840) and (20

1015840) respectively

MN 997888rarr A(MN) 119865119861119880 119877

0 1198621199001198601

[1199030 [119862119900119860

1 1198701] 119890119875119870

lowast

AR1] 119890119875119870AR0 119872119860119862 (1198700)

(191015840)

A(MN) 997888rarr AR

0 119865119861119880 119877

0 1198621199001198601

[1199030 [119862119900119860

1 1198701] 119890119875119870

lowast

AR1] 119890119875119870AR0 119872119860119862 (1198700)

(201015840)

When intercepting (191015840) A(MN) cannot modify CoA

1or

obtain 1198701since they are encrypted with 119890119875119870AR0 Therefore

when receiving [1198621199001198601 1198701]119890119875119870lowast

AR1 through the 119867119868 messageAR1aborts the current protocol since it cannot be decrypted

with 119890119875119870AR1 Therefore a compromise of the current L3 keydoes not induce that of the future L3 key

44 Security Comparisons Table 1 shows security compar-isons (Schemes 1 2 and 3) including the key managementcomparisons discussed in Section 41 It has been shown thatour proposed scheme is secure against the session hijackingattack in case of the L3 key compromise Scheme 1 is alsosecure since the L3 key is always generated and shared asa result of 8021x-EAP protocol However Scheme 2 ((2) inSection 23) is not secure when the L3 key is compromisedSuppose119870

0is exposed to an adversary A

(MN) and (13) can beobserved from the previous handover session

previous handover session with L3 key 119870119883

MN 997888rarr AR0 [1198700]119872119878119870

119877MN119872119860119862 (119872119878119870) 119872119860119862 (119870119883)

(13)

current handover session with L3 key 1198700(compromised)

A(MN)

997888rarr AR0 [1198700]119872119878119870

119877MN119872119860119862 (119872119878119870) 119872119860119862 (1198700)

(14)

In this case if the adversary replays a part of (13) as in (14)with the compromised L3 key 119870

0 then the adversary can

share the same L3 key with a new AR so that the adversarycan hijack the current session

45 AAA Issues for Security and Billing FMIPv6 can sup-port handover across different administrative domains Asmentioned before if the two ARs belong to two differentadministrative domains there should be a prior roamingagreement between them for security and billing Typicallythe accounting data (information about MNrsquos resource con-sumption) collected by the network devices in the visitingdomain is carried by the accounting protocol to the homedomain FMIPv6 over IEEE 80211 is followed by the MIPv6BU (Binding Update) protocol whose role is to inform MNrsquosHA (Home Agent) of the current AR There are two ser-vice providers Network Access Service Provider (NSP) andMobility Service Provider (MSP) in MIPv6 bootstrappingenvironment [15] The IEEE 80211-based FMIPv6 servicecan be provided by the NSP offering a basic network accessservice to MN while the MIPv6 BU service is provided bythe MSP So when the MIPv6 BU protocol is initiated MSPrsquosauthorizer (AAA) will be interacted with the MN and ARwhich is beyond the scope of this paper

5 Performance Analysis and Comparison

In this section the three handover latencies from the previousschemes (Schemes 1 and 2) and from the proposed scheme(Scheme 3) are compared We first describe the analyticalmobility model for the performance evaluation and then we

8 Mobile Information Systems

Table 1 Security comparisons

Scheme 1 Scheme 2 Scheme 3[8] [9] [10] [proposed one]

L3L2 key management None None Yes YesInteraction with AAA Required Required Required Not requiredL3 key generation by AR by MN by MN by MNL2 key generation 8021x-EAP 8021x-EAP from L3 key from L3 keyProtection for UNA None Provided Provided ProvidedSecurity attack due to L3 key compromise Secure Secure Insecure Secure

analyze and compare the handover costs and the numericresults of the analysis

51 Analytical Mobility Model For the sake of simplicity asquare-shapednetworkmodel is used to analyze and comparethe performance of the protocol under the three differentschemes In the square-shaped network model coverage ofthe entire administrative domain and that of each AP areall square-shaped and119873 APs are uniformly distributed overthe area of the administrative FMIPv6 domain Figure 5shows the square-shapedmobilitymodel where the bold linesindicate the boundary of the subnet consisting of 4APs (AP

01

AP02 AP03 and AP

04) connected to AR

0

The handover procedure is performed by the MNbetween ARs and APs Hence the handover rate is closelyrelated to the mobility pattern of MN The Fluid Flow (FF)model is widely used to analyze issues related to cell boundarycrossing such as a handover [16]The FFmodel is suitable forMNs with a static speed and direction of motion We adaptthe FFmodel for use as themobilitymodel Let 119897 and 119871 denotethe perimeter of each AP and AR while V and 119901 respectivelydenote the average velocity and density of MN The MNsare uniformly distributed with a density 119901 and they moveat an average velocity of V in directions that are uniformlydistributed over [0 2120587] In the next analysis V is varied from01ms to 5ms and 119901 is set to 00002MNsm2 (200MNs perKm2) Let 119877

119888and 119877

119889be the crossing rates over the coverage

of each AP and AR respectively They are then defined asfollows

119877119888=

119901V119897120587

119877119889=

119901V119871120587

(where 119871 = 119897radic119873)

(15)

52 Handover Cost Analysis and Numerical Results In IEEE80211-based FMIPv6 an MN performs L2 and L3 handoverprocedures When an MN changes its current address to anew AR the MN performs an L3 handover procedure Onthe other hand if an MN changes its current AP to anotherone connected to the same AR then MN performs an L2handover procedure In this section the average handovercost per MN is defined as the sum of the cost of the L3handover and the cost of the L2 handover per unit time in

APs (L2 handover occurs)

ARs (L2 L3 handover occurs)

AP01

AP03 AP04

AP02

AR0

Figure 5 Square-shaped mobility model (119873 = 4)

order to provide results for the performance comparison Let119860119895be the average handover cost per MN in unit of time and

119868119895and119867

119895are the L3 handover cost and the L2 handover cost

for Scheme 119895 (= 1 2 3) respectively 119868119895and 119867

119895are defined

as the sum of the signaling cost 119878119895and the processing cost

119875119895for the L3 and L2 handovers respectively Based on (15)

the average handover cost per MN 119860119895 can be calculated as

follows [16] where119882AR is the area of an AR domain

119860119895=

(119877119889sdot 119868119895+ (119873 sdot 119877

119888minus 119877119889) sdot 119867119895)

(119901 sdot 119882AR)

(where 119868119895(119867119895) = 119878119895+ 119875119895)

(16)

The parameter descriptions and values for the performancecomparison referenced from [16] are defined in Table 2Note that the values other than 119901 V 119897 and119873 are defined ldquorel-ativelyrdquo for the purpose of this comparison so the handovercost does not indicate the actual authentication delay for thecorresponding scheme

Using the parameters in Table 2 the L2 and L3 handovercosts and the average handover cost can be calculated basedon (17) The 119875

119895MN 119875119895AP 119875119895AR0 119875119895AR1 and 119875119895AAA indicate

the processing costs on MN AP AR0 AR1 and AAA

respectively of Scheme 119895 and each of them is also calculatedfrom the cost of cryptographic operations such as 119862key and119862hash Let the number of hops between any two relatively close

Mobile Information Systems 9

Table 2 Parameters for evaluation

Symbol Description Valuep Density in a cell (MNsm2) 00002MNsm2

v Average velocity of an MN (ms) 5ms (01sim5)l Perimeter of APrsquos coverage (m) 120mN Number of APs in an AR 5APs (1sim10)119862enc 119862dec Encryption costdecryption cost 1119862key Key generation cost 1119862int Message integrity code cost 025119862hash Hash cost 025119862kdf KDF cost 025119862rand Random number generation cost 025119862hop Transmission cost on the hop 10119862pub Public key operation cost 10119862wired Unit of transmission cost for a wired link 1119862wireless Unit of transmission cost for a wireless link 15119863AP-AAA Number of hops between AP and AAA 10119863AP-AR Number of hops between AP and AR 2

network devices (such as MN-to-AP AP-to-AP and AR-to-AR) be 1 119886

119895119894and 119887119895119896are specific coefficients of Scheme 119895

119875119895= sum

119894isin119876

119886119895119894119875119895119894

where 119876 = 1198721198731198601198751198601198770 1198601198771 119860119860119860

119878119895= 119862hop [119862wireless

+ 119862wired (1198871198951 + 1198871198952119863AP-AAA + 119887

1198953119863AP-AR)]

(17)

The handover cost of each scheme evaluated according toTable 2 is shown in Figure 6 Figure 6(a) compares the L3handover costs of the three schemes It can be observed thatthe main contributor to the handover cost is the signalingcost 119878

119895 and the handover cost of the previous schemes is

larger than that of the proposed scheme as a result in thedifference of when the interaction between theMN and AAAis required Figure 6(b) shows the average handover cost perMN as the average velocity of the MN increases The densityof MN 119901 is set to 00002 the number of APs in an AR119873 isset to 5 and the velocity of anMNvaries from01ms to 5msThe average handover cost for three schemes increases as thevelocity increases Figure 6(c) shows the impact the numberof APs in an AR has on the average handover cost per MNThe density of MN 119901 is set to 00002 and the velocity of anMN V is set to 5 The average handover cost decreases as thenumber of APs in an AR increases

As we can see from Figures 6(a) 6(b) and 6(c) theproposed scheme is much more or slightly efficient than theprevious schemes Figure 6(d) shows the impacts that thevelocity of MN and the number of APs in an AR have onthe average handover cost for the proposed scheme Theaverage handover cost increases rapidly as the velocity of

MN increases However the average handover cost decreasesgradually as the number of APs in anAR increasesThereforethe velocity of MN rather than the number of APs in an ARis a more important factor to consider in order to achieve anefficient handover

6 Conclusions

We have designed a key management and security scheme toenhance L2L3 handover security and to reduce the authen-tication delay induced by the L3 handover The proposedscheme is based on the original IEEE 80211-based FMIPv6where first based on the security assumptions an initialnetwork access protocol has been proposed to bootstrap thesecurity associations among the network entities Second across-layer key management process has been introduced tointegrate the L2 key with the L3 key Namely the L3 key canbe judiciously employed to derive the L2 key so that the time-consuming IEEE 8021x-EAP authentication with the AAAcan be skipped Third a method for protecting the seven L3signaling messages has been proposed as well as a scheme tosecurely transport the L3 key to the target AR In particularthe case of a compromised L3 key has been considered forwhich even though the L3 key at the subnet of the currentAR is compromised an adversary with the compromisedL3 key cannot perform any kind of redirection attack Inother words a domino effect can be suppressed FMIPv6 overIEEE 80211 is followed by the MIPv6 BU (Binding Update)protocol which involves an interaction with the AAA of theMSP In the integrated scenario of MIPv6 bootstrapping theMSPplays the role of theNSP while theMSP andNSP are twodistinct service providers in the split scenario As a follow-up to the current research the AAA issues for security andbilling will be more investigated considering both the splitand integrated scenarios for MIPv6 bootstrapping

10 Mobile Information Systems

0

500

1000

1500H

ando

ver c

ost

Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

MN AP AAAEntities

AR0 AR1 Pj Sj

(a) L3 handover cost

0

50

100

150

200

05 1 15 2 25 3 35 4 45 5

Aver

age h

ando

ver c

ost

Velocity of MN (ms)

Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

(b) Average handover cost (119873 = 5)

0

50

100

150

200

250

300

350

1 2 3 4 5 6 7 8 9 10

Aver

age h

ando

ver c

ost

Number of APs in an AR (N)Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

(c) Average handover cost (V = 5)

hand

over

cost

= 1

= 4

= 7 = 10

050

100150200

12345678910

Aver

age

Number of APs in an AR (N)0ndash5050ndash100(d) Average handover cost of proposed scheme

Figure 6 Numerical Results

Notations

119872119860119862(119870) Message authentication code computedover all preceding message fields using asymmetric key 119870

[119898]119870 Encryption of119898 using symmetric key119870

119896119889119891(sdot) Key derivation function119877119883 Random number generated by119883 (119883 =

MN 0 for AR0 1 for AR

1)

Nonce Nonce parameterℎ(sdot) One-way hash functionℎ64(sdot) 64-bit truncation from the output of ℎ(sdot)

119870119894 L3 key shared between MN and AR

119894

119875119872119870119894 L2 key shared between MN and AP

119894

119875119870119883 119878119870119883 A pair of public and private keys of119883 used

for the signature119890119875119870119883 119890119878119870119883 A pair of public and private keys of119883 usedfor the encryption

119878119894119892(119878119870119883) A digital signature based on the signingprivate key 119878119870

119883covering all preceding

message fields[119898]119890119875119870

119883 Encryption of119898 with the public key 119890119875119870

119883

of119883 (119883 = MN 0 for AR0 1 for AR

1)

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This research was supported by the Employment Contractbased Master Degree Program for Information Securitysupervised by the KISA (Korea Internet Security Agency)and also supported by the MSIP (Ministry of Science ICT

Mobile Information Systems 11

and Future Planning) Republic of Korea under the CPRC(Communications Policy Research Center) Support Programsupervised by the KCA (Korea Communications Agency)(KCA-2013-003)

References

[1] R Koodli ldquoMobile IPv6 fast handoversrdquo RFC 5268 2008[2] C PerkinsD Johnson and J Arkko ldquoMobility support in IPv6rdquo

RFC 6725 2011[3] IEEE 80211 Wireless LAN Medium Access Control (MAC) and

Physical Layer (PHY) Specifications IEEE Standard 2012[4] B Aboba L Blunk J Vollbrecht J Carlson and H Levkowetz

ldquoExtensible authentication protocol (EAP)rdquo RFC 3748 2004[5] P McCann ldquoMobile IPv6 fast handovers for 80211 networksrdquo

RFC 4260 2005[6] Y SongM Liu Z Li andQ Li ldquoHandover latency of predictive

FMIPv6 in IEEE 80211 WLANs a cross layer perspectiverdquo inProceedings of the 18th International Conference on ComputerCommunications and Networks (ICCCN rsquo09) pp 1ndash6 SanFrancisco Calif USA August 2009

[7] M Alnas I Awan and R D W Holton ldquoPerformance eval-uation of fast handover in mobile IPv6 based on link-layerinformationrdquo Journal of Systems and Software vol 83 no 10pp 1644ndash1650 2010

[8] J Kempf and R Koodli ldquoDistributing a symmetric fast mobileIPv6 handover key using secure neighbor discoveryrdquo RFC 52692008

[9] C-S Park ldquoSecurity-enhanced fast mobile IPv6 handoverrdquoIEICE Transactions on Communications vol E93-B no 1 pp178ndash181 2010

[10] J Choi and S Jung ldquoAn integrated handover authentication forFMIPv6 over heterogeneous access link technologiesrdquoWirelessPersonal Communications vol 71 no 2 pp 839ndash856 2013

[11] L Xu Y He X Chen and X Huang ldquoTicket-based handoffauthentication for wireless mesh networksrdquo Computer Net-works vol 73 pp 185ndash194 2014

[12] R Singh and T P Sharma ldquoA key hiding communicationscheme for enhancing the wireless LAN securityrdquo WirelessPersonal Communications vol 77 no 2 pp 1145ndash1165 2014

[13] X Li F Bao S Li and J Ma ldquoFLAP An efficient WLAN initialaccess authentication protocolrdquo IEEE Transactions on Paralleland Distributed Systems vol 25 no 2 pp 488ndash497 2014

[14] I You K Sakurai and Y Hori ldquoA security analysis on Kempf-Koodlirsquos security scheme for fast Mobile IPv6rdquo IEICE Transac-tions on Communications vol 92 no 6 pp 2287ndash2290 2009

[15] K Chowdhury and A Yegin ldquoMobile IPv6 (MIPv6) bootstrap-ping for the integrated scenariordquo RFC 6621 2012

[16] G Li J Ma Q Jiang and X Chen ldquoA novel re-authenticationscheme based on tickets in wireless local area networksrdquo Journalof Parallel andDistributed Computing vol 71 no 7 pp 906ndash9142011

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

ArtificialNeural Systems

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

2 Mobile Information Systems

L3 handover

L2 handover

AR0

AP0

AP1

AR2

AR1

(a)

AAA

MNc Associationauthentication

Traffic for MN

L3 signaling messages

L2 signaling messages

d forwardtoRequesta tunneltoRequest

Tunnel establishment

AR0

AP0

AR1

AP1

Subnet0 Subnet1

b

(b)

(L3) request to tunnel

(L2) associationauthentication❶ Re-association ❷ 8021x-EAP with AAA❸ L2 key distribution ❹ 4-way handshake

(L3) request to forward

with AP1

with AP1

MN larr AR0 FBackAR0 larr AR1 Hack

(L3) tunnel establishmentMN rarr AR0 MN larr AR0 PrRtAdv

RtSolPrPrefix1

FBUCoA1

MN rarr AR0

AR0 rarr AR1 HICoA0CoA1

= Disconnected from AP0 =

= Connected to AP1 =

MN rarr AR1 UNA

(c)

Figure 1 L3 handover procedure of IEEE 80211-based FMIPv6

However it is still required for the MN to be interconnectedwith the AAA on each L3 handover and it has a securityproblem in that a session hijacking attack is feasible whichwill be shown in this paper

A new key management and security scheme is proposedto secure IEEE 80211-based FMIPv6 signaling messages Acontribution of this paper is twofold first a new L3 keyestablishment scheme is proposed which is secure againsta variety of session hijacking and redirection attacks in caseof an L3 key compromise Second unlike the original IEEE80211-based FMIPv6 where the MN would perform a fullIEEE 8021x-EAP authentication with the AAA on each L3handover the newly proposed scheme requires only oneIEEE 8021x-EAP authentication regardless of how many L3handovers occur Therefore the proposed scheme reducesthe handover latency that results from the lengthy IEEE8021x-EAP authentication In particular the proposed keymanagement scheme is of a cross-layer type in the sensethat the L2 keys are derived from the L3 key In Section 2the background of FMIPv6 over IEEE 80211 WLAN isintroduced along with related works A new keymanagementand security scheme is proposed in Section 3 The newscheme is analyzed and compared with previous schemes

in terms of security and performance in Sections 4 and 5Finally concluding remarks are given in Section 6

2 FMIPv6 over IEEE 80211 WLAN andRelated Works

21 FMIPv6 over IEEE 80211WLAN We consider a networkenvironment of Figure 1(a) where each subnet of the AR iscomprised of one or more APs When the MN moves fromAP0to AP

1 then both L3 and L2 handovers occur Namely

the MNrsquos subnet changes from subnet0to subnet

1

Suppose an L2 handover from AP0to AP

1is anticipated

as in Figure 1(b) By exchanging both the Router Solicitationfor Proxy Advertisement (RtSolPr) and the Proxy RouterAdvertisement (PrRtAdv)messages theMNconfigures a newcare-of-address (CoA) CoA

1 according to the subnet prefix

Prefix1 of AR

1 Then the MN sends a Fast Binding Update

(FBU) message to request AR0to forward packets destined

for theMN to AR1 (sbquo in Figure 1(c)) A tunnel is established

between AR0and AR

1by exchanging Handover Initiate

(HI) andHandover Acknowledgment (Hack) messages (ƒ inFigure 1(c)) where the HI message carries the current CoAof the MN CoA

0 and a new CoA CoA

1 to be used on

Mobile Information Systems 3

a subnet of AR1 The packets for the MN start to flow to and

are buffered at AR1 Then a Fast Binding Acknowledgment

(FBack)message is sent to theMN to notify of the completionof the tunnel establishment

When finally disconnected from AP0 namely when the

L2 handover occurs the MN reassociates with AP1(e in

Figure 1(c)) and performs a full IEEE 8021x-EAP authenti-cation with the AAA (f in Figure 1(c)) If it is successful L2key distribution starts based on the MSK

1shared between

the MN and AAA The PMK1truncated from the MSK

1is

securely distributed to AP1(g in Figure 1(c)) Subsequently

a 4-way Handshake (h in Figure 1(c)) based on PMK1is

performed between the MN and AP1 At this point the

MN is successfully attached to a subnet of AR1(subnet

1)

through AP1 Finally the MN sends an Unsolicited Neighbor

Advertisement (UNA) message to request AR1to deliver the

buffered packets forwarded from AR0( in Figure 1(c)) The

fields inherent to the L3 signaling messages (eg RtSolPr)are intentionally omitted for the sake of providing a simpleexplanation Instead they will be padded with the security-related fields when discussing the mechanism used to securethem

22 Threat Models and Problem Statements Without properprotection for L3 signaling messages in FMIPv6 (sbquo and inFigure 1) an adversary can forge or modify them to mount avariety of redirection attacks Unless the previous AR (AR

0

in Figure 1) can verify that the FBU message comes froman authorized MN legitimate traffic for the MN might beredirected to the adversary Furthermore the packets for theMN can be redirected to any other host to execute a floodingattack against it or against the subnet to which it belongsTheadversary can also forge the UNAmessage to steal the trafficdestined for the legitimate MN In order to avoid the aboveattacks security associations should be established betweenthe MN and ARs An L3 key shared between the MN andAR0is used to authenticate the L3 signaling messages of sbquo

in Figure 1 while the L3 signaling messages of in Figure 1can be authenticated based on another L3 key shared betweenthe MN and AR

1 Therefore it is necessary to embed L3 key

distribution protocol into the original 80211-based FMIPv6In particular the domino effect should be suppressed in caseof the L3 key compromise Namely the compromise of thecurrent L3 key should not induce that of the future L3 keyOn the other hand the 8021x-EAP authentication (f inFigure 1) is for the MN to share a new L2 key with the newAP attached to the target AR through AAA The L2 key isused for mutual authentication between theMN and the newAP However the authentication delay caused by the 8021x-EAP is amajor source of the handover delay since 8messagesshould be exchanged between the MN and AAA in case ofusing EAP-Transport Layer Security (TLS) method Henceif the 8021x-EAP can be skipped on each L3 handover of theIEEE 80211-based FMIPv6 the overall handover delay can begreatly improved

23 Previous Works Several security schemes [11ndash13] havebeen investigated for sharing the L2 key to protect L2signaling messages which are based on a concept of ticket

key hiding technique and authentication server respectivelyOn the other hand a security scheme [8] based on Crypto-graphically Generated Address (CGA) has been proposed tosecure L3 signaling messages (sbquo in Figure 1) CGA is formedby taking the IPv6 subnet prefix for a nodersquos subnet andcombining it with an interface identifier suffix formed as thehash of the nodersquos public key The L3 key 119870

0 generated by

AR0is encrypted using the public encryption key of MN

119890119875119870MN and it is sent to the MN Both RtSolPr and PrRtAdvmessages are protected by the digital signature while the FBUmessage is protected by the symmetric key The definition ofthe notations is shown in Notations section Consider

MN 997888rarr AR0 119877119905119878119900119897119875119903 119875119870MN 119890119875119870MN 119873119900119899119888119890

119878119894119892 (119878119870MN)

MN larr997888 AR0 119875119903119877119905119860119889V 119875119903119890119891119894119909

1 [1198700] 119890119875119870MN 119873119900119899119888119890

119878119894119892 (119878119870AR0)

MN 997888rarr AR0 119865119861119880 119862119900119860

1119872119860119862 (119870

0)

(1)

However the security scheme does not provide a methodto establish a security association between the MN andthe target router AR

1 so that the UNA message cannot be

protected and can be forged to steal the traffic destined forthe legitimate MN Furthermore a variety of DoS (Denial ofService) attacks can be mounted using the unauthenticatedUNA message which has also been mentioned in [14]Another security scheme [9] has been proposed to protectL3 signaling messages including the UNA message Thesecurity schemes proposed in [8 9] are only for protectingL3 signaling messages (sbquo and in Figure 1)

Integrated handover authentication scheme [10] has beenproposed to integrate the L3 key with the L2 key namely theL2 key can be derived directly from the L3 key Before theMN handovers to the target AR the MN transports a new L3key 119870

1 to AR

1through the AAA as in (2) where MSK is a

secret key shared between the MN and AAA SubsequentlyAR1distributes the L2 key (PMK

1) derived from the L3 key

(1198701) to the new AP A current L3 key 119870

0 is used to secure

the L3 signalingmessages (sbquo in Figure 1) while a new L3 key1198701 is for securing the L3 signaling messages ( in Figure 1)

Consider

MN 997888rarr AR0

[1198701]119872119878119870

119877MN119872119860119862 (119872119878119870) 119872119860119862 (1198700)

AR0997888rarr AR

1 [1198701]119872119878119870

119877MN119872119860119862 (119872119878119870)

AR1997888rarr AAA [119870

1]119872119878119870

119877MN119872119860119862 (119872119878119870)

AR1larr997888 AAA [119870

1]119872119878119870

119877MN

(2)

As mentioned in Section 22 it is desirable for the interactionwith theAAA to be skipped in order to speed up the handoverprocess However it has not actually been skipped insteadit has been placed on the L3 protocol Furthermore it is notsecure against the L3 key compromise attack Namely the

4 Mobile Information Systems

domino effect occurs in that if 1198700is compromised then 119870

1

is also compromised The security weakness will be morediscussed in Section 44

3 The Proposed Key Management andSecurity Scheme

A new cross-layer scheme for key management and associ-ated security is proposed where an L2 key is derived from anL3 key to speed up the L3 handover procedure accompanyingthe L2 handover so that it is similar to the one in [10]However there is much difference between them in termsof security and efficiency It is assumed that preestablishedsecurity associations exist between AR

0and AR

1 AR and

AP A security association between the MN and AAA is alsoassumed to exist for the initial access of MN to the networkThe notations used in this paper are shown in Notationssection

31 Design Principles Suppose an MN handover from asubnet of AR

0to that of AR

1 Two L3 keys are required to

protect the L3 signaling messages the one (1198700) on the subnet

of AR0and the other (119870

1) on the subnet of AR

1 Unlike

the previous schemes [8ndash10] based on the interaction withAAA the MN generates and distributes 119870

1proactively to

AR1before it moves from AR

0to AR

1 Furthermore the L2

key (PMK1) can be derived from 119870

1on the subnet of AR

1

and pushed into new AP1attached to AR

1 so that the IEEE

8021x-EAP can be skippedSince a new L3 key (119870

1) to be used after handover is

predistributed to AR1by theMN it is important to guarantee

that a compromise of the current L3 key (1198700) does not induce

that of the future L3 key (1198701) namely the domino effect

should be suppressed For this purpose double public-keyencryptions are applied to 119870

1before distribution the one

with the public key of AR1and the other with that of AR

0

In our proposed protocol the authenticity of the public keyof AR

1is protected by 119870

0 However if 119870

0is compromised

1198701can also be exposed to an adversary Therefore it is also

protected by the public key of AR0which has been provided

to the MN during the previous handover sessionAn IPv6 address of theMNon the subnet ofAR

119894is formed

as 119862119900119860119894(= 119875119903119890119891119894119909

119894 119868119868119863

119894) where 119868119868119863

119894is an 64-bit interface

identifier There are two ways of configuring IID the typicalone is based on the L2 address of the MN and the other isusing a random number as IID In our proposed protocol wealso use the random number but in a slightly different wayIt is derived as follows 119868119868119863

119894= ℎ64(119903119894) based on a random

number 119903119894selected by the MN When moving from AR

119894to

AR119894+1

the MN should reveal the random number 119903119894to prove

that 119862119900119860119894was generated and owned by the MN So 119862119900119860

119894

plays a role of a commitment A main reason to use thismechanism is to defend against a session hijacking attackwhen the current L3 key is compromised

32 Initial Network Access Protocol When the MN initiallyassociates with AP

0to access the network service (e in

Figure 2) it performs full IEEE 8021x-EAP authentication

with the AAA (f in Figure 2) As a result theMSK0is shared

between them and the information (AR0and 119890119875119870AR0) for the

default router of the MN is passed to the MN Subsequentlythe AAA derives two L3 keys IK and 119870

0which are truncated

fromMSK0and transports them with119872119873NAI securely to the

default router where119872119873NAI is the Network Access Identifier(NAI) of the MN IK is an initial L3 configuration key while1198700is an L3 handover key based onwhich an L2 key (PMK

0) is

also derived Then AR0pushes 119875119872119870

0= 119896119889119891(119870

0119872119873119860119875

0)

into AP0(g in Figure 2)

MN and AP0denote the L2 addresses of the MN and

AP0 while AR

0denotes the L3 addresses of AR

0 The 4-

way Handshake based on the PMK0is executed between the

MN and AP0in order for the MN to attach to a subnet of

AR0(subnet

0) through AP

0(h in Figure 2) Finally the MN

performs an L3 configuration to check whether its IPv6 care-of-address CoA

0 is duplicate on the subnet of AR

0

MN 997888rarr AR0 119877119905119878119900119897 119877MN119872119873NAI119872119860119862 (119868119870)

MN larr997888 AR0 119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199090119872119860119862 (119868119870)

MN 997888rarr AR0 119862119900119899119891 119877

0 1198621199001198600119872119860119862 (119868119870)

(3)

TheMN sends an Router Solicitation (RtSol) message to AR0

Based on 119872119873NAI AR0 can retrieve IK and can respondto the RtSol message by sending a Router Advertisement(RtAdv) message The RtAdv message contains the subnetprefix of AR

0 Prefix

0 from which the MN configures CoA

0

(= 1198751199031198901198911198941199090 119868119868119863

0) and the MN then sends a Configuration

(Conf ) message where the interface identifier 1198681198681198630= ℎ64(1199030)

is computed based on a random number 1199030generated by

the MN If CoA0is verified to be unique on the subnet

the initial network access protocol is successfully terminatedEventually (CoA

0 1198700) is stored into the neighbor cache of

AR0

33 Proposed Secure Handover Procedure Suppose an L2handover accompanying an L3 handover occurs from AP

0to

AP1 A sequence of signaling messages is shown in Figure 3

where the L3 key 1198700 at the subnet

0has already been

shared between the MN and AR0as a result of a previous

handover process or an initial network access After receivingthe RtSolPr message AR

0responds by sending a PrRtAdv

message with a subnet prefix of AR1(Prefix

1) and the public

key of AR1(119890119875119870AR1)

MN 997888rarr AR0 119877119905119878119900119897119875119903 119877MN119872119860119862 (119870

0) (4)

MN larr997888 AR0 119875119903119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199091 119890119875119870AR1

119872119860119862 (1198700)

(5)

MN 997888rarr AR0 119865119861119880 119877

0 1198621199001198601

[1199030 [119862119900119860

1 1198701] 119890119875119870AR1] 119890119875119870AR0 119872119860119862 (119870

0)

(6)

After configuring CoA1(= 119875119903119890119891119894119909

1 119868119868119863

1) where 119868119868119863

1=

ℎ64(1199031) is computed based on a random number 119903

1 the MN

generates a new L3 key 1198701 and sends an FBU message

Mobile Information Systems 5

(

(L2 connection)

(L3 configuration)

AAA

MNL3 configuration

AP0

❶

❷

❹

❸

❶ (L2) association with AP0

❷ (L2) 8021x-EAP authentication with AAA

❹ (L2) 4-way handshake with AP0

❸ distribution(L2) L2 key PMK0)(iii)(ii) MSK0 is shared between MN and AAA

IKand K0 are shared between MN and AR0

MN larr AR0 MN rarr AR0

AR0

PMK0

K0

= Connected to AP0 =

(i) (AR0 ) is passed to MN

MN rarr AR0 RtSolRMNMNNAIMAC(IK)RtAdvRMN R0 Prefix0MAC(IK)ConfR0 CoA0 MAC(IK)

ePKAR0

Figure 2 Proposed initial network access protocol

MN c Associationauthentication

Traffic for MN

Subnet0 Subnet1

AP1

AP0

AR1

PMK1a d

b

K1

= K1 is shared between MN and AR1 == L2 key distribution (PMK1) =

❶ (L2) reassociation with AP1

❷ (L2) 4-way handshake with AP1

MN rarr AR0 MN larr AR0 PrRtAdv

RtSolPr

FBU

MN rarr AR0

AR0

AR0 rarr AR1 HIAR0 larr AR1 HackMN larr AR0 FBack

MN rarr AR1 UNA

= Connected to AP1 =

= Disconnected from AP0 =

(L3) request to tunnel

(L2) associationauthentication

(L3) request to forward

(L3) tunnel establishment

Figure 3 Proposed secure handover protocol

to AR0(sbquo in Figure 3) Since 119870

1is to be shared with

AR1 it is first encrypted with the public key of AR

1

119890119875119870AR1 subsequently encrypted with the public key of AR0

119890119875119870AR0 When receiving the FBU message AR0first obtains

1199030 [119862119900119860

1 1198701]119890119875119870AR1 after decryption in order to check if

ℎ64(1199030) is equal to IID

0of CoA

0 If not the message is proven

to be not sent from the MN whose IPv6 address is CoA0and

the handover protocol is abortedOtherwise the L3 key1198700 is

eventually passed to the target AR1for the purpose of sharing

it with the MN at the subnet1 A reason to encrypt 119870

1twice

is to defend against an L3 key compromise attack which willbe more discussed in Section 43 Consider

A secure channel between AR0and AR

1

119867119868 1198621199001198600 1198621199001198601 [119862119900119860

1 1198701] 119890119875119870AR1

119867119886119888119896

MN larr997888 AR0 119865119861119886119888119896 119872119860119862 (119870

0)

MN 997888rarr AR1 119880119873119860119872119860119862 (119870

1)

(7)

The target router AR1obtains 119870

1through the HI message

after decryption and 1198701will be used to derive the L2 key

1198751198721198701

= 119896119889119891(1198701119872119873119860119875

1) and to secure the future L3

handover AR1pushes PMK

1into AP

1

After reassociating with AP1(e in Figure 3) the MN

performs a 4-wayHandshake (f in Figure 3) based on PMK1

without IEEE 8021x-EAP authentication with the AAASubsequently theMN sends anUNAmessage to request AR

1

to deliver the buffered packets forwarded from AR0( in

Figure 3) (CoA11198701) is finally stored into the neighbor cache

of AR1

4 Security Analysis and Comparisons

41 Comparison of KeyManagement Schemes In this Sectionthree key management schemes are compared security-enhanced IEEE 80211-based FMIPv6 [8 9] IntegratedScheme [10] and our proposed scheme which are denotedas Schemes 1 2 and 3 respectively In case of Scheme 1the security mechanisms [8 9] to secure the L3 signalingmessages are added to the original IEEE 80211-based FMIPv6[5] However there are no key management in that both L3and L2 keys are separately generated and maintained mean-ing that IEEE 8021x-EAP authentication (D in Figure 4(a))should be performed on each L3 handover A method tointegrate the L3 key with the L2 key has been proposed inScheme 2 Before the MN moves to a new AP attached tothe target subnet AR

1 it requests the AAA to transport a

new L3 key (1198701) to AR

1 and then a new L2 key (PMK

1)

6 Mobile Information Systems

d

b

c

AP0

AR0 AR1

AP1

MN

AAAa

PMK1

(a) Scheme 1

AP0

AP1

AAA

MN

AR1AR0

a d

b

PMK1

K1

c

(b) Scheme 2

AP0

AP1

MN

AR1AR0

a d

b

c

PMK1K1

(c) Scheme 3

Figure 4 Comparison of key management schemes

derived from it is pushed into AP1(permil in Figure 4(b)) But

the interactionwith theAAA cannot be skipped either duringthe L3 handover On the other hand in the proposed scheme(Scheme 3) of Figure 4(c) IEEE 8021x-EAP authenticationis performed only once during the initial network access inFigure 1 During a handover from AR

0to AR

1 a new L3 key

is sent to AR1via AR

0Therefore both theMN andAR

1share

1198701 which can be used to secure L3 signaling messages and

to derive a new L2 key (PMK1) in the target subnet Since

1198701is proactively distributed to AR

1before the MN moves

from AR0to AR

1 the MN can perform a 4-way Handshake

immediately after reassociating with AP1(D in Figure 4(c))

42 Replay and Redirection Attacks In order to guarantee thefreshness of FMIPv6 signalingmessages to be precise to pro-tect from a replay attack challenge-response authenticationbased on the random numbers (119877MN and 119877

0) is employed for

our proposed scheme A scenario to which the replay attackis applied is as follows the MN is attached again to AR

0at

handover session 119894 while it has been attached to the sameAR0at handover session 119895 (119894 gt 119895) Suppose the MN has

moved to AR1during the handover session 119895 and plans now

tomove to AR2during the handover session 119894 In this case an

adversary can try to replay the FMIPv6 signaling messagesused during the handover session 119895 to redirect the traffic forthe MN However the replay attack is not successful due toboth nonce values and the L3 key which is unique for eachhandover session

43 Compromised L3 Key and Session Hijacking Attack Acase of the L3 key compromise is considered in this sectionWe show that our proposed scheme is secure against asession hijacking attack through redirection even though thecurrent L3 key 119870

0 of (5) and (6) is exposed to an adversary

To protect the FBU message in Section 33 our proposedsecurity scheme employs two public-key encryptions with119890119875119870AR0 and 119890119875119870AR1 as in (5) and (6)

TheMNobtains the public key of AR0(119890119875119870AR0) as a result

of an initial network access or a previous L3 handover whilethe public key of AR

1(119890119875119870AR1) is passed to the MN by AR

0

431 Session Hijacking by Redirection Attack Suppose anadversary A

(MN) disguising a victim MN knows the currentL3 key 119870

0and starts an L3 handover as follows

A(MN) 997888rarr AR

0 119877119905119878119900119897119875119903 119877lowastMN119872119860119862 (119870

0) (11

1015840)

A(MN) larr997888 AR

0 119875119903119877119905119860119889V 119877lowastMN 1198770 1198751199031198901198911198941199091

119890119875119870AR1 119872119860119862 (1198700)

(121015840)

A(MN) 997888rarr AR

0 119865119861119880 119877

0 119862119900119860lowast

1

[119903lowast

0 [119862119900119860

lowast

1 1198701] 119890119875119870AR1] 119890119875119870AR0 119872119860119862 (119870

0)

(131015840)

119877lowast

MN 119862119900119860lowast

1 and 119903

lowast

0are generated by A

(MN) that tries tohijack the current traffic for the MN (CoA

0) and forward

it to A(MN) (119862119900119860

lowast

1) When receiving the FBU message AR

0

Mobile Information Systems 7

obtains 119903lowast0after decryption and verifies if IID

0of the source

IPv6 address (CoA0) is identical to ℎ

64(119903lowast

0) If the verification

is not successful the protocol stops Since ℎ64(sdot) is based on

a one-way hash function and the 1199030used to derive IID

0is

known only to the MN all the adversary can do is attemptto guess 119903

0(the probability of 119903

0= 119903lowast

0is 2minus64) Since CoA

0

is valid only on the subnet0and keeps changing as the MN

moves the probability is negligible enough to defend againstsuch an attack

432 Session Hijacking by Man-in-the-Middle Attack Sup-pose an adversary A

(MN) knows the current L3 key1198700 and thevictim MN starts an L3 handover to request AR

0to forward

its traffic to CoA1 To see why the public-key encryption with

119890119875119870AR0 is required (6) is modified into (1310158401015840)

MN 997888rarr AR0 119865119861119880 119877

0 1198621199001198601 1199030

[1198621199001198601 1198701] 119890119875119870AR1 119872119860119862 (119870

0)

(1310158401015840)

Then the adversary can mount a man-in-the-middle attackas follows

MN 997888rarr AR0 119877119905119878119900119897119875119903 119877MN119872119860119862 (119870

0) (8)

A(MN) larr997888 AR

0 119875119903119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199091 119890119875119870AR1

119872119860119862 (1198700)

(9)

MN larr997888 A(MN) 119875119903119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199091 119890119875119870

lowast

AR1

119872119860119862 (1198700)

(10)

MN 997888rarr A(MN) 119865119861119880 119877

0 1198621199001198601 1199030

[1198621199001198601 1198701] 119890119875119870

lowast

AR1 119872119860119862 (1198700)

(11)

A(MN) 997888rarr AR

0 119865119861119880 119877

0 119862119900119860lowast

1 1199030

[119862119900119860lowast

1 1198701] 119890119875119870AR1 119872119860119862 (119870

0)

(12)

Namely A(MN) observing between the MN and AR

0modifies

119890119875119870AR1 of (9) into 119890119875119870lowast

AR1 of (10) generated by A(MN) so thatA(MN) can obtain a new L3 key 119870

1and hijack the traffic for

CoA1for the purpose of forwarding it to 119862119900119860

lowast

1 Eventually

the connection with AR1is turned over to A

(MN) On theother hand if (6) is used instead of (131015840) (11) and (12) arechanged into (19

1015840) and (20

1015840) respectively

MN 997888rarr A(MN) 119865119861119880 119877

0 1198621199001198601

[1199030 [119862119900119860

1 1198701] 119890119875119870

lowast

AR1] 119890119875119870AR0 119872119860119862 (1198700)

(191015840)

A(MN) 997888rarr AR

0 119865119861119880 119877

0 1198621199001198601

[1199030 [119862119900119860

1 1198701] 119890119875119870

lowast

AR1] 119890119875119870AR0 119872119860119862 (1198700)

(201015840)

When intercepting (191015840) A(MN) cannot modify CoA

1or

obtain 1198701since they are encrypted with 119890119875119870AR0 Therefore

when receiving [1198621199001198601 1198701]119890119875119870lowast

AR1 through the 119867119868 messageAR1aborts the current protocol since it cannot be decrypted

with 119890119875119870AR1 Therefore a compromise of the current L3 keydoes not induce that of the future L3 key

44 Security Comparisons Table 1 shows security compar-isons (Schemes 1 2 and 3) including the key managementcomparisons discussed in Section 41 It has been shown thatour proposed scheme is secure against the session hijackingattack in case of the L3 key compromise Scheme 1 is alsosecure since the L3 key is always generated and shared asa result of 8021x-EAP protocol However Scheme 2 ((2) inSection 23) is not secure when the L3 key is compromisedSuppose119870

0is exposed to an adversary A

(MN) and (13) can beobserved from the previous handover session

previous handover session with L3 key 119870119883

MN 997888rarr AR0 [1198700]119872119878119870

119877MN119872119860119862 (119872119878119870) 119872119860119862 (119870119883)

(13)

current handover session with L3 key 1198700(compromised)

A(MN)

997888rarr AR0 [1198700]119872119878119870

119877MN119872119860119862 (119872119878119870) 119872119860119862 (1198700)

(14)

In this case if the adversary replays a part of (13) as in (14)with the compromised L3 key 119870

0 then the adversary can

share the same L3 key with a new AR so that the adversarycan hijack the current session

45 AAA Issues for Security and Billing FMIPv6 can sup-port handover across different administrative domains Asmentioned before if the two ARs belong to two differentadministrative domains there should be a prior roamingagreement between them for security and billing Typicallythe accounting data (information about MNrsquos resource con-sumption) collected by the network devices in the visitingdomain is carried by the accounting protocol to the homedomain FMIPv6 over IEEE 80211 is followed by the MIPv6BU (Binding Update) protocol whose role is to inform MNrsquosHA (Home Agent) of the current AR There are two ser-vice providers Network Access Service Provider (NSP) andMobility Service Provider (MSP) in MIPv6 bootstrappingenvironment [15] The IEEE 80211-based FMIPv6 servicecan be provided by the NSP offering a basic network accessservice to MN while the MIPv6 BU service is provided bythe MSP So when the MIPv6 BU protocol is initiated MSPrsquosauthorizer (AAA) will be interacted with the MN and ARwhich is beyond the scope of this paper

5 Performance Analysis and Comparison

In this section the three handover latencies from the previousschemes (Schemes 1 and 2) and from the proposed scheme(Scheme 3) are compared We first describe the analyticalmobility model for the performance evaluation and then we

8 Mobile Information Systems

Table 1 Security comparisons

Scheme 1 Scheme 2 Scheme 3[8] [9] [10] [proposed one]

L3L2 key management None None Yes YesInteraction with AAA Required Required Required Not requiredL3 key generation by AR by MN by MN by MNL2 key generation 8021x-EAP 8021x-EAP from L3 key from L3 keyProtection for UNA None Provided Provided ProvidedSecurity attack due to L3 key compromise Secure Secure Insecure Secure

analyze and compare the handover costs and the numericresults of the analysis

51 Analytical Mobility Model For the sake of simplicity asquare-shapednetworkmodel is used to analyze and comparethe performance of the protocol under the three differentschemes In the square-shaped network model coverage ofthe entire administrative domain and that of each AP areall square-shaped and119873 APs are uniformly distributed overthe area of the administrative FMIPv6 domain Figure 5shows the square-shapedmobilitymodel where the bold linesindicate the boundary of the subnet consisting of 4APs (AP

01

AP02 AP03 and AP

04) connected to AR

0

The handover procedure is performed by the MNbetween ARs and APs Hence the handover rate is closelyrelated to the mobility pattern of MN The Fluid Flow (FF)model is widely used to analyze issues related to cell boundarycrossing such as a handover [16]The FFmodel is suitable forMNs with a static speed and direction of motion We adaptthe FFmodel for use as themobilitymodel Let 119897 and 119871 denotethe perimeter of each AP and AR while V and 119901 respectivelydenote the average velocity and density of MN The MNsare uniformly distributed with a density 119901 and they moveat an average velocity of V in directions that are uniformlydistributed over [0 2120587] In the next analysis V is varied from01ms to 5ms and 119901 is set to 00002MNsm2 (200MNs perKm2) Let 119877

119888and 119877

119889be the crossing rates over the coverage

of each AP and AR respectively They are then defined asfollows

119877119888=

119901V119897120587

119877119889=

119901V119871120587

(where 119871 = 119897radic119873)

(15)

52 Handover Cost Analysis and Numerical Results In IEEE80211-based FMIPv6 an MN performs L2 and L3 handoverprocedures When an MN changes its current address to anew AR the MN performs an L3 handover procedure Onthe other hand if an MN changes its current AP to anotherone connected to the same AR then MN performs an L2handover procedure In this section the average handovercost per MN is defined as the sum of the cost of the L3handover and the cost of the L2 handover per unit time in

APs (L2 handover occurs)

ARs (L2 L3 handover occurs)

AP01

AP03 AP04

AP02

AR0

Figure 5 Square-shaped mobility model (119873 = 4)

order to provide results for the performance comparison Let119860119895be the average handover cost per MN in unit of time and

119868119895and119867

119895are the L3 handover cost and the L2 handover cost

for Scheme 119895 (= 1 2 3) respectively 119868119895and 119867

119895are defined

as the sum of the signaling cost 119878119895and the processing cost

119875119895for the L3 and L2 handovers respectively Based on (15)

the average handover cost per MN 119860119895 can be calculated as

follows [16] where119882AR is the area of an AR domain

119860119895=

(119877119889sdot 119868119895+ (119873 sdot 119877

119888minus 119877119889) sdot 119867119895)

(119901 sdot 119882AR)

(where 119868119895(119867119895) = 119878119895+ 119875119895)

(16)

The parameter descriptions and values for the performancecomparison referenced from [16] are defined in Table 2Note that the values other than 119901 V 119897 and119873 are defined ldquorel-ativelyrdquo for the purpose of this comparison so the handovercost does not indicate the actual authentication delay for thecorresponding scheme

Using the parameters in Table 2 the L2 and L3 handovercosts and the average handover cost can be calculated basedon (17) The 119875

119895MN 119875119895AP 119875119895AR0 119875119895AR1 and 119875119895AAA indicate

the processing costs on MN AP AR0 AR1 and AAA

respectively of Scheme 119895 and each of them is also calculatedfrom the cost of cryptographic operations such as 119862key and119862hash Let the number of hops between any two relatively close

Mobile Information Systems 9

Table 2 Parameters for evaluation

Symbol Description Valuep Density in a cell (MNsm2) 00002MNsm2

v Average velocity of an MN (ms) 5ms (01sim5)l Perimeter of APrsquos coverage (m) 120mN Number of APs in an AR 5APs (1sim10)119862enc 119862dec Encryption costdecryption cost 1119862key Key generation cost 1119862int Message integrity code cost 025119862hash Hash cost 025119862kdf KDF cost 025119862rand Random number generation cost 025119862hop Transmission cost on the hop 10119862pub Public key operation cost 10119862wired Unit of transmission cost for a wired link 1119862wireless Unit of transmission cost for a wireless link 15119863AP-AAA Number of hops between AP and AAA 10119863AP-AR Number of hops between AP and AR 2

network devices (such as MN-to-AP AP-to-AP and AR-to-AR) be 1 119886

119895119894and 119887119895119896are specific coefficients of Scheme 119895

119875119895= sum

119894isin119876

119886119895119894119875119895119894

where 119876 = 1198721198731198601198751198601198770 1198601198771 119860119860119860

119878119895= 119862hop [119862wireless

+ 119862wired (1198871198951 + 1198871198952119863AP-AAA + 119887

1198953119863AP-AR)]

(17)

The handover cost of each scheme evaluated according toTable 2 is shown in Figure 6 Figure 6(a) compares the L3handover costs of the three schemes It can be observed thatthe main contributor to the handover cost is the signalingcost 119878

119895 and the handover cost of the previous schemes is

larger than that of the proposed scheme as a result in thedifference of when the interaction between theMN and AAAis required Figure 6(b) shows the average handover cost perMN as the average velocity of the MN increases The densityof MN 119901 is set to 00002 the number of APs in an AR119873 isset to 5 and the velocity of anMNvaries from01ms to 5msThe average handover cost for three schemes increases as thevelocity increases Figure 6(c) shows the impact the numberof APs in an AR has on the average handover cost per MNThe density of MN 119901 is set to 00002 and the velocity of anMN V is set to 5 The average handover cost decreases as thenumber of APs in an AR increases

As we can see from Figures 6(a) 6(b) and 6(c) theproposed scheme is much more or slightly efficient than theprevious schemes Figure 6(d) shows the impacts that thevelocity of MN and the number of APs in an AR have onthe average handover cost for the proposed scheme Theaverage handover cost increases rapidly as the velocity of

MN increases However the average handover cost decreasesgradually as the number of APs in anAR increasesThereforethe velocity of MN rather than the number of APs in an ARis a more important factor to consider in order to achieve anefficient handover

6 Conclusions

We have designed a key management and security scheme toenhance L2L3 handover security and to reduce the authen-tication delay induced by the L3 handover The proposedscheme is based on the original IEEE 80211-based FMIPv6where first based on the security assumptions an initialnetwork access protocol has been proposed to bootstrap thesecurity associations among the network entities Second across-layer key management process has been introduced tointegrate the L2 key with the L3 key Namely the L3 key canbe judiciously employed to derive the L2 key so that the time-consuming IEEE 8021x-EAP authentication with the AAAcan be skipped Third a method for protecting the seven L3signaling messages has been proposed as well as a scheme tosecurely transport the L3 key to the target AR In particularthe case of a compromised L3 key has been considered forwhich even though the L3 key at the subnet of the currentAR is compromised an adversary with the compromisedL3 key cannot perform any kind of redirection attack Inother words a domino effect can be suppressed FMIPv6 overIEEE 80211 is followed by the MIPv6 BU (Binding Update)protocol which involves an interaction with the AAA of theMSP In the integrated scenario of MIPv6 bootstrapping theMSPplays the role of theNSP while theMSP andNSP are twodistinct service providers in the split scenario As a follow-up to the current research the AAA issues for security andbilling will be more investigated considering both the splitand integrated scenarios for MIPv6 bootstrapping

10 Mobile Information Systems

0

500

1000

1500H

ando

ver c

ost

Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

MN AP AAAEntities

AR0 AR1 Pj Sj

(a) L3 handover cost

0

50

100

150

200

05 1 15 2 25 3 35 4 45 5

Aver

age h

ando

ver c

ost

Velocity of MN (ms)

Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

(b) Average handover cost (119873 = 5)

0

50

100

150

200

250

300

350

1 2 3 4 5 6 7 8 9 10

Aver

age h

ando

ver c

ost

Number of APs in an AR (N)Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

(c) Average handover cost (V = 5)

hand

over

cost

= 1

= 4

= 7 = 10

050

100150200

12345678910

Aver

age

Number of APs in an AR (N)0ndash5050ndash100(d) Average handover cost of proposed scheme

Figure 6 Numerical Results

Notations

119872119860119862(119870) Message authentication code computedover all preceding message fields using asymmetric key 119870

[119898]119870 Encryption of119898 using symmetric key119870

119896119889119891(sdot) Key derivation function119877119883 Random number generated by119883 (119883 =

MN 0 for AR0 1 for AR

1)

Nonce Nonce parameterℎ(sdot) One-way hash functionℎ64(sdot) 64-bit truncation from the output of ℎ(sdot)

119870119894 L3 key shared between MN and AR

119894

119875119872119870119894 L2 key shared between MN and AP

119894

119875119870119883 119878119870119883 A pair of public and private keys of119883 used

for the signature119890119875119870119883 119890119878119870119883 A pair of public and private keys of119883 usedfor the encryption

119878119894119892(119878119870119883) A digital signature based on the signingprivate key 119878119870

119883covering all preceding

message fields[119898]119890119875119870

119883 Encryption of119898 with the public key 119890119875119870

119883

of119883 (119883 = MN 0 for AR0 1 for AR

1)

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This research was supported by the Employment Contractbased Master Degree Program for Information Securitysupervised by the KISA (Korea Internet Security Agency)and also supported by the MSIP (Ministry of Science ICT

Mobile Information Systems 11

and Future Planning) Republic of Korea under the CPRC(Communications Policy Research Center) Support Programsupervised by the KCA (Korea Communications Agency)(KCA-2013-003)

References

[1] R Koodli ldquoMobile IPv6 fast handoversrdquo RFC 5268 2008[2] C PerkinsD Johnson and J Arkko ldquoMobility support in IPv6rdquo

RFC 6725 2011[3] IEEE 80211 Wireless LAN Medium Access Control (MAC) and

Physical Layer (PHY) Specifications IEEE Standard 2012[4] B Aboba L Blunk J Vollbrecht J Carlson and H Levkowetz

ldquoExtensible authentication protocol (EAP)rdquo RFC 3748 2004[5] P McCann ldquoMobile IPv6 fast handovers for 80211 networksrdquo

RFC 4260 2005[6] Y SongM Liu Z Li andQ Li ldquoHandover latency of predictive

FMIPv6 in IEEE 80211 WLANs a cross layer perspectiverdquo inProceedings of the 18th International Conference on ComputerCommunications and Networks (ICCCN rsquo09) pp 1ndash6 SanFrancisco Calif USA August 2009

[7] M Alnas I Awan and R D W Holton ldquoPerformance eval-uation of fast handover in mobile IPv6 based on link-layerinformationrdquo Journal of Systems and Software vol 83 no 10pp 1644ndash1650 2010

[8] J Kempf and R Koodli ldquoDistributing a symmetric fast mobileIPv6 handover key using secure neighbor discoveryrdquo RFC 52692008

[9] C-S Park ldquoSecurity-enhanced fast mobile IPv6 handoverrdquoIEICE Transactions on Communications vol E93-B no 1 pp178ndash181 2010

[10] J Choi and S Jung ldquoAn integrated handover authentication forFMIPv6 over heterogeneous access link technologiesrdquoWirelessPersonal Communications vol 71 no 2 pp 839ndash856 2013

[11] L Xu Y He X Chen and X Huang ldquoTicket-based handoffauthentication for wireless mesh networksrdquo Computer Net-works vol 73 pp 185ndash194 2014

[12] R Singh and T P Sharma ldquoA key hiding communicationscheme for enhancing the wireless LAN securityrdquo WirelessPersonal Communications vol 77 no 2 pp 1145ndash1165 2014

[13] X Li F Bao S Li and J Ma ldquoFLAP An efficient WLAN initialaccess authentication protocolrdquo IEEE Transactions on Paralleland Distributed Systems vol 25 no 2 pp 488ndash497 2014

[14] I You K Sakurai and Y Hori ldquoA security analysis on Kempf-Koodlirsquos security scheme for fast Mobile IPv6rdquo IEICE Transac-tions on Communications vol 92 no 6 pp 2287ndash2290 2009

[15] K Chowdhury and A Yegin ldquoMobile IPv6 (MIPv6) bootstrap-ping for the integrated scenariordquo RFC 6621 2012

[16] G Li J Ma Q Jiang and X Chen ldquoA novel re-authenticationscheme based on tickets in wireless local area networksrdquo Journalof Parallel andDistributed Computing vol 71 no 7 pp 906ndash9142011

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

ArtificialNeural Systems

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mobile Information Systems 3

a subnet of AR1 The packets for the MN start to flow to and

are buffered at AR1 Then a Fast Binding Acknowledgment

(FBack)message is sent to theMN to notify of the completionof the tunnel establishment

When finally disconnected from AP0 namely when the

L2 handover occurs the MN reassociates with AP1(e in

Figure 1(c)) and performs a full IEEE 8021x-EAP authenti-cation with the AAA (f in Figure 1(c)) If it is successful L2key distribution starts based on the MSK

1shared between

the MN and AAA The PMK1truncated from the MSK

1is

securely distributed to AP1(g in Figure 1(c)) Subsequently

a 4-way Handshake (h in Figure 1(c)) based on PMK1is

performed between the MN and AP1 At this point the

MN is successfully attached to a subnet of AR1(subnet

1)

through AP1 Finally the MN sends an Unsolicited Neighbor

Advertisement (UNA) message to request AR1to deliver the

buffered packets forwarded from AR0( in Figure 1(c)) The

fields inherent to the L3 signaling messages (eg RtSolPr)are intentionally omitted for the sake of providing a simpleexplanation Instead they will be padded with the security-related fields when discussing the mechanism used to securethem

22 Threat Models and Problem Statements Without properprotection for L3 signaling messages in FMIPv6 (sbquo and inFigure 1) an adversary can forge or modify them to mount avariety of redirection attacks Unless the previous AR (AR

0

in Figure 1) can verify that the FBU message comes froman authorized MN legitimate traffic for the MN might beredirected to the adversary Furthermore the packets for theMN can be redirected to any other host to execute a floodingattack against it or against the subnet to which it belongsTheadversary can also forge the UNAmessage to steal the trafficdestined for the legitimate MN In order to avoid the aboveattacks security associations should be established betweenthe MN and ARs An L3 key shared between the MN andAR0is used to authenticate the L3 signaling messages of sbquo

in Figure 1 while the L3 signaling messages of in Figure 1can be authenticated based on another L3 key shared betweenthe MN and AR

1 Therefore it is necessary to embed L3 key

distribution protocol into the original 80211-based FMIPv6In particular the domino effect should be suppressed in caseof the L3 key compromise Namely the compromise of thecurrent L3 key should not induce that of the future L3 keyOn the other hand the 8021x-EAP authentication (f inFigure 1) is for the MN to share a new L2 key with the newAP attached to the target AR through AAA The L2 key isused for mutual authentication between theMN and the newAP However the authentication delay caused by the 8021x-EAP is amajor source of the handover delay since 8messagesshould be exchanged between the MN and AAA in case ofusing EAP-Transport Layer Security (TLS) method Henceif the 8021x-EAP can be skipped on each L3 handover of theIEEE 80211-based FMIPv6 the overall handover delay can begreatly improved

23 Previous Works Several security schemes [11ndash13] havebeen investigated for sharing the L2 key to protect L2signaling messages which are based on a concept of ticket

key hiding technique and authentication server respectivelyOn the other hand a security scheme [8] based on Crypto-graphically Generated Address (CGA) has been proposed tosecure L3 signaling messages (sbquo in Figure 1) CGA is formedby taking the IPv6 subnet prefix for a nodersquos subnet andcombining it with an interface identifier suffix formed as thehash of the nodersquos public key The L3 key 119870

0 generated by

AR0is encrypted using the public encryption key of MN

119890119875119870MN and it is sent to the MN Both RtSolPr and PrRtAdvmessages are protected by the digital signature while the FBUmessage is protected by the symmetric key The definition ofthe notations is shown in Notations section Consider

MN 997888rarr AR0 119877119905119878119900119897119875119903 119875119870MN 119890119875119870MN 119873119900119899119888119890

119878119894119892 (119878119870MN)

MN larr997888 AR0 119875119903119877119905119860119889V 119875119903119890119891119894119909

1 [1198700] 119890119875119870MN 119873119900119899119888119890

119878119894119892 (119878119870AR0)

MN 997888rarr AR0 119865119861119880 119862119900119860

1119872119860119862 (119870

0)

(1)

However the security scheme does not provide a methodto establish a security association between the MN andthe target router AR

1 so that the UNA message cannot be

protected and can be forged to steal the traffic destined forthe legitimate MN Furthermore a variety of DoS (Denial ofService) attacks can be mounted using the unauthenticatedUNA message which has also been mentioned in [14]Another security scheme [9] has been proposed to protectL3 signaling messages including the UNA message Thesecurity schemes proposed in [8 9] are only for protectingL3 signaling messages (sbquo and in Figure 1)

Integrated handover authentication scheme [10] has beenproposed to integrate the L3 key with the L2 key namely theL2 key can be derived directly from the L3 key Before theMN handovers to the target AR the MN transports a new L3key 119870

1 to AR

1through the AAA as in (2) where MSK is a

secret key shared between the MN and AAA SubsequentlyAR1distributes the L2 key (PMK

1) derived from the L3 key

(1198701) to the new AP A current L3 key 119870

0 is used to secure

the L3 signalingmessages (sbquo in Figure 1) while a new L3 key1198701 is for securing the L3 signaling messages ( in Figure 1)

Consider

MN 997888rarr AR0

[1198701]119872119878119870

119877MN119872119860119862 (119872119878119870) 119872119860119862 (1198700)

AR0997888rarr AR

1 [1198701]119872119878119870

119877MN119872119860119862 (119872119878119870)

AR1997888rarr AAA [119870

1]119872119878119870

119877MN119872119860119862 (119872119878119870)

AR1larr997888 AAA [119870

1]119872119878119870

119877MN

(2)

As mentioned in Section 22 it is desirable for the interactionwith theAAA to be skipped in order to speed up the handoverprocess However it has not actually been skipped insteadit has been placed on the L3 protocol Furthermore it is notsecure against the L3 key compromise attack Namely the

4 Mobile Information Systems

domino effect occurs in that if 1198700is compromised then 119870

1

is also compromised The security weakness will be morediscussed in Section 44

3 The Proposed Key Management andSecurity Scheme

A new cross-layer scheme for key management and associ-ated security is proposed where an L2 key is derived from anL3 key to speed up the L3 handover procedure accompanyingthe L2 handover so that it is similar to the one in [10]However there is much difference between them in termsof security and efficiency It is assumed that preestablishedsecurity associations exist between AR

0and AR

1 AR and

AP A security association between the MN and AAA is alsoassumed to exist for the initial access of MN to the networkThe notations used in this paper are shown in Notationssection

31 Design Principles Suppose an MN handover from asubnet of AR

0to that of AR

1 Two L3 keys are required to

protect the L3 signaling messages the one (1198700) on the subnet

of AR0and the other (119870

1) on the subnet of AR

1 Unlike

the previous schemes [8ndash10] based on the interaction withAAA the MN generates and distributes 119870

1proactively to

AR1before it moves from AR

0to AR

1 Furthermore the L2

key (PMK1) can be derived from 119870

1on the subnet of AR

1

and pushed into new AP1attached to AR

1 so that the IEEE

8021x-EAP can be skippedSince a new L3 key (119870

1) to be used after handover is

predistributed to AR1by theMN it is important to guarantee

that a compromise of the current L3 key (1198700) does not induce

that of the future L3 key (1198701) namely the domino effect

should be suppressed For this purpose double public-keyencryptions are applied to 119870

1before distribution the one

with the public key of AR1and the other with that of AR

0

In our proposed protocol the authenticity of the public keyof AR

1is protected by 119870

0 However if 119870

0is compromised

1198701can also be exposed to an adversary Therefore it is also

protected by the public key of AR0which has been provided

to the MN during the previous handover sessionAn IPv6 address of theMNon the subnet ofAR

119894is formed

as 119862119900119860119894(= 119875119903119890119891119894119909

119894 119868119868119863

119894) where 119868119868119863

119894is an 64-bit interface

identifier There are two ways of configuring IID the typicalone is based on the L2 address of the MN and the other isusing a random number as IID In our proposed protocol wealso use the random number but in a slightly different wayIt is derived as follows 119868119868119863

119894= ℎ64(119903119894) based on a random

number 119903119894selected by the MN When moving from AR

119894to

AR119894+1

the MN should reveal the random number 119903119894to prove

that 119862119900119860119894was generated and owned by the MN So 119862119900119860

119894

plays a role of a commitment A main reason to use thismechanism is to defend against a session hijacking attackwhen the current L3 key is compromised

32 Initial Network Access Protocol When the MN initiallyassociates with AP

0to access the network service (e in

Figure 2) it performs full IEEE 8021x-EAP authentication

with the AAA (f in Figure 2) As a result theMSK0is shared

between them and the information (AR0and 119890119875119870AR0) for the

default router of the MN is passed to the MN Subsequentlythe AAA derives two L3 keys IK and 119870

0which are truncated

fromMSK0and transports them with119872119873NAI securely to the

default router where119872119873NAI is the Network Access Identifier(NAI) of the MN IK is an initial L3 configuration key while1198700is an L3 handover key based onwhich an L2 key (PMK

0) is

also derived Then AR0pushes 119875119872119870

0= 119896119889119891(119870

0119872119873119860119875

0)

into AP0(g in Figure 2)

MN and AP0denote the L2 addresses of the MN and

AP0 while AR

0denotes the L3 addresses of AR

0 The 4-

way Handshake based on the PMK0is executed between the

MN and AP0in order for the MN to attach to a subnet of

AR0(subnet

0) through AP

0(h in Figure 2) Finally the MN

performs an L3 configuration to check whether its IPv6 care-of-address CoA

0 is duplicate on the subnet of AR

0

MN 997888rarr AR0 119877119905119878119900119897 119877MN119872119873NAI119872119860119862 (119868119870)

MN larr997888 AR0 119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199090119872119860119862 (119868119870)

MN 997888rarr AR0 119862119900119899119891 119877

0 1198621199001198600119872119860119862 (119868119870)

(3)

TheMN sends an Router Solicitation (RtSol) message to AR0

Based on 119872119873NAI AR0 can retrieve IK and can respondto the RtSol message by sending a Router Advertisement(RtAdv) message The RtAdv message contains the subnetprefix of AR

0 Prefix

0 from which the MN configures CoA

0

(= 1198751199031198901198911198941199090 119868119868119863

0) and the MN then sends a Configuration

(Conf ) message where the interface identifier 1198681198681198630= ℎ64(1199030)

is computed based on a random number 1199030generated by

the MN If CoA0is verified to be unique on the subnet

the initial network access protocol is successfully terminatedEventually (CoA

0 1198700) is stored into the neighbor cache of

AR0

33 Proposed Secure Handover Procedure Suppose an L2handover accompanying an L3 handover occurs from AP

0to

AP1 A sequence of signaling messages is shown in Figure 3

where the L3 key 1198700 at the subnet

0has already been

shared between the MN and AR0as a result of a previous

handover process or an initial network access After receivingthe RtSolPr message AR

0responds by sending a PrRtAdv

message with a subnet prefix of AR1(Prefix

1) and the public

key of AR1(119890119875119870AR1)

MN 997888rarr AR0 119877119905119878119900119897119875119903 119877MN119872119860119862 (119870

0) (4)

MN larr997888 AR0 119875119903119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199091 119890119875119870AR1

119872119860119862 (1198700)

(5)

MN 997888rarr AR0 119865119861119880 119877

0 1198621199001198601

[1199030 [119862119900119860

1 1198701] 119890119875119870AR1] 119890119875119870AR0 119872119860119862 (119870

0)

(6)

After configuring CoA1(= 119875119903119890119891119894119909

1 119868119868119863

1) where 119868119868119863

1=

ℎ64(1199031) is computed based on a random number 119903

1 the MN

generates a new L3 key 1198701 and sends an FBU message

Mobile Information Systems 5

(

(L2 connection)

(L3 configuration)

AAA

MNL3 configuration

AP0

❶

❷

❹

❸

❶ (L2) association with AP0

❷ (L2) 8021x-EAP authentication with AAA

❹ (L2) 4-way handshake with AP0

❸ distribution(L2) L2 key PMK0)(iii)(ii) MSK0 is shared between MN and AAA

IKand K0 are shared between MN and AR0

MN larr AR0 MN rarr AR0

AR0

PMK0

K0

= Connected to AP0 =

(i) (AR0 ) is passed to MN

MN rarr AR0 RtSolRMNMNNAIMAC(IK)RtAdvRMN R0 Prefix0MAC(IK)ConfR0 CoA0 MAC(IK)

ePKAR0

Figure 2 Proposed initial network access protocol

MN c Associationauthentication

Traffic for MN

Subnet0 Subnet1

AP1

AP0

AR1

PMK1a d

b

K1

= K1 is shared between MN and AR1 == L2 key distribution (PMK1) =

❶ (L2) reassociation with AP1

❷ (L2) 4-way handshake with AP1

MN rarr AR0 MN larr AR0 PrRtAdv

RtSolPr

FBU

MN rarr AR0

AR0

AR0 rarr AR1 HIAR0 larr AR1 HackMN larr AR0 FBack

MN rarr AR1 UNA

= Connected to AP1 =

= Disconnected from AP0 =

(L3) request to tunnel

(L2) associationauthentication

(L3) request to forward

(L3) tunnel establishment

Figure 3 Proposed secure handover protocol

to AR0(sbquo in Figure 3) Since 119870

1is to be shared with

AR1 it is first encrypted with the public key of AR

1

119890119875119870AR1 subsequently encrypted with the public key of AR0

119890119875119870AR0 When receiving the FBU message AR0first obtains

1199030 [119862119900119860

1 1198701]119890119875119870AR1 after decryption in order to check if

ℎ64(1199030) is equal to IID

0of CoA

0 If not the message is proven

to be not sent from the MN whose IPv6 address is CoA0and

the handover protocol is abortedOtherwise the L3 key1198700 is

eventually passed to the target AR1for the purpose of sharing

it with the MN at the subnet1 A reason to encrypt 119870

1twice

is to defend against an L3 key compromise attack which willbe more discussed in Section 43 Consider

A secure channel between AR0and AR

1

119867119868 1198621199001198600 1198621199001198601 [119862119900119860

1 1198701] 119890119875119870AR1

119867119886119888119896

MN larr997888 AR0 119865119861119886119888119896 119872119860119862 (119870

0)

MN 997888rarr AR1 119880119873119860119872119860119862 (119870

1)

(7)

The target router AR1obtains 119870

1through the HI message

after decryption and 1198701will be used to derive the L2 key

1198751198721198701

= 119896119889119891(1198701119872119873119860119875

1) and to secure the future L3

handover AR1pushes PMK

1into AP

1

After reassociating with AP1(e in Figure 3) the MN

performs a 4-wayHandshake (f in Figure 3) based on PMK1

without IEEE 8021x-EAP authentication with the AAASubsequently theMN sends anUNAmessage to request AR

1

to deliver the buffered packets forwarded from AR0( in

Figure 3) (CoA11198701) is finally stored into the neighbor cache

of AR1

4 Security Analysis and Comparisons

41 Comparison of KeyManagement Schemes In this Sectionthree key management schemes are compared security-enhanced IEEE 80211-based FMIPv6 [8 9] IntegratedScheme [10] and our proposed scheme which are denotedas Schemes 1 2 and 3 respectively In case of Scheme 1the security mechanisms [8 9] to secure the L3 signalingmessages are added to the original IEEE 80211-based FMIPv6[5] However there are no key management in that both L3and L2 keys are separately generated and maintained mean-ing that IEEE 8021x-EAP authentication (D in Figure 4(a))should be performed on each L3 handover A method tointegrate the L3 key with the L2 key has been proposed inScheme 2 Before the MN moves to a new AP attached tothe target subnet AR

1 it requests the AAA to transport a

new L3 key (1198701) to AR

1 and then a new L2 key (PMK

1)

6 Mobile Information Systems

d

b

c

AP0

AR0 AR1

AP1

MN

AAAa

PMK1

(a) Scheme 1

AP0

AP1

AAA

MN

AR1AR0

a d

b

PMK1

K1

c

(b) Scheme 2

AP0

AP1

MN

AR1AR0

a d

b

c

PMK1K1

(c) Scheme 3

Figure 4 Comparison of key management schemes

derived from it is pushed into AP1(permil in Figure 4(b)) But

the interactionwith theAAA cannot be skipped either duringthe L3 handover On the other hand in the proposed scheme(Scheme 3) of Figure 4(c) IEEE 8021x-EAP authenticationis performed only once during the initial network access inFigure 1 During a handover from AR

0to AR

1 a new L3 key

is sent to AR1via AR

0Therefore both theMN andAR

1share

1198701 which can be used to secure L3 signaling messages and

to derive a new L2 key (PMK1) in the target subnet Since

1198701is proactively distributed to AR

1before the MN moves

from AR0to AR

1 the MN can perform a 4-way Handshake

immediately after reassociating with AP1(D in Figure 4(c))

42 Replay and Redirection Attacks In order to guarantee thefreshness of FMIPv6 signalingmessages to be precise to pro-tect from a replay attack challenge-response authenticationbased on the random numbers (119877MN and 119877

0) is employed for

our proposed scheme A scenario to which the replay attackis applied is as follows the MN is attached again to AR

0at

handover session 119894 while it has been attached to the sameAR0at handover session 119895 (119894 gt 119895) Suppose the MN has

moved to AR1during the handover session 119895 and plans now

tomove to AR2during the handover session 119894 In this case an

adversary can try to replay the FMIPv6 signaling messagesused during the handover session 119895 to redirect the traffic forthe MN However the replay attack is not successful due toboth nonce values and the L3 key which is unique for eachhandover session

43 Compromised L3 Key and Session Hijacking Attack Acase of the L3 key compromise is considered in this sectionWe show that our proposed scheme is secure against asession hijacking attack through redirection even though thecurrent L3 key 119870

0 of (5) and (6) is exposed to an adversary

To protect the FBU message in Section 33 our proposedsecurity scheme employs two public-key encryptions with119890119875119870AR0 and 119890119875119870AR1 as in (5) and (6)

TheMNobtains the public key of AR0(119890119875119870AR0) as a result

of an initial network access or a previous L3 handover whilethe public key of AR

1(119890119875119870AR1) is passed to the MN by AR

0

431 Session Hijacking by Redirection Attack Suppose anadversary A

(MN) disguising a victim MN knows the currentL3 key 119870

0and starts an L3 handover as follows

A(MN) 997888rarr AR

0 119877119905119878119900119897119875119903 119877lowastMN119872119860119862 (119870

0) (11

1015840)

A(MN) larr997888 AR

0 119875119903119877119905119860119889V 119877lowastMN 1198770 1198751199031198901198911198941199091

119890119875119870AR1 119872119860119862 (1198700)

(121015840)

A(MN) 997888rarr AR

0 119865119861119880 119877

0 119862119900119860lowast

1

[119903lowast

0 [119862119900119860

lowast

1 1198701] 119890119875119870AR1] 119890119875119870AR0 119872119860119862 (119870

0)

(131015840)

119877lowast

MN 119862119900119860lowast

1 and 119903

lowast

0are generated by A

(MN) that tries tohijack the current traffic for the MN (CoA

0) and forward

it to A(MN) (119862119900119860

lowast

1) When receiving the FBU message AR

0

Mobile Information Systems 7

obtains 119903lowast0after decryption and verifies if IID

0of the source

IPv6 address (CoA0) is identical to ℎ

64(119903lowast

0) If the verification

is not successful the protocol stops Since ℎ64(sdot) is based on

a one-way hash function and the 1199030used to derive IID

0is

known only to the MN all the adversary can do is attemptto guess 119903

0(the probability of 119903

0= 119903lowast

0is 2minus64) Since CoA

0

is valid only on the subnet0and keeps changing as the MN

moves the probability is negligible enough to defend againstsuch an attack

432 Session Hijacking by Man-in-the-Middle Attack Sup-pose an adversary A

(MN) knows the current L3 key1198700 and thevictim MN starts an L3 handover to request AR

0to forward

its traffic to CoA1 To see why the public-key encryption with

119890119875119870AR0 is required (6) is modified into (1310158401015840)

MN 997888rarr AR0 119865119861119880 119877

0 1198621199001198601 1199030

[1198621199001198601 1198701] 119890119875119870AR1 119872119860119862 (119870

0)

(1310158401015840)

Then the adversary can mount a man-in-the-middle attackas follows

MN 997888rarr AR0 119877119905119878119900119897119875119903 119877MN119872119860119862 (119870

0) (8)

A(MN) larr997888 AR

0 119875119903119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199091 119890119875119870AR1

119872119860119862 (1198700)

(9)

MN larr997888 A(MN) 119875119903119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199091 119890119875119870

lowast

AR1

119872119860119862 (1198700)

(10)

MN 997888rarr A(MN) 119865119861119880 119877

0 1198621199001198601 1199030

[1198621199001198601 1198701] 119890119875119870

lowast

AR1 119872119860119862 (1198700)

(11)

A(MN) 997888rarr AR

0 119865119861119880 119877

0 119862119900119860lowast

1 1199030

[119862119900119860lowast

1 1198701] 119890119875119870AR1 119872119860119862 (119870

0)

(12)

Namely A(MN) observing between the MN and AR

0modifies

119890119875119870AR1 of (9) into 119890119875119870lowast

AR1 of (10) generated by A(MN) so thatA(MN) can obtain a new L3 key 119870

1and hijack the traffic for

CoA1for the purpose of forwarding it to 119862119900119860

lowast

1 Eventually

the connection with AR1is turned over to A

(MN) On theother hand if (6) is used instead of (131015840) (11) and (12) arechanged into (19

1015840) and (20

1015840) respectively

MN 997888rarr A(MN) 119865119861119880 119877

0 1198621199001198601

[1199030 [119862119900119860

1 1198701] 119890119875119870

lowast

AR1] 119890119875119870AR0 119872119860119862 (1198700)

(191015840)

A(MN) 997888rarr AR

0 119865119861119880 119877

0 1198621199001198601

[1199030 [119862119900119860

1 1198701] 119890119875119870

lowast

AR1] 119890119875119870AR0 119872119860119862 (1198700)

(201015840)

When intercepting (191015840) A(MN) cannot modify CoA

1or

obtain 1198701since they are encrypted with 119890119875119870AR0 Therefore

when receiving [1198621199001198601 1198701]119890119875119870lowast

AR1 through the 119867119868 messageAR1aborts the current protocol since it cannot be decrypted

with 119890119875119870AR1 Therefore a compromise of the current L3 keydoes not induce that of the future L3 key

44 Security Comparisons Table 1 shows security compar-isons (Schemes 1 2 and 3) including the key managementcomparisons discussed in Section 41 It has been shown thatour proposed scheme is secure against the session hijackingattack in case of the L3 key compromise Scheme 1 is alsosecure since the L3 key is always generated and shared asa result of 8021x-EAP protocol However Scheme 2 ((2) inSection 23) is not secure when the L3 key is compromisedSuppose119870

0is exposed to an adversary A

(MN) and (13) can beobserved from the previous handover session

previous handover session with L3 key 119870119883

MN 997888rarr AR0 [1198700]119872119878119870

119877MN119872119860119862 (119872119878119870) 119872119860119862 (119870119883)

(13)

current handover session with L3 key 1198700(compromised)

A(MN)

997888rarr AR0 [1198700]119872119878119870

119877MN119872119860119862 (119872119878119870) 119872119860119862 (1198700)

(14)

In this case if the adversary replays a part of (13) as in (14)with the compromised L3 key 119870

0 then the adversary can

share the same L3 key with a new AR so that the adversarycan hijack the current session

45 AAA Issues for Security and Billing FMIPv6 can sup-port handover across different administrative domains Asmentioned before if the two ARs belong to two differentadministrative domains there should be a prior roamingagreement between them for security and billing Typicallythe accounting data (information about MNrsquos resource con-sumption) collected by the network devices in the visitingdomain is carried by the accounting protocol to the homedomain FMIPv6 over IEEE 80211 is followed by the MIPv6BU (Binding Update) protocol whose role is to inform MNrsquosHA (Home Agent) of the current AR There are two ser-vice providers Network Access Service Provider (NSP) andMobility Service Provider (MSP) in MIPv6 bootstrappingenvironment [15] The IEEE 80211-based FMIPv6 servicecan be provided by the NSP offering a basic network accessservice to MN while the MIPv6 BU service is provided bythe MSP So when the MIPv6 BU protocol is initiated MSPrsquosauthorizer (AAA) will be interacted with the MN and ARwhich is beyond the scope of this paper

5 Performance Analysis and Comparison

In this section the three handover latencies from the previousschemes (Schemes 1 and 2) and from the proposed scheme(Scheme 3) are compared We first describe the analyticalmobility model for the performance evaluation and then we

8 Mobile Information Systems

Table 1 Security comparisons

Scheme 1 Scheme 2 Scheme 3[8] [9] [10] [proposed one]

L3L2 key management None None Yes YesInteraction with AAA Required Required Required Not requiredL3 key generation by AR by MN by MN by MNL2 key generation 8021x-EAP 8021x-EAP from L3 key from L3 keyProtection for UNA None Provided Provided ProvidedSecurity attack due to L3 key compromise Secure Secure Insecure Secure

analyze and compare the handover costs and the numericresults of the analysis

51 Analytical Mobility Model For the sake of simplicity asquare-shapednetworkmodel is used to analyze and comparethe performance of the protocol under the three differentschemes In the square-shaped network model coverage ofthe entire administrative domain and that of each AP areall square-shaped and119873 APs are uniformly distributed overthe area of the administrative FMIPv6 domain Figure 5shows the square-shapedmobilitymodel where the bold linesindicate the boundary of the subnet consisting of 4APs (AP

01

AP02 AP03 and AP

04) connected to AR

0

The handover procedure is performed by the MNbetween ARs and APs Hence the handover rate is closelyrelated to the mobility pattern of MN The Fluid Flow (FF)model is widely used to analyze issues related to cell boundarycrossing such as a handover [16]The FFmodel is suitable forMNs with a static speed and direction of motion We adaptthe FFmodel for use as themobilitymodel Let 119897 and 119871 denotethe perimeter of each AP and AR while V and 119901 respectivelydenote the average velocity and density of MN The MNsare uniformly distributed with a density 119901 and they moveat an average velocity of V in directions that are uniformlydistributed over [0 2120587] In the next analysis V is varied from01ms to 5ms and 119901 is set to 00002MNsm2 (200MNs perKm2) Let 119877

119888and 119877

119889be the crossing rates over the coverage

of each AP and AR respectively They are then defined asfollows

119877119888=

119901V119897120587

119877119889=

119901V119871120587

(where 119871 = 119897radic119873)

(15)

52 Handover Cost Analysis and Numerical Results In IEEE80211-based FMIPv6 an MN performs L2 and L3 handoverprocedures When an MN changes its current address to anew AR the MN performs an L3 handover procedure Onthe other hand if an MN changes its current AP to anotherone connected to the same AR then MN performs an L2handover procedure In this section the average handovercost per MN is defined as the sum of the cost of the L3handover and the cost of the L2 handover per unit time in

APs (L2 handover occurs)

ARs (L2 L3 handover occurs)

AP01

AP03 AP04

AP02

AR0

Figure 5 Square-shaped mobility model (119873 = 4)

order to provide results for the performance comparison Let119860119895be the average handover cost per MN in unit of time and

119868119895and119867

119895are the L3 handover cost and the L2 handover cost

for Scheme 119895 (= 1 2 3) respectively 119868119895and 119867

119895are defined

as the sum of the signaling cost 119878119895and the processing cost

119875119895for the L3 and L2 handovers respectively Based on (15)

the average handover cost per MN 119860119895 can be calculated as

follows [16] where119882AR is the area of an AR domain

119860119895=

(119877119889sdot 119868119895+ (119873 sdot 119877

119888minus 119877119889) sdot 119867119895)

(119901 sdot 119882AR)

(where 119868119895(119867119895) = 119878119895+ 119875119895)

(16)

The parameter descriptions and values for the performancecomparison referenced from [16] are defined in Table 2Note that the values other than 119901 V 119897 and119873 are defined ldquorel-ativelyrdquo for the purpose of this comparison so the handovercost does not indicate the actual authentication delay for thecorresponding scheme

Using the parameters in Table 2 the L2 and L3 handovercosts and the average handover cost can be calculated basedon (17) The 119875

119895MN 119875119895AP 119875119895AR0 119875119895AR1 and 119875119895AAA indicate

the processing costs on MN AP AR0 AR1 and AAA

respectively of Scheme 119895 and each of them is also calculatedfrom the cost of cryptographic operations such as 119862key and119862hash Let the number of hops between any two relatively close

Mobile Information Systems 9

Table 2 Parameters for evaluation

Symbol Description Valuep Density in a cell (MNsm2) 00002MNsm2

v Average velocity of an MN (ms) 5ms (01sim5)l Perimeter of APrsquos coverage (m) 120mN Number of APs in an AR 5APs (1sim10)119862enc 119862dec Encryption costdecryption cost 1119862key Key generation cost 1119862int Message integrity code cost 025119862hash Hash cost 025119862kdf KDF cost 025119862rand Random number generation cost 025119862hop Transmission cost on the hop 10119862pub Public key operation cost 10119862wired Unit of transmission cost for a wired link 1119862wireless Unit of transmission cost for a wireless link 15119863AP-AAA Number of hops between AP and AAA 10119863AP-AR Number of hops between AP and AR 2

network devices (such as MN-to-AP AP-to-AP and AR-to-AR) be 1 119886

119895119894and 119887119895119896are specific coefficients of Scheme 119895

119875119895= sum

119894isin119876

119886119895119894119875119895119894

where 119876 = 1198721198731198601198751198601198770 1198601198771 119860119860119860

119878119895= 119862hop [119862wireless

+ 119862wired (1198871198951 + 1198871198952119863AP-AAA + 119887

1198953119863AP-AR)]

(17)

The handover cost of each scheme evaluated according toTable 2 is shown in Figure 6 Figure 6(a) compares the L3handover costs of the three schemes It can be observed thatthe main contributor to the handover cost is the signalingcost 119878

119895 and the handover cost of the previous schemes is

larger than that of the proposed scheme as a result in thedifference of when the interaction between theMN and AAAis required Figure 6(b) shows the average handover cost perMN as the average velocity of the MN increases The densityof MN 119901 is set to 00002 the number of APs in an AR119873 isset to 5 and the velocity of anMNvaries from01ms to 5msThe average handover cost for three schemes increases as thevelocity increases Figure 6(c) shows the impact the numberof APs in an AR has on the average handover cost per MNThe density of MN 119901 is set to 00002 and the velocity of anMN V is set to 5 The average handover cost decreases as thenumber of APs in an AR increases

As we can see from Figures 6(a) 6(b) and 6(c) theproposed scheme is much more or slightly efficient than theprevious schemes Figure 6(d) shows the impacts that thevelocity of MN and the number of APs in an AR have onthe average handover cost for the proposed scheme Theaverage handover cost increases rapidly as the velocity of

MN increases However the average handover cost decreasesgradually as the number of APs in anAR increasesThereforethe velocity of MN rather than the number of APs in an ARis a more important factor to consider in order to achieve anefficient handover

6 Conclusions

We have designed a key management and security scheme toenhance L2L3 handover security and to reduce the authen-tication delay induced by the L3 handover The proposedscheme is based on the original IEEE 80211-based FMIPv6where first based on the security assumptions an initialnetwork access protocol has been proposed to bootstrap thesecurity associations among the network entities Second across-layer key management process has been introduced tointegrate the L2 key with the L3 key Namely the L3 key canbe judiciously employed to derive the L2 key so that the time-consuming IEEE 8021x-EAP authentication with the AAAcan be skipped Third a method for protecting the seven L3signaling messages has been proposed as well as a scheme tosecurely transport the L3 key to the target AR In particularthe case of a compromised L3 key has been considered forwhich even though the L3 key at the subnet of the currentAR is compromised an adversary with the compromisedL3 key cannot perform any kind of redirection attack Inother words a domino effect can be suppressed FMIPv6 overIEEE 80211 is followed by the MIPv6 BU (Binding Update)protocol which involves an interaction with the AAA of theMSP In the integrated scenario of MIPv6 bootstrapping theMSPplays the role of theNSP while theMSP andNSP are twodistinct service providers in the split scenario As a follow-up to the current research the AAA issues for security andbilling will be more investigated considering both the splitand integrated scenarios for MIPv6 bootstrapping

10 Mobile Information Systems

0

500

1000

1500H

ando

ver c

ost

Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

MN AP AAAEntities

AR0 AR1 Pj Sj

(a) L3 handover cost

0

50

100

150

200

05 1 15 2 25 3 35 4 45 5

Aver

age h

ando

ver c

ost

Velocity of MN (ms)

Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

(b) Average handover cost (119873 = 5)

0

50

100

150

200

250

300

350

1 2 3 4 5 6 7 8 9 10

Aver

age h

ando

ver c

ost

Number of APs in an AR (N)Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

(c) Average handover cost (V = 5)

hand

over

cost

= 1

= 4

= 7 = 10

050

100150200

12345678910

Aver

age

Number of APs in an AR (N)0ndash5050ndash100(d) Average handover cost of proposed scheme

Figure 6 Numerical Results

Notations

119872119860119862(119870) Message authentication code computedover all preceding message fields using asymmetric key 119870

[119898]119870 Encryption of119898 using symmetric key119870

119896119889119891(sdot) Key derivation function119877119883 Random number generated by119883 (119883 =

MN 0 for AR0 1 for AR

1)

Nonce Nonce parameterℎ(sdot) One-way hash functionℎ64(sdot) 64-bit truncation from the output of ℎ(sdot)

119870119894 L3 key shared between MN and AR

119894

119875119872119870119894 L2 key shared between MN and AP

119894

119875119870119883 119878119870119883 A pair of public and private keys of119883 used

for the signature119890119875119870119883 119890119878119870119883 A pair of public and private keys of119883 usedfor the encryption

119878119894119892(119878119870119883) A digital signature based on the signingprivate key 119878119870

119883covering all preceding

message fields[119898]119890119875119870

119883 Encryption of119898 with the public key 119890119875119870

119883

of119883 (119883 = MN 0 for AR0 1 for AR

1)

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This research was supported by the Employment Contractbased Master Degree Program for Information Securitysupervised by the KISA (Korea Internet Security Agency)and also supported by the MSIP (Ministry of Science ICT

Mobile Information Systems 11

and Future Planning) Republic of Korea under the CPRC(Communications Policy Research Center) Support Programsupervised by the KCA (Korea Communications Agency)(KCA-2013-003)

References

[1] R Koodli ldquoMobile IPv6 fast handoversrdquo RFC 5268 2008[2] C PerkinsD Johnson and J Arkko ldquoMobility support in IPv6rdquo

RFC 6725 2011[3] IEEE 80211 Wireless LAN Medium Access Control (MAC) and

Physical Layer (PHY) Specifications IEEE Standard 2012[4] B Aboba L Blunk J Vollbrecht J Carlson and H Levkowetz

ldquoExtensible authentication protocol (EAP)rdquo RFC 3748 2004[5] P McCann ldquoMobile IPv6 fast handovers for 80211 networksrdquo

RFC 4260 2005[6] Y SongM Liu Z Li andQ Li ldquoHandover latency of predictive

FMIPv6 in IEEE 80211 WLANs a cross layer perspectiverdquo inProceedings of the 18th International Conference on ComputerCommunications and Networks (ICCCN rsquo09) pp 1ndash6 SanFrancisco Calif USA August 2009

[7] M Alnas I Awan and R D W Holton ldquoPerformance eval-uation of fast handover in mobile IPv6 based on link-layerinformationrdquo Journal of Systems and Software vol 83 no 10pp 1644ndash1650 2010

[8] J Kempf and R Koodli ldquoDistributing a symmetric fast mobileIPv6 handover key using secure neighbor discoveryrdquo RFC 52692008

[9] C-S Park ldquoSecurity-enhanced fast mobile IPv6 handoverrdquoIEICE Transactions on Communications vol E93-B no 1 pp178ndash181 2010

[10] J Choi and S Jung ldquoAn integrated handover authentication forFMIPv6 over heterogeneous access link technologiesrdquoWirelessPersonal Communications vol 71 no 2 pp 839ndash856 2013

[11] L Xu Y He X Chen and X Huang ldquoTicket-based handoffauthentication for wireless mesh networksrdquo Computer Net-works vol 73 pp 185ndash194 2014

[12] R Singh and T P Sharma ldquoA key hiding communicationscheme for enhancing the wireless LAN securityrdquo WirelessPersonal Communications vol 77 no 2 pp 1145ndash1165 2014

[13] X Li F Bao S Li and J Ma ldquoFLAP An efficient WLAN initialaccess authentication protocolrdquo IEEE Transactions on Paralleland Distributed Systems vol 25 no 2 pp 488ndash497 2014

[14] I You K Sakurai and Y Hori ldquoA security analysis on Kempf-Koodlirsquos security scheme for fast Mobile IPv6rdquo IEICE Transac-tions on Communications vol 92 no 6 pp 2287ndash2290 2009

[15] K Chowdhury and A Yegin ldquoMobile IPv6 (MIPv6) bootstrap-ping for the integrated scenariordquo RFC 6621 2012

[16] G Li J Ma Q Jiang and X Chen ldquoA novel re-authenticationscheme based on tickets in wireless local area networksrdquo Journalof Parallel andDistributed Computing vol 71 no 7 pp 906ndash9142011

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

ArtificialNeural Systems

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

4 Mobile Information Systems

domino effect occurs in that if 1198700is compromised then 119870

1

is also compromised The security weakness will be morediscussed in Section 44

3 The Proposed Key Management andSecurity Scheme

A new cross-layer scheme for key management and associ-ated security is proposed where an L2 key is derived from anL3 key to speed up the L3 handover procedure accompanyingthe L2 handover so that it is similar to the one in [10]However there is much difference between them in termsof security and efficiency It is assumed that preestablishedsecurity associations exist between AR

0and AR

1 AR and

AP A security association between the MN and AAA is alsoassumed to exist for the initial access of MN to the networkThe notations used in this paper are shown in Notationssection

31 Design Principles Suppose an MN handover from asubnet of AR

0to that of AR

1 Two L3 keys are required to

protect the L3 signaling messages the one (1198700) on the subnet

of AR0and the other (119870

1) on the subnet of AR

1 Unlike

the previous schemes [8ndash10] based on the interaction withAAA the MN generates and distributes 119870

1proactively to

AR1before it moves from AR

0to AR

1 Furthermore the L2

key (PMK1) can be derived from 119870

1on the subnet of AR

1

and pushed into new AP1attached to AR

1 so that the IEEE

8021x-EAP can be skippedSince a new L3 key (119870

1) to be used after handover is

predistributed to AR1by theMN it is important to guarantee

that a compromise of the current L3 key (1198700) does not induce

that of the future L3 key (1198701) namely the domino effect

should be suppressed For this purpose double public-keyencryptions are applied to 119870

1before distribution the one

with the public key of AR1and the other with that of AR

0

In our proposed protocol the authenticity of the public keyof AR

1is protected by 119870

0 However if 119870

0is compromised

1198701can also be exposed to an adversary Therefore it is also

protected by the public key of AR0which has been provided

to the MN during the previous handover sessionAn IPv6 address of theMNon the subnet ofAR

119894is formed

as 119862119900119860119894(= 119875119903119890119891119894119909

119894 119868119868119863

119894) where 119868119868119863

119894is an 64-bit interface

identifier There are two ways of configuring IID the typicalone is based on the L2 address of the MN and the other isusing a random number as IID In our proposed protocol wealso use the random number but in a slightly different wayIt is derived as follows 119868119868119863

119894= ℎ64(119903119894) based on a random

number 119903119894selected by the MN When moving from AR

119894to

AR119894+1

the MN should reveal the random number 119903119894to prove

that 119862119900119860119894was generated and owned by the MN So 119862119900119860

119894

plays a role of a commitment A main reason to use thismechanism is to defend against a session hijacking attackwhen the current L3 key is compromised

32 Initial Network Access Protocol When the MN initiallyassociates with AP

0to access the network service (e in

Figure 2) it performs full IEEE 8021x-EAP authentication

with the AAA (f in Figure 2) As a result theMSK0is shared

between them and the information (AR0and 119890119875119870AR0) for the

default router of the MN is passed to the MN Subsequentlythe AAA derives two L3 keys IK and 119870

0which are truncated

fromMSK0and transports them with119872119873NAI securely to the

default router where119872119873NAI is the Network Access Identifier(NAI) of the MN IK is an initial L3 configuration key while1198700is an L3 handover key based onwhich an L2 key (PMK

0) is

also derived Then AR0pushes 119875119872119870

0= 119896119889119891(119870

0119872119873119860119875

0)

into AP0(g in Figure 2)

MN and AP0denote the L2 addresses of the MN and

AP0 while AR

0denotes the L3 addresses of AR

0 The 4-

way Handshake based on the PMK0is executed between the

MN and AP0in order for the MN to attach to a subnet of

AR0(subnet

0) through AP

0(h in Figure 2) Finally the MN

performs an L3 configuration to check whether its IPv6 care-of-address CoA

0 is duplicate on the subnet of AR

0

MN 997888rarr AR0 119877119905119878119900119897 119877MN119872119873NAI119872119860119862 (119868119870)

MN larr997888 AR0 119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199090119872119860119862 (119868119870)

MN 997888rarr AR0 119862119900119899119891 119877

0 1198621199001198600119872119860119862 (119868119870)

(3)

TheMN sends an Router Solicitation (RtSol) message to AR0

Based on 119872119873NAI AR0 can retrieve IK and can respondto the RtSol message by sending a Router Advertisement(RtAdv) message The RtAdv message contains the subnetprefix of AR

0 Prefix

0 from which the MN configures CoA

0

(= 1198751199031198901198911198941199090 119868119868119863

0) and the MN then sends a Configuration

(Conf ) message where the interface identifier 1198681198681198630= ℎ64(1199030)

is computed based on a random number 1199030generated by

the MN If CoA0is verified to be unique on the subnet

the initial network access protocol is successfully terminatedEventually (CoA

0 1198700) is stored into the neighbor cache of

AR0

33 Proposed Secure Handover Procedure Suppose an L2handover accompanying an L3 handover occurs from AP

0to

AP1 A sequence of signaling messages is shown in Figure 3

where the L3 key 1198700 at the subnet

0has already been

shared between the MN and AR0as a result of a previous

handover process or an initial network access After receivingthe RtSolPr message AR

0responds by sending a PrRtAdv

message with a subnet prefix of AR1(Prefix

1) and the public

key of AR1(119890119875119870AR1)

MN 997888rarr AR0 119877119905119878119900119897119875119903 119877MN119872119860119862 (119870

0) (4)

MN larr997888 AR0 119875119903119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199091 119890119875119870AR1

119872119860119862 (1198700)

(5)

MN 997888rarr AR0 119865119861119880 119877

0 1198621199001198601

[1199030 [119862119900119860

1 1198701] 119890119875119870AR1] 119890119875119870AR0 119872119860119862 (119870

0)

(6)

After configuring CoA1(= 119875119903119890119891119894119909

1 119868119868119863

1) where 119868119868119863

1=

ℎ64(1199031) is computed based on a random number 119903

1 the MN

generates a new L3 key 1198701 and sends an FBU message

Mobile Information Systems 5

(

(L2 connection)

(L3 configuration)

AAA

MNL3 configuration

AP0

❶

❷

❹

❸

❶ (L2) association with AP0

❷ (L2) 8021x-EAP authentication with AAA

❹ (L2) 4-way handshake with AP0

❸ distribution(L2) L2 key PMK0)(iii)(ii) MSK0 is shared between MN and AAA

IKand K0 are shared between MN and AR0

MN larr AR0 MN rarr AR0

AR0

PMK0

K0

= Connected to AP0 =

(i) (AR0 ) is passed to MN

MN rarr AR0 RtSolRMNMNNAIMAC(IK)RtAdvRMN R0 Prefix0MAC(IK)ConfR0 CoA0 MAC(IK)

ePKAR0

Figure 2 Proposed initial network access protocol

MN c Associationauthentication

Traffic for MN

Subnet0 Subnet1

AP1

AP0

AR1

PMK1a d

b

K1

= K1 is shared between MN and AR1 == L2 key distribution (PMK1) =

❶ (L2) reassociation with AP1

❷ (L2) 4-way handshake with AP1

MN rarr AR0 MN larr AR0 PrRtAdv

RtSolPr

FBU

MN rarr AR0

AR0

AR0 rarr AR1 HIAR0 larr AR1 HackMN larr AR0 FBack

MN rarr AR1 UNA

= Connected to AP1 =

= Disconnected from AP0 =

(L3) request to tunnel

(L2) associationauthentication

(L3) request to forward

(L3) tunnel establishment

Figure 3 Proposed secure handover protocol

to AR0(sbquo in Figure 3) Since 119870

1is to be shared with

AR1 it is first encrypted with the public key of AR

1

119890119875119870AR1 subsequently encrypted with the public key of AR0

119890119875119870AR0 When receiving the FBU message AR0first obtains

1199030 [119862119900119860

1 1198701]119890119875119870AR1 after decryption in order to check if

ℎ64(1199030) is equal to IID

0of CoA

0 If not the message is proven

to be not sent from the MN whose IPv6 address is CoA0and

the handover protocol is abortedOtherwise the L3 key1198700 is

eventually passed to the target AR1for the purpose of sharing

it with the MN at the subnet1 A reason to encrypt 119870

1twice

is to defend against an L3 key compromise attack which willbe more discussed in Section 43 Consider

A secure channel between AR0and AR

1

119867119868 1198621199001198600 1198621199001198601 [119862119900119860

1 1198701] 119890119875119870AR1

119867119886119888119896

MN larr997888 AR0 119865119861119886119888119896 119872119860119862 (119870

0)

MN 997888rarr AR1 119880119873119860119872119860119862 (119870

1)

(7)

The target router AR1obtains 119870

1through the HI message

after decryption and 1198701will be used to derive the L2 key

1198751198721198701

= 119896119889119891(1198701119872119873119860119875

1) and to secure the future L3

handover AR1pushes PMK

1into AP

1

After reassociating with AP1(e in Figure 3) the MN

performs a 4-wayHandshake (f in Figure 3) based on PMK1

without IEEE 8021x-EAP authentication with the AAASubsequently theMN sends anUNAmessage to request AR

1

to deliver the buffered packets forwarded from AR0( in

Figure 3) (CoA11198701) is finally stored into the neighbor cache

of AR1

4 Security Analysis and Comparisons

41 Comparison of KeyManagement Schemes In this Sectionthree key management schemes are compared security-enhanced IEEE 80211-based FMIPv6 [8 9] IntegratedScheme [10] and our proposed scheme which are denotedas Schemes 1 2 and 3 respectively In case of Scheme 1the security mechanisms [8 9] to secure the L3 signalingmessages are added to the original IEEE 80211-based FMIPv6[5] However there are no key management in that both L3and L2 keys are separately generated and maintained mean-ing that IEEE 8021x-EAP authentication (D in Figure 4(a))should be performed on each L3 handover A method tointegrate the L3 key with the L2 key has been proposed inScheme 2 Before the MN moves to a new AP attached tothe target subnet AR

1 it requests the AAA to transport a

new L3 key (1198701) to AR

1 and then a new L2 key (PMK

1)

6 Mobile Information Systems

d

b

c

AP0

AR0 AR1

AP1

MN

AAAa

PMK1

(a) Scheme 1

AP0

AP1

AAA

MN

AR1AR0

a d

b

PMK1

K1

c

(b) Scheme 2

AP0

AP1

MN

AR1AR0

a d

b

c

PMK1K1

(c) Scheme 3

Figure 4 Comparison of key management schemes

derived from it is pushed into AP1(permil in Figure 4(b)) But

the interactionwith theAAA cannot be skipped either duringthe L3 handover On the other hand in the proposed scheme(Scheme 3) of Figure 4(c) IEEE 8021x-EAP authenticationis performed only once during the initial network access inFigure 1 During a handover from AR

0to AR

1 a new L3 key

is sent to AR1via AR

0Therefore both theMN andAR

1share

1198701 which can be used to secure L3 signaling messages and

to derive a new L2 key (PMK1) in the target subnet Since

1198701is proactively distributed to AR

1before the MN moves

from AR0to AR

1 the MN can perform a 4-way Handshake

immediately after reassociating with AP1(D in Figure 4(c))

42 Replay and Redirection Attacks In order to guarantee thefreshness of FMIPv6 signalingmessages to be precise to pro-tect from a replay attack challenge-response authenticationbased on the random numbers (119877MN and 119877

0) is employed for

our proposed scheme A scenario to which the replay attackis applied is as follows the MN is attached again to AR

0at

handover session 119894 while it has been attached to the sameAR0at handover session 119895 (119894 gt 119895) Suppose the MN has

moved to AR1during the handover session 119895 and plans now

tomove to AR2during the handover session 119894 In this case an

adversary can try to replay the FMIPv6 signaling messagesused during the handover session 119895 to redirect the traffic forthe MN However the replay attack is not successful due toboth nonce values and the L3 key which is unique for eachhandover session

43 Compromised L3 Key and Session Hijacking Attack Acase of the L3 key compromise is considered in this sectionWe show that our proposed scheme is secure against asession hijacking attack through redirection even though thecurrent L3 key 119870

0 of (5) and (6) is exposed to an adversary

To protect the FBU message in Section 33 our proposedsecurity scheme employs two public-key encryptions with119890119875119870AR0 and 119890119875119870AR1 as in (5) and (6)

TheMNobtains the public key of AR0(119890119875119870AR0) as a result

of an initial network access or a previous L3 handover whilethe public key of AR

1(119890119875119870AR1) is passed to the MN by AR

0

431 Session Hijacking by Redirection Attack Suppose anadversary A

(MN) disguising a victim MN knows the currentL3 key 119870

0and starts an L3 handover as follows

A(MN) 997888rarr AR

0 119877119905119878119900119897119875119903 119877lowastMN119872119860119862 (119870

0) (11

1015840)

A(MN) larr997888 AR

0 119875119903119877119905119860119889V 119877lowastMN 1198770 1198751199031198901198911198941199091

119890119875119870AR1 119872119860119862 (1198700)

(121015840)

A(MN) 997888rarr AR

0 119865119861119880 119877

0 119862119900119860lowast

1

[119903lowast

0 [119862119900119860

lowast

1 1198701] 119890119875119870AR1] 119890119875119870AR0 119872119860119862 (119870

0)

(131015840)

119877lowast

MN 119862119900119860lowast

1 and 119903

lowast

0are generated by A

(MN) that tries tohijack the current traffic for the MN (CoA

0) and forward

it to A(MN) (119862119900119860

lowast

1) When receiving the FBU message AR

0

Mobile Information Systems 7

obtains 119903lowast0after decryption and verifies if IID

0of the source

IPv6 address (CoA0) is identical to ℎ

64(119903lowast

0) If the verification

is not successful the protocol stops Since ℎ64(sdot) is based on

a one-way hash function and the 1199030used to derive IID

0is

known only to the MN all the adversary can do is attemptto guess 119903

0(the probability of 119903

0= 119903lowast

0is 2minus64) Since CoA

0

is valid only on the subnet0and keeps changing as the MN

moves the probability is negligible enough to defend againstsuch an attack

432 Session Hijacking by Man-in-the-Middle Attack Sup-pose an adversary A

(MN) knows the current L3 key1198700 and thevictim MN starts an L3 handover to request AR

0to forward

its traffic to CoA1 To see why the public-key encryption with

119890119875119870AR0 is required (6) is modified into (1310158401015840)

MN 997888rarr AR0 119865119861119880 119877

0 1198621199001198601 1199030

[1198621199001198601 1198701] 119890119875119870AR1 119872119860119862 (119870

0)

(1310158401015840)

Then the adversary can mount a man-in-the-middle attackas follows

MN 997888rarr AR0 119877119905119878119900119897119875119903 119877MN119872119860119862 (119870

0) (8)

A(MN) larr997888 AR

0 119875119903119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199091 119890119875119870AR1

119872119860119862 (1198700)

(9)

MN larr997888 A(MN) 119875119903119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199091 119890119875119870

lowast

AR1

119872119860119862 (1198700)

(10)

MN 997888rarr A(MN) 119865119861119880 119877

0 1198621199001198601 1199030

[1198621199001198601 1198701] 119890119875119870

lowast

AR1 119872119860119862 (1198700)

(11)

A(MN) 997888rarr AR

0 119865119861119880 119877

0 119862119900119860lowast

1 1199030

[119862119900119860lowast

1 1198701] 119890119875119870AR1 119872119860119862 (119870

0)

(12)

Namely A(MN) observing between the MN and AR

0modifies

119890119875119870AR1 of (9) into 119890119875119870lowast

AR1 of (10) generated by A(MN) so thatA(MN) can obtain a new L3 key 119870

1and hijack the traffic for

CoA1for the purpose of forwarding it to 119862119900119860

lowast

1 Eventually

the connection with AR1is turned over to A

(MN) On theother hand if (6) is used instead of (131015840) (11) and (12) arechanged into (19

1015840) and (20

1015840) respectively

MN 997888rarr A(MN) 119865119861119880 119877

0 1198621199001198601

[1199030 [119862119900119860

1 1198701] 119890119875119870

lowast

AR1] 119890119875119870AR0 119872119860119862 (1198700)

(191015840)

A(MN) 997888rarr AR

0 119865119861119880 119877

0 1198621199001198601

[1199030 [119862119900119860

1 1198701] 119890119875119870

lowast

AR1] 119890119875119870AR0 119872119860119862 (1198700)

(201015840)

When intercepting (191015840) A(MN) cannot modify CoA

1or

obtain 1198701since they are encrypted with 119890119875119870AR0 Therefore

when receiving [1198621199001198601 1198701]119890119875119870lowast

AR1 through the 119867119868 messageAR1aborts the current protocol since it cannot be decrypted

with 119890119875119870AR1 Therefore a compromise of the current L3 keydoes not induce that of the future L3 key

44 Security Comparisons Table 1 shows security compar-isons (Schemes 1 2 and 3) including the key managementcomparisons discussed in Section 41 It has been shown thatour proposed scheme is secure against the session hijackingattack in case of the L3 key compromise Scheme 1 is alsosecure since the L3 key is always generated and shared asa result of 8021x-EAP protocol However Scheme 2 ((2) inSection 23) is not secure when the L3 key is compromisedSuppose119870

0is exposed to an adversary A

(MN) and (13) can beobserved from the previous handover session

previous handover session with L3 key 119870119883

MN 997888rarr AR0 [1198700]119872119878119870

119877MN119872119860119862 (119872119878119870) 119872119860119862 (119870119883)

(13)

current handover session with L3 key 1198700(compromised)

A(MN)

997888rarr AR0 [1198700]119872119878119870

119877MN119872119860119862 (119872119878119870) 119872119860119862 (1198700)

(14)

In this case if the adversary replays a part of (13) as in (14)with the compromised L3 key 119870

0 then the adversary can

share the same L3 key with a new AR so that the adversarycan hijack the current session

45 AAA Issues for Security and Billing FMIPv6 can sup-port handover across different administrative domains Asmentioned before if the two ARs belong to two differentadministrative domains there should be a prior roamingagreement between them for security and billing Typicallythe accounting data (information about MNrsquos resource con-sumption) collected by the network devices in the visitingdomain is carried by the accounting protocol to the homedomain FMIPv6 over IEEE 80211 is followed by the MIPv6BU (Binding Update) protocol whose role is to inform MNrsquosHA (Home Agent) of the current AR There are two ser-vice providers Network Access Service Provider (NSP) andMobility Service Provider (MSP) in MIPv6 bootstrappingenvironment [15] The IEEE 80211-based FMIPv6 servicecan be provided by the NSP offering a basic network accessservice to MN while the MIPv6 BU service is provided bythe MSP So when the MIPv6 BU protocol is initiated MSPrsquosauthorizer (AAA) will be interacted with the MN and ARwhich is beyond the scope of this paper

5 Performance Analysis and Comparison

In this section the three handover latencies from the previousschemes (Schemes 1 and 2) and from the proposed scheme(Scheme 3) are compared We first describe the analyticalmobility model for the performance evaluation and then we

8 Mobile Information Systems

Table 1 Security comparisons

Scheme 1 Scheme 2 Scheme 3[8] [9] [10] [proposed one]

L3L2 key management None None Yes YesInteraction with AAA Required Required Required Not requiredL3 key generation by AR by MN by MN by MNL2 key generation 8021x-EAP 8021x-EAP from L3 key from L3 keyProtection for UNA None Provided Provided ProvidedSecurity attack due to L3 key compromise Secure Secure Insecure Secure

analyze and compare the handover costs and the numericresults of the analysis

51 Analytical Mobility Model For the sake of simplicity asquare-shapednetworkmodel is used to analyze and comparethe performance of the protocol under the three differentschemes In the square-shaped network model coverage ofthe entire administrative domain and that of each AP areall square-shaped and119873 APs are uniformly distributed overthe area of the administrative FMIPv6 domain Figure 5shows the square-shapedmobilitymodel where the bold linesindicate the boundary of the subnet consisting of 4APs (AP

01

AP02 AP03 and AP

04) connected to AR

0

The handover procedure is performed by the MNbetween ARs and APs Hence the handover rate is closelyrelated to the mobility pattern of MN The Fluid Flow (FF)model is widely used to analyze issues related to cell boundarycrossing such as a handover [16]The FFmodel is suitable forMNs with a static speed and direction of motion We adaptthe FFmodel for use as themobilitymodel Let 119897 and 119871 denotethe perimeter of each AP and AR while V and 119901 respectivelydenote the average velocity and density of MN The MNsare uniformly distributed with a density 119901 and they moveat an average velocity of V in directions that are uniformlydistributed over [0 2120587] In the next analysis V is varied from01ms to 5ms and 119901 is set to 00002MNsm2 (200MNs perKm2) Let 119877

119888and 119877

119889be the crossing rates over the coverage

of each AP and AR respectively They are then defined asfollows

119877119888=

119901V119897120587

119877119889=

119901V119871120587

(where 119871 = 119897radic119873)

(15)

52 Handover Cost Analysis and Numerical Results In IEEE80211-based FMIPv6 an MN performs L2 and L3 handoverprocedures When an MN changes its current address to anew AR the MN performs an L3 handover procedure Onthe other hand if an MN changes its current AP to anotherone connected to the same AR then MN performs an L2handover procedure In this section the average handovercost per MN is defined as the sum of the cost of the L3handover and the cost of the L2 handover per unit time in

APs (L2 handover occurs)

ARs (L2 L3 handover occurs)

AP01

AP03 AP04

AP02

AR0

Figure 5 Square-shaped mobility model (119873 = 4)

order to provide results for the performance comparison Let119860119895be the average handover cost per MN in unit of time and

119868119895and119867

119895are the L3 handover cost and the L2 handover cost

for Scheme 119895 (= 1 2 3) respectively 119868119895and 119867

119895are defined

as the sum of the signaling cost 119878119895and the processing cost

119875119895for the L3 and L2 handovers respectively Based on (15)

the average handover cost per MN 119860119895 can be calculated as

follows [16] where119882AR is the area of an AR domain

119860119895=

(119877119889sdot 119868119895+ (119873 sdot 119877

119888minus 119877119889) sdot 119867119895)

(119901 sdot 119882AR)

(where 119868119895(119867119895) = 119878119895+ 119875119895)

(16)

The parameter descriptions and values for the performancecomparison referenced from [16] are defined in Table 2Note that the values other than 119901 V 119897 and119873 are defined ldquorel-ativelyrdquo for the purpose of this comparison so the handovercost does not indicate the actual authentication delay for thecorresponding scheme

Using the parameters in Table 2 the L2 and L3 handovercosts and the average handover cost can be calculated basedon (17) The 119875

119895MN 119875119895AP 119875119895AR0 119875119895AR1 and 119875119895AAA indicate

the processing costs on MN AP AR0 AR1 and AAA

respectively of Scheme 119895 and each of them is also calculatedfrom the cost of cryptographic operations such as 119862key and119862hash Let the number of hops between any two relatively close

Mobile Information Systems 9

Table 2 Parameters for evaluation

Symbol Description Valuep Density in a cell (MNsm2) 00002MNsm2

v Average velocity of an MN (ms) 5ms (01sim5)l Perimeter of APrsquos coverage (m) 120mN Number of APs in an AR 5APs (1sim10)119862enc 119862dec Encryption costdecryption cost 1119862key Key generation cost 1119862int Message integrity code cost 025119862hash Hash cost 025119862kdf KDF cost 025119862rand Random number generation cost 025119862hop Transmission cost on the hop 10119862pub Public key operation cost 10119862wired Unit of transmission cost for a wired link 1119862wireless Unit of transmission cost for a wireless link 15119863AP-AAA Number of hops between AP and AAA 10119863AP-AR Number of hops between AP and AR 2

network devices (such as MN-to-AP AP-to-AP and AR-to-AR) be 1 119886

119895119894and 119887119895119896are specific coefficients of Scheme 119895

119875119895= sum

119894isin119876

119886119895119894119875119895119894

where 119876 = 1198721198731198601198751198601198770 1198601198771 119860119860119860

119878119895= 119862hop [119862wireless

+ 119862wired (1198871198951 + 1198871198952119863AP-AAA + 119887

1198953119863AP-AR)]

(17)

The handover cost of each scheme evaluated according toTable 2 is shown in Figure 6 Figure 6(a) compares the L3handover costs of the three schemes It can be observed thatthe main contributor to the handover cost is the signalingcost 119878

119895 and the handover cost of the previous schemes is

larger than that of the proposed scheme as a result in thedifference of when the interaction between theMN and AAAis required Figure 6(b) shows the average handover cost perMN as the average velocity of the MN increases The densityof MN 119901 is set to 00002 the number of APs in an AR119873 isset to 5 and the velocity of anMNvaries from01ms to 5msThe average handover cost for three schemes increases as thevelocity increases Figure 6(c) shows the impact the numberof APs in an AR has on the average handover cost per MNThe density of MN 119901 is set to 00002 and the velocity of anMN V is set to 5 The average handover cost decreases as thenumber of APs in an AR increases

As we can see from Figures 6(a) 6(b) and 6(c) theproposed scheme is much more or slightly efficient than theprevious schemes Figure 6(d) shows the impacts that thevelocity of MN and the number of APs in an AR have onthe average handover cost for the proposed scheme Theaverage handover cost increases rapidly as the velocity of

MN increases However the average handover cost decreasesgradually as the number of APs in anAR increasesThereforethe velocity of MN rather than the number of APs in an ARis a more important factor to consider in order to achieve anefficient handover

6 Conclusions

We have designed a key management and security scheme toenhance L2L3 handover security and to reduce the authen-tication delay induced by the L3 handover The proposedscheme is based on the original IEEE 80211-based FMIPv6where first based on the security assumptions an initialnetwork access protocol has been proposed to bootstrap thesecurity associations among the network entities Second across-layer key management process has been introduced tointegrate the L2 key with the L3 key Namely the L3 key canbe judiciously employed to derive the L2 key so that the time-consuming IEEE 8021x-EAP authentication with the AAAcan be skipped Third a method for protecting the seven L3signaling messages has been proposed as well as a scheme tosecurely transport the L3 key to the target AR In particularthe case of a compromised L3 key has been considered forwhich even though the L3 key at the subnet of the currentAR is compromised an adversary with the compromisedL3 key cannot perform any kind of redirection attack Inother words a domino effect can be suppressed FMIPv6 overIEEE 80211 is followed by the MIPv6 BU (Binding Update)protocol which involves an interaction with the AAA of theMSP In the integrated scenario of MIPv6 bootstrapping theMSPplays the role of theNSP while theMSP andNSP are twodistinct service providers in the split scenario As a follow-up to the current research the AAA issues for security andbilling will be more investigated considering both the splitand integrated scenarios for MIPv6 bootstrapping

10 Mobile Information Systems

0

500

1000

1500H

ando

ver c

ost

Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

MN AP AAAEntities

AR0 AR1 Pj Sj

(a) L3 handover cost

0

50

100

150

200

05 1 15 2 25 3 35 4 45 5

Aver

age h

ando

ver c

ost

Velocity of MN (ms)

Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

(b) Average handover cost (119873 = 5)

0

50

100

150

200

250

300

350

1 2 3 4 5 6 7 8 9 10

Aver

age h

ando

ver c

ost

Number of APs in an AR (N)Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

(c) Average handover cost (V = 5)

hand

over

cost

= 1

= 4

= 7 = 10

050

100150200

12345678910

Aver

age

Number of APs in an AR (N)0ndash5050ndash100(d) Average handover cost of proposed scheme

Figure 6 Numerical Results

Notations

119872119860119862(119870) Message authentication code computedover all preceding message fields using asymmetric key 119870

[119898]119870 Encryption of119898 using symmetric key119870

119896119889119891(sdot) Key derivation function119877119883 Random number generated by119883 (119883 =

MN 0 for AR0 1 for AR

1)

Nonce Nonce parameterℎ(sdot) One-way hash functionℎ64(sdot) 64-bit truncation from the output of ℎ(sdot)

119870119894 L3 key shared between MN and AR

119894

119875119872119870119894 L2 key shared between MN and AP

119894

119875119870119883 119878119870119883 A pair of public and private keys of119883 used

for the signature119890119875119870119883 119890119878119870119883 A pair of public and private keys of119883 usedfor the encryption

119878119894119892(119878119870119883) A digital signature based on the signingprivate key 119878119870

119883covering all preceding

message fields[119898]119890119875119870

119883 Encryption of119898 with the public key 119890119875119870

119883

of119883 (119883 = MN 0 for AR0 1 for AR

1)

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This research was supported by the Employment Contractbased Master Degree Program for Information Securitysupervised by the KISA (Korea Internet Security Agency)and also supported by the MSIP (Ministry of Science ICT

Mobile Information Systems 11

and Future Planning) Republic of Korea under the CPRC(Communications Policy Research Center) Support Programsupervised by the KCA (Korea Communications Agency)(KCA-2013-003)

References

[1] R Koodli ldquoMobile IPv6 fast handoversrdquo RFC 5268 2008[2] C PerkinsD Johnson and J Arkko ldquoMobility support in IPv6rdquo

RFC 6725 2011[3] IEEE 80211 Wireless LAN Medium Access Control (MAC) and

Physical Layer (PHY) Specifications IEEE Standard 2012[4] B Aboba L Blunk J Vollbrecht J Carlson and H Levkowetz

ldquoExtensible authentication protocol (EAP)rdquo RFC 3748 2004[5] P McCann ldquoMobile IPv6 fast handovers for 80211 networksrdquo

RFC 4260 2005[6] Y SongM Liu Z Li andQ Li ldquoHandover latency of predictive

FMIPv6 in IEEE 80211 WLANs a cross layer perspectiverdquo inProceedings of the 18th International Conference on ComputerCommunications and Networks (ICCCN rsquo09) pp 1ndash6 SanFrancisco Calif USA August 2009

[7] M Alnas I Awan and R D W Holton ldquoPerformance eval-uation of fast handover in mobile IPv6 based on link-layerinformationrdquo Journal of Systems and Software vol 83 no 10pp 1644ndash1650 2010

[8] J Kempf and R Koodli ldquoDistributing a symmetric fast mobileIPv6 handover key using secure neighbor discoveryrdquo RFC 52692008

[9] C-S Park ldquoSecurity-enhanced fast mobile IPv6 handoverrdquoIEICE Transactions on Communications vol E93-B no 1 pp178ndash181 2010

[10] J Choi and S Jung ldquoAn integrated handover authentication forFMIPv6 over heterogeneous access link technologiesrdquoWirelessPersonal Communications vol 71 no 2 pp 839ndash856 2013

[11] L Xu Y He X Chen and X Huang ldquoTicket-based handoffauthentication for wireless mesh networksrdquo Computer Net-works vol 73 pp 185ndash194 2014

[12] R Singh and T P Sharma ldquoA key hiding communicationscheme for enhancing the wireless LAN securityrdquo WirelessPersonal Communications vol 77 no 2 pp 1145ndash1165 2014

[13] X Li F Bao S Li and J Ma ldquoFLAP An efficient WLAN initialaccess authentication protocolrdquo IEEE Transactions on Paralleland Distributed Systems vol 25 no 2 pp 488ndash497 2014

[14] I You K Sakurai and Y Hori ldquoA security analysis on Kempf-Koodlirsquos security scheme for fast Mobile IPv6rdquo IEICE Transac-tions on Communications vol 92 no 6 pp 2287ndash2290 2009

[15] K Chowdhury and A Yegin ldquoMobile IPv6 (MIPv6) bootstrap-ping for the integrated scenariordquo RFC 6621 2012

[16] G Li J Ma Q Jiang and X Chen ldquoA novel re-authenticationscheme based on tickets in wireless local area networksrdquo Journalof Parallel andDistributed Computing vol 71 no 7 pp 906ndash9142011

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

ArtificialNeural Systems

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mobile Information Systems 5

(

(L2 connection)

(L3 configuration)

AAA

MNL3 configuration

AP0

❶

❷

❹

❸

❶ (L2) association with AP0

❷ (L2) 8021x-EAP authentication with AAA

❹ (L2) 4-way handshake with AP0

❸ distribution(L2) L2 key PMK0)(iii)(ii) MSK0 is shared between MN and AAA

IKand K0 are shared between MN and AR0

MN larr AR0 MN rarr AR0

AR0

PMK0

K0

= Connected to AP0 =

(i) (AR0 ) is passed to MN

MN rarr AR0 RtSolRMNMNNAIMAC(IK)RtAdvRMN R0 Prefix0MAC(IK)ConfR0 CoA0 MAC(IK)

ePKAR0

Figure 2 Proposed initial network access protocol

MN c Associationauthentication

Traffic for MN

Subnet0 Subnet1

AP1

AP0

AR1

PMK1a d

b

K1

= K1 is shared between MN and AR1 == L2 key distribution (PMK1) =

❶ (L2) reassociation with AP1

❷ (L2) 4-way handshake with AP1

MN rarr AR0 MN larr AR0 PrRtAdv

RtSolPr

FBU

MN rarr AR0

AR0

AR0 rarr AR1 HIAR0 larr AR1 HackMN larr AR0 FBack

MN rarr AR1 UNA

= Connected to AP1 =

= Disconnected from AP0 =

(L3) request to tunnel

(L2) associationauthentication

(L3) request to forward

(L3) tunnel establishment

Figure 3 Proposed secure handover protocol

to AR0(sbquo in Figure 3) Since 119870

1is to be shared with

AR1 it is first encrypted with the public key of AR

1

119890119875119870AR1 subsequently encrypted with the public key of AR0

119890119875119870AR0 When receiving the FBU message AR0first obtains

1199030 [119862119900119860

1 1198701]119890119875119870AR1 after decryption in order to check if

ℎ64(1199030) is equal to IID

0of CoA

0 If not the message is proven

to be not sent from the MN whose IPv6 address is CoA0and

the handover protocol is abortedOtherwise the L3 key1198700 is

eventually passed to the target AR1for the purpose of sharing

it with the MN at the subnet1 A reason to encrypt 119870

1twice

is to defend against an L3 key compromise attack which willbe more discussed in Section 43 Consider

A secure channel between AR0and AR

1

119867119868 1198621199001198600 1198621199001198601 [119862119900119860

1 1198701] 119890119875119870AR1

119867119886119888119896

MN larr997888 AR0 119865119861119886119888119896 119872119860119862 (119870

0)

MN 997888rarr AR1 119880119873119860119872119860119862 (119870

1)

(7)

The target router AR1obtains 119870

1through the HI message

after decryption and 1198701will be used to derive the L2 key

1198751198721198701

= 119896119889119891(1198701119872119873119860119875

1) and to secure the future L3

handover AR1pushes PMK

1into AP

1

After reassociating with AP1(e in Figure 3) the MN

performs a 4-wayHandshake (f in Figure 3) based on PMK1

without IEEE 8021x-EAP authentication with the AAASubsequently theMN sends anUNAmessage to request AR

1

to deliver the buffered packets forwarded from AR0( in

Figure 3) (CoA11198701) is finally stored into the neighbor cache

of AR1

4 Security Analysis and Comparisons

41 Comparison of KeyManagement Schemes In this Sectionthree key management schemes are compared security-enhanced IEEE 80211-based FMIPv6 [8 9] IntegratedScheme [10] and our proposed scheme which are denotedas Schemes 1 2 and 3 respectively In case of Scheme 1the security mechanisms [8 9] to secure the L3 signalingmessages are added to the original IEEE 80211-based FMIPv6[5] However there are no key management in that both L3and L2 keys are separately generated and maintained mean-ing that IEEE 8021x-EAP authentication (D in Figure 4(a))should be performed on each L3 handover A method tointegrate the L3 key with the L2 key has been proposed inScheme 2 Before the MN moves to a new AP attached tothe target subnet AR

1 it requests the AAA to transport a

new L3 key (1198701) to AR

1 and then a new L2 key (PMK

1)

6 Mobile Information Systems

d

b

c

AP0

AR0 AR1

AP1

MN

AAAa

PMK1

(a) Scheme 1

AP0

AP1

AAA

MN

AR1AR0

a d

b

PMK1

K1

c

(b) Scheme 2

AP0

AP1

MN

AR1AR0

a d

b

c

PMK1K1

(c) Scheme 3

Figure 4 Comparison of key management schemes

derived from it is pushed into AP1(permil in Figure 4(b)) But

the interactionwith theAAA cannot be skipped either duringthe L3 handover On the other hand in the proposed scheme(Scheme 3) of Figure 4(c) IEEE 8021x-EAP authenticationis performed only once during the initial network access inFigure 1 During a handover from AR

0to AR

1 a new L3 key

is sent to AR1via AR

0Therefore both theMN andAR

1share

1198701 which can be used to secure L3 signaling messages and

to derive a new L2 key (PMK1) in the target subnet Since

1198701is proactively distributed to AR

1before the MN moves

from AR0to AR

1 the MN can perform a 4-way Handshake

immediately after reassociating with AP1(D in Figure 4(c))

42 Replay and Redirection Attacks In order to guarantee thefreshness of FMIPv6 signalingmessages to be precise to pro-tect from a replay attack challenge-response authenticationbased on the random numbers (119877MN and 119877

0) is employed for

our proposed scheme A scenario to which the replay attackis applied is as follows the MN is attached again to AR

0at

handover session 119894 while it has been attached to the sameAR0at handover session 119895 (119894 gt 119895) Suppose the MN has

moved to AR1during the handover session 119895 and plans now

tomove to AR2during the handover session 119894 In this case an

adversary can try to replay the FMIPv6 signaling messagesused during the handover session 119895 to redirect the traffic forthe MN However the replay attack is not successful due toboth nonce values and the L3 key which is unique for eachhandover session

43 Compromised L3 Key and Session Hijacking Attack Acase of the L3 key compromise is considered in this sectionWe show that our proposed scheme is secure against asession hijacking attack through redirection even though thecurrent L3 key 119870

0 of (5) and (6) is exposed to an adversary

To protect the FBU message in Section 33 our proposedsecurity scheme employs two public-key encryptions with119890119875119870AR0 and 119890119875119870AR1 as in (5) and (6)

TheMNobtains the public key of AR0(119890119875119870AR0) as a result

of an initial network access or a previous L3 handover whilethe public key of AR

1(119890119875119870AR1) is passed to the MN by AR

0

431 Session Hijacking by Redirection Attack Suppose anadversary A

(MN) disguising a victim MN knows the currentL3 key 119870

0and starts an L3 handover as follows

A(MN) 997888rarr AR

0 119877119905119878119900119897119875119903 119877lowastMN119872119860119862 (119870

0) (11

1015840)

A(MN) larr997888 AR

0 119875119903119877119905119860119889V 119877lowastMN 1198770 1198751199031198901198911198941199091

119890119875119870AR1 119872119860119862 (1198700)

(121015840)

A(MN) 997888rarr AR

0 119865119861119880 119877

0 119862119900119860lowast

1

[119903lowast

0 [119862119900119860

lowast

1 1198701] 119890119875119870AR1] 119890119875119870AR0 119872119860119862 (119870

0)

(131015840)

119877lowast

MN 119862119900119860lowast

1 and 119903

lowast

0are generated by A

(MN) that tries tohijack the current traffic for the MN (CoA

0) and forward

it to A(MN) (119862119900119860

lowast

1) When receiving the FBU message AR

0

Mobile Information Systems 7

obtains 119903lowast0after decryption and verifies if IID

0of the source

IPv6 address (CoA0) is identical to ℎ

64(119903lowast

0) If the verification

is not successful the protocol stops Since ℎ64(sdot) is based on

a one-way hash function and the 1199030used to derive IID

0is

known only to the MN all the adversary can do is attemptto guess 119903

0(the probability of 119903

0= 119903lowast

0is 2minus64) Since CoA

0

is valid only on the subnet0and keeps changing as the MN

moves the probability is negligible enough to defend againstsuch an attack

432 Session Hijacking by Man-in-the-Middle Attack Sup-pose an adversary A

(MN) knows the current L3 key1198700 and thevictim MN starts an L3 handover to request AR

0to forward

its traffic to CoA1 To see why the public-key encryption with

119890119875119870AR0 is required (6) is modified into (1310158401015840)

MN 997888rarr AR0 119865119861119880 119877

0 1198621199001198601 1199030

[1198621199001198601 1198701] 119890119875119870AR1 119872119860119862 (119870

0)

(1310158401015840)

Then the adversary can mount a man-in-the-middle attackas follows

MN 997888rarr AR0 119877119905119878119900119897119875119903 119877MN119872119860119862 (119870

0) (8)

A(MN) larr997888 AR

0 119875119903119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199091 119890119875119870AR1

119872119860119862 (1198700)

(9)

MN larr997888 A(MN) 119875119903119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199091 119890119875119870

lowast

AR1

119872119860119862 (1198700)

(10)

MN 997888rarr A(MN) 119865119861119880 119877

0 1198621199001198601 1199030

[1198621199001198601 1198701] 119890119875119870

lowast

AR1 119872119860119862 (1198700)

(11)

A(MN) 997888rarr AR

0 119865119861119880 119877

0 119862119900119860lowast

1 1199030

[119862119900119860lowast

1 1198701] 119890119875119870AR1 119872119860119862 (119870

0)

(12)

Namely A(MN) observing between the MN and AR

0modifies

119890119875119870AR1 of (9) into 119890119875119870lowast

AR1 of (10) generated by A(MN) so thatA(MN) can obtain a new L3 key 119870

1and hijack the traffic for

CoA1for the purpose of forwarding it to 119862119900119860

lowast

1 Eventually

the connection with AR1is turned over to A

(MN) On theother hand if (6) is used instead of (131015840) (11) and (12) arechanged into (19

1015840) and (20

1015840) respectively

MN 997888rarr A(MN) 119865119861119880 119877

0 1198621199001198601

[1199030 [119862119900119860

1 1198701] 119890119875119870

lowast

AR1] 119890119875119870AR0 119872119860119862 (1198700)

(191015840)

A(MN) 997888rarr AR

0 119865119861119880 119877

0 1198621199001198601

[1199030 [119862119900119860

1 1198701] 119890119875119870

lowast

AR1] 119890119875119870AR0 119872119860119862 (1198700)

(201015840)

When intercepting (191015840) A(MN) cannot modify CoA

1or

obtain 1198701since they are encrypted with 119890119875119870AR0 Therefore

when receiving [1198621199001198601 1198701]119890119875119870lowast

AR1 through the 119867119868 messageAR1aborts the current protocol since it cannot be decrypted

with 119890119875119870AR1 Therefore a compromise of the current L3 keydoes not induce that of the future L3 key

44 Security Comparisons Table 1 shows security compar-isons (Schemes 1 2 and 3) including the key managementcomparisons discussed in Section 41 It has been shown thatour proposed scheme is secure against the session hijackingattack in case of the L3 key compromise Scheme 1 is alsosecure since the L3 key is always generated and shared asa result of 8021x-EAP protocol However Scheme 2 ((2) inSection 23) is not secure when the L3 key is compromisedSuppose119870

0is exposed to an adversary A

(MN) and (13) can beobserved from the previous handover session

previous handover session with L3 key 119870119883

MN 997888rarr AR0 [1198700]119872119878119870

119877MN119872119860119862 (119872119878119870) 119872119860119862 (119870119883)

(13)

current handover session with L3 key 1198700(compromised)

A(MN)

997888rarr AR0 [1198700]119872119878119870

119877MN119872119860119862 (119872119878119870) 119872119860119862 (1198700)

(14)

In this case if the adversary replays a part of (13) as in (14)with the compromised L3 key 119870

0 then the adversary can

share the same L3 key with a new AR so that the adversarycan hijack the current session

45 AAA Issues for Security and Billing FMIPv6 can sup-port handover across different administrative domains Asmentioned before if the two ARs belong to two differentadministrative domains there should be a prior roamingagreement between them for security and billing Typicallythe accounting data (information about MNrsquos resource con-sumption) collected by the network devices in the visitingdomain is carried by the accounting protocol to the homedomain FMIPv6 over IEEE 80211 is followed by the MIPv6BU (Binding Update) protocol whose role is to inform MNrsquosHA (Home Agent) of the current AR There are two ser-vice providers Network Access Service Provider (NSP) andMobility Service Provider (MSP) in MIPv6 bootstrappingenvironment [15] The IEEE 80211-based FMIPv6 servicecan be provided by the NSP offering a basic network accessservice to MN while the MIPv6 BU service is provided bythe MSP So when the MIPv6 BU protocol is initiated MSPrsquosauthorizer (AAA) will be interacted with the MN and ARwhich is beyond the scope of this paper

5 Performance Analysis and Comparison

In this section the three handover latencies from the previousschemes (Schemes 1 and 2) and from the proposed scheme(Scheme 3) are compared We first describe the analyticalmobility model for the performance evaluation and then we

8 Mobile Information Systems

Table 1 Security comparisons

Scheme 1 Scheme 2 Scheme 3[8] [9] [10] [proposed one]

L3L2 key management None None Yes YesInteraction with AAA Required Required Required Not requiredL3 key generation by AR by MN by MN by MNL2 key generation 8021x-EAP 8021x-EAP from L3 key from L3 keyProtection for UNA None Provided Provided ProvidedSecurity attack due to L3 key compromise Secure Secure Insecure Secure

analyze and compare the handover costs and the numericresults of the analysis

51 Analytical Mobility Model For the sake of simplicity asquare-shapednetworkmodel is used to analyze and comparethe performance of the protocol under the three differentschemes In the square-shaped network model coverage ofthe entire administrative domain and that of each AP areall square-shaped and119873 APs are uniformly distributed overthe area of the administrative FMIPv6 domain Figure 5shows the square-shapedmobilitymodel where the bold linesindicate the boundary of the subnet consisting of 4APs (AP

01

AP02 AP03 and AP

04) connected to AR

0

The handover procedure is performed by the MNbetween ARs and APs Hence the handover rate is closelyrelated to the mobility pattern of MN The Fluid Flow (FF)model is widely used to analyze issues related to cell boundarycrossing such as a handover [16]The FFmodel is suitable forMNs with a static speed and direction of motion We adaptthe FFmodel for use as themobilitymodel Let 119897 and 119871 denotethe perimeter of each AP and AR while V and 119901 respectivelydenote the average velocity and density of MN The MNsare uniformly distributed with a density 119901 and they moveat an average velocity of V in directions that are uniformlydistributed over [0 2120587] In the next analysis V is varied from01ms to 5ms and 119901 is set to 00002MNsm2 (200MNs perKm2) Let 119877

119888and 119877

119889be the crossing rates over the coverage

of each AP and AR respectively They are then defined asfollows

119877119888=

119901V119897120587

119877119889=

119901V119871120587

(where 119871 = 119897radic119873)

(15)

52 Handover Cost Analysis and Numerical Results In IEEE80211-based FMIPv6 an MN performs L2 and L3 handoverprocedures When an MN changes its current address to anew AR the MN performs an L3 handover procedure Onthe other hand if an MN changes its current AP to anotherone connected to the same AR then MN performs an L2handover procedure In this section the average handovercost per MN is defined as the sum of the cost of the L3handover and the cost of the L2 handover per unit time in

APs (L2 handover occurs)

ARs (L2 L3 handover occurs)

AP01

AP03 AP04

AP02

AR0

Figure 5 Square-shaped mobility model (119873 = 4)

order to provide results for the performance comparison Let119860119895be the average handover cost per MN in unit of time and

119868119895and119867

119895are the L3 handover cost and the L2 handover cost

for Scheme 119895 (= 1 2 3) respectively 119868119895and 119867

119895are defined

as the sum of the signaling cost 119878119895and the processing cost

119875119895for the L3 and L2 handovers respectively Based on (15)

the average handover cost per MN 119860119895 can be calculated as

follows [16] where119882AR is the area of an AR domain

119860119895=

(119877119889sdot 119868119895+ (119873 sdot 119877

119888minus 119877119889) sdot 119867119895)

(119901 sdot 119882AR)

(where 119868119895(119867119895) = 119878119895+ 119875119895)

(16)

The parameter descriptions and values for the performancecomparison referenced from [16] are defined in Table 2Note that the values other than 119901 V 119897 and119873 are defined ldquorel-ativelyrdquo for the purpose of this comparison so the handovercost does not indicate the actual authentication delay for thecorresponding scheme

Using the parameters in Table 2 the L2 and L3 handovercosts and the average handover cost can be calculated basedon (17) The 119875

119895MN 119875119895AP 119875119895AR0 119875119895AR1 and 119875119895AAA indicate

the processing costs on MN AP AR0 AR1 and AAA

respectively of Scheme 119895 and each of them is also calculatedfrom the cost of cryptographic operations such as 119862key and119862hash Let the number of hops between any two relatively close

Mobile Information Systems 9

Table 2 Parameters for evaluation

Symbol Description Valuep Density in a cell (MNsm2) 00002MNsm2

v Average velocity of an MN (ms) 5ms (01sim5)l Perimeter of APrsquos coverage (m) 120mN Number of APs in an AR 5APs (1sim10)119862enc 119862dec Encryption costdecryption cost 1119862key Key generation cost 1119862int Message integrity code cost 025119862hash Hash cost 025119862kdf KDF cost 025119862rand Random number generation cost 025119862hop Transmission cost on the hop 10119862pub Public key operation cost 10119862wired Unit of transmission cost for a wired link 1119862wireless Unit of transmission cost for a wireless link 15119863AP-AAA Number of hops between AP and AAA 10119863AP-AR Number of hops between AP and AR 2

network devices (such as MN-to-AP AP-to-AP and AR-to-AR) be 1 119886

119895119894and 119887119895119896are specific coefficients of Scheme 119895

119875119895= sum

119894isin119876

119886119895119894119875119895119894

where 119876 = 1198721198731198601198751198601198770 1198601198771 119860119860119860

119878119895= 119862hop [119862wireless

+ 119862wired (1198871198951 + 1198871198952119863AP-AAA + 119887

1198953119863AP-AR)]

(17)

The handover cost of each scheme evaluated according toTable 2 is shown in Figure 6 Figure 6(a) compares the L3handover costs of the three schemes It can be observed thatthe main contributor to the handover cost is the signalingcost 119878

119895 and the handover cost of the previous schemes is

larger than that of the proposed scheme as a result in thedifference of when the interaction between theMN and AAAis required Figure 6(b) shows the average handover cost perMN as the average velocity of the MN increases The densityof MN 119901 is set to 00002 the number of APs in an AR119873 isset to 5 and the velocity of anMNvaries from01ms to 5msThe average handover cost for three schemes increases as thevelocity increases Figure 6(c) shows the impact the numberof APs in an AR has on the average handover cost per MNThe density of MN 119901 is set to 00002 and the velocity of anMN V is set to 5 The average handover cost decreases as thenumber of APs in an AR increases

As we can see from Figures 6(a) 6(b) and 6(c) theproposed scheme is much more or slightly efficient than theprevious schemes Figure 6(d) shows the impacts that thevelocity of MN and the number of APs in an AR have onthe average handover cost for the proposed scheme Theaverage handover cost increases rapidly as the velocity of

MN increases However the average handover cost decreasesgradually as the number of APs in anAR increasesThereforethe velocity of MN rather than the number of APs in an ARis a more important factor to consider in order to achieve anefficient handover

6 Conclusions

We have designed a key management and security scheme toenhance L2L3 handover security and to reduce the authen-tication delay induced by the L3 handover The proposedscheme is based on the original IEEE 80211-based FMIPv6where first based on the security assumptions an initialnetwork access protocol has been proposed to bootstrap thesecurity associations among the network entities Second across-layer key management process has been introduced tointegrate the L2 key with the L3 key Namely the L3 key canbe judiciously employed to derive the L2 key so that the time-consuming IEEE 8021x-EAP authentication with the AAAcan be skipped Third a method for protecting the seven L3signaling messages has been proposed as well as a scheme tosecurely transport the L3 key to the target AR In particularthe case of a compromised L3 key has been considered forwhich even though the L3 key at the subnet of the currentAR is compromised an adversary with the compromisedL3 key cannot perform any kind of redirection attack Inother words a domino effect can be suppressed FMIPv6 overIEEE 80211 is followed by the MIPv6 BU (Binding Update)protocol which involves an interaction with the AAA of theMSP In the integrated scenario of MIPv6 bootstrapping theMSPplays the role of theNSP while theMSP andNSP are twodistinct service providers in the split scenario As a follow-up to the current research the AAA issues for security andbilling will be more investigated considering both the splitand integrated scenarios for MIPv6 bootstrapping

10 Mobile Information Systems

0

500

1000

1500H

ando

ver c

ost

Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

MN AP AAAEntities

AR0 AR1 Pj Sj

(a) L3 handover cost

0

50

100

150

200

05 1 15 2 25 3 35 4 45 5

Aver

age h

ando

ver c

ost

Velocity of MN (ms)

Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

(b) Average handover cost (119873 = 5)

0

50

100

150

200

250

300

350

1 2 3 4 5 6 7 8 9 10

Aver

age h

ando

ver c

ost

Number of APs in an AR (N)Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

(c) Average handover cost (V = 5)

hand

over

cost

= 1

= 4

= 7 = 10

050

100150200

12345678910

Aver

age

Number of APs in an AR (N)0ndash5050ndash100(d) Average handover cost of proposed scheme

Figure 6 Numerical Results

Notations

119872119860119862(119870) Message authentication code computedover all preceding message fields using asymmetric key 119870

[119898]119870 Encryption of119898 using symmetric key119870

119896119889119891(sdot) Key derivation function119877119883 Random number generated by119883 (119883 =

MN 0 for AR0 1 for AR

1)

Nonce Nonce parameterℎ(sdot) One-way hash functionℎ64(sdot) 64-bit truncation from the output of ℎ(sdot)

119870119894 L3 key shared between MN and AR

119894

119875119872119870119894 L2 key shared between MN and AP

119894

119875119870119883 119878119870119883 A pair of public and private keys of119883 used

for the signature119890119875119870119883 119890119878119870119883 A pair of public and private keys of119883 usedfor the encryption

119878119894119892(119878119870119883) A digital signature based on the signingprivate key 119878119870

119883covering all preceding

message fields[119898]119890119875119870

119883 Encryption of119898 with the public key 119890119875119870

119883

of119883 (119883 = MN 0 for AR0 1 for AR

1)

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This research was supported by the Employment Contractbased Master Degree Program for Information Securitysupervised by the KISA (Korea Internet Security Agency)and also supported by the MSIP (Ministry of Science ICT

Mobile Information Systems 11

and Future Planning) Republic of Korea under the CPRC(Communications Policy Research Center) Support Programsupervised by the KCA (Korea Communications Agency)(KCA-2013-003)

References

[1] R Koodli ldquoMobile IPv6 fast handoversrdquo RFC 5268 2008[2] C PerkinsD Johnson and J Arkko ldquoMobility support in IPv6rdquo

RFC 6725 2011[3] IEEE 80211 Wireless LAN Medium Access Control (MAC) and

Physical Layer (PHY) Specifications IEEE Standard 2012[4] B Aboba L Blunk J Vollbrecht J Carlson and H Levkowetz

ldquoExtensible authentication protocol (EAP)rdquo RFC 3748 2004[5] P McCann ldquoMobile IPv6 fast handovers for 80211 networksrdquo

RFC 4260 2005[6] Y SongM Liu Z Li andQ Li ldquoHandover latency of predictive

FMIPv6 in IEEE 80211 WLANs a cross layer perspectiverdquo inProceedings of the 18th International Conference on ComputerCommunications and Networks (ICCCN rsquo09) pp 1ndash6 SanFrancisco Calif USA August 2009

[7] M Alnas I Awan and R D W Holton ldquoPerformance eval-uation of fast handover in mobile IPv6 based on link-layerinformationrdquo Journal of Systems and Software vol 83 no 10pp 1644ndash1650 2010

[8] J Kempf and R Koodli ldquoDistributing a symmetric fast mobileIPv6 handover key using secure neighbor discoveryrdquo RFC 52692008

[9] C-S Park ldquoSecurity-enhanced fast mobile IPv6 handoverrdquoIEICE Transactions on Communications vol E93-B no 1 pp178ndash181 2010

[10] J Choi and S Jung ldquoAn integrated handover authentication forFMIPv6 over heterogeneous access link technologiesrdquoWirelessPersonal Communications vol 71 no 2 pp 839ndash856 2013

[11] L Xu Y He X Chen and X Huang ldquoTicket-based handoffauthentication for wireless mesh networksrdquo Computer Net-works vol 73 pp 185ndash194 2014

[12] R Singh and T P Sharma ldquoA key hiding communicationscheme for enhancing the wireless LAN securityrdquo WirelessPersonal Communications vol 77 no 2 pp 1145ndash1165 2014

[13] X Li F Bao S Li and J Ma ldquoFLAP An efficient WLAN initialaccess authentication protocolrdquo IEEE Transactions on Paralleland Distributed Systems vol 25 no 2 pp 488ndash497 2014

[14] I You K Sakurai and Y Hori ldquoA security analysis on Kempf-Koodlirsquos security scheme for fast Mobile IPv6rdquo IEICE Transac-tions on Communications vol 92 no 6 pp 2287ndash2290 2009

[15] K Chowdhury and A Yegin ldquoMobile IPv6 (MIPv6) bootstrap-ping for the integrated scenariordquo RFC 6621 2012

[16] G Li J Ma Q Jiang and X Chen ldquoA novel re-authenticationscheme based on tickets in wireless local area networksrdquo Journalof Parallel andDistributed Computing vol 71 no 7 pp 906ndash9142011

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

ArtificialNeural Systems

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

6 Mobile Information Systems

d

b

c

AP0

AR0 AR1

AP1

MN

AAAa

PMK1

(a) Scheme 1

AP0

AP1

AAA

MN

AR1AR0

a d

b

PMK1

K1

c

(b) Scheme 2

AP0

AP1

MN

AR1AR0

a d

b

c

PMK1K1

(c) Scheme 3

Figure 4 Comparison of key management schemes

derived from it is pushed into AP1(permil in Figure 4(b)) But

the interactionwith theAAA cannot be skipped either duringthe L3 handover On the other hand in the proposed scheme(Scheme 3) of Figure 4(c) IEEE 8021x-EAP authenticationis performed only once during the initial network access inFigure 1 During a handover from AR

0to AR

1 a new L3 key

is sent to AR1via AR

0Therefore both theMN andAR

1share

1198701 which can be used to secure L3 signaling messages and

to derive a new L2 key (PMK1) in the target subnet Since

1198701is proactively distributed to AR

1before the MN moves

from AR0to AR

1 the MN can perform a 4-way Handshake

immediately after reassociating with AP1(D in Figure 4(c))

42 Replay and Redirection Attacks In order to guarantee thefreshness of FMIPv6 signalingmessages to be precise to pro-tect from a replay attack challenge-response authenticationbased on the random numbers (119877MN and 119877

0) is employed for

our proposed scheme A scenario to which the replay attackis applied is as follows the MN is attached again to AR

0at

handover session 119894 while it has been attached to the sameAR0at handover session 119895 (119894 gt 119895) Suppose the MN has

moved to AR1during the handover session 119895 and plans now

tomove to AR2during the handover session 119894 In this case an

adversary can try to replay the FMIPv6 signaling messagesused during the handover session 119895 to redirect the traffic forthe MN However the replay attack is not successful due toboth nonce values and the L3 key which is unique for eachhandover session

43 Compromised L3 Key and Session Hijacking Attack Acase of the L3 key compromise is considered in this sectionWe show that our proposed scheme is secure against asession hijacking attack through redirection even though thecurrent L3 key 119870

0 of (5) and (6) is exposed to an adversary

To protect the FBU message in Section 33 our proposedsecurity scheme employs two public-key encryptions with119890119875119870AR0 and 119890119875119870AR1 as in (5) and (6)

TheMNobtains the public key of AR0(119890119875119870AR0) as a result

of an initial network access or a previous L3 handover whilethe public key of AR

1(119890119875119870AR1) is passed to the MN by AR

0

431 Session Hijacking by Redirection Attack Suppose anadversary A

(MN) disguising a victim MN knows the currentL3 key 119870

0and starts an L3 handover as follows

A(MN) 997888rarr AR

0 119877119905119878119900119897119875119903 119877lowastMN119872119860119862 (119870

0) (11

1015840)

A(MN) larr997888 AR

0 119875119903119877119905119860119889V 119877lowastMN 1198770 1198751199031198901198911198941199091

119890119875119870AR1 119872119860119862 (1198700)

(121015840)

A(MN) 997888rarr AR

0 119865119861119880 119877

0 119862119900119860lowast

1

[119903lowast

0 [119862119900119860

lowast

1 1198701] 119890119875119870AR1] 119890119875119870AR0 119872119860119862 (119870

0)

(131015840)

119877lowast

MN 119862119900119860lowast

1 and 119903

lowast

0are generated by A

(MN) that tries tohijack the current traffic for the MN (CoA

0) and forward

it to A(MN) (119862119900119860

lowast

1) When receiving the FBU message AR

0

Mobile Information Systems 7

obtains 119903lowast0after decryption and verifies if IID

0of the source

IPv6 address (CoA0) is identical to ℎ

64(119903lowast

0) If the verification

is not successful the protocol stops Since ℎ64(sdot) is based on

a one-way hash function and the 1199030used to derive IID

0is

known only to the MN all the adversary can do is attemptto guess 119903

0(the probability of 119903

0= 119903lowast

0is 2minus64) Since CoA

0

is valid only on the subnet0and keeps changing as the MN

moves the probability is negligible enough to defend againstsuch an attack

432 Session Hijacking by Man-in-the-Middle Attack Sup-pose an adversary A

(MN) knows the current L3 key1198700 and thevictim MN starts an L3 handover to request AR

0to forward

its traffic to CoA1 To see why the public-key encryption with

119890119875119870AR0 is required (6) is modified into (1310158401015840)

MN 997888rarr AR0 119865119861119880 119877

0 1198621199001198601 1199030

[1198621199001198601 1198701] 119890119875119870AR1 119872119860119862 (119870

0)

(1310158401015840)

Then the adversary can mount a man-in-the-middle attackas follows

MN 997888rarr AR0 119877119905119878119900119897119875119903 119877MN119872119860119862 (119870

0) (8)

A(MN) larr997888 AR

0 119875119903119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199091 119890119875119870AR1

119872119860119862 (1198700)

(9)

MN larr997888 A(MN) 119875119903119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199091 119890119875119870

lowast

AR1

119872119860119862 (1198700)

(10)

MN 997888rarr A(MN) 119865119861119880 119877

0 1198621199001198601 1199030

[1198621199001198601 1198701] 119890119875119870

lowast

AR1 119872119860119862 (1198700)

(11)

A(MN) 997888rarr AR

0 119865119861119880 119877

0 119862119900119860lowast

1 1199030

[119862119900119860lowast

1 1198701] 119890119875119870AR1 119872119860119862 (119870

0)

(12)

Namely A(MN) observing between the MN and AR

0modifies

119890119875119870AR1 of (9) into 119890119875119870lowast

AR1 of (10) generated by A(MN) so thatA(MN) can obtain a new L3 key 119870

1and hijack the traffic for

CoA1for the purpose of forwarding it to 119862119900119860

lowast

1 Eventually

the connection with AR1is turned over to A

(MN) On theother hand if (6) is used instead of (131015840) (11) and (12) arechanged into (19

1015840) and (20

1015840) respectively

MN 997888rarr A(MN) 119865119861119880 119877

0 1198621199001198601

[1199030 [119862119900119860

1 1198701] 119890119875119870

lowast

AR1] 119890119875119870AR0 119872119860119862 (1198700)

(191015840)

A(MN) 997888rarr AR

0 119865119861119880 119877

0 1198621199001198601

[1199030 [119862119900119860

1 1198701] 119890119875119870

lowast

AR1] 119890119875119870AR0 119872119860119862 (1198700)

(201015840)

When intercepting (191015840) A(MN) cannot modify CoA

1or

obtain 1198701since they are encrypted with 119890119875119870AR0 Therefore

when receiving [1198621199001198601 1198701]119890119875119870lowast

AR1 through the 119867119868 messageAR1aborts the current protocol since it cannot be decrypted

with 119890119875119870AR1 Therefore a compromise of the current L3 keydoes not induce that of the future L3 key

44 Security Comparisons Table 1 shows security compar-isons (Schemes 1 2 and 3) including the key managementcomparisons discussed in Section 41 It has been shown thatour proposed scheme is secure against the session hijackingattack in case of the L3 key compromise Scheme 1 is alsosecure since the L3 key is always generated and shared asa result of 8021x-EAP protocol However Scheme 2 ((2) inSection 23) is not secure when the L3 key is compromisedSuppose119870

0is exposed to an adversary A

(MN) and (13) can beobserved from the previous handover session

previous handover session with L3 key 119870119883

MN 997888rarr AR0 [1198700]119872119878119870

119877MN119872119860119862 (119872119878119870) 119872119860119862 (119870119883)

(13)

current handover session with L3 key 1198700(compromised)

A(MN)

997888rarr AR0 [1198700]119872119878119870

119877MN119872119860119862 (119872119878119870) 119872119860119862 (1198700)

(14)

In this case if the adversary replays a part of (13) as in (14)with the compromised L3 key 119870

0 then the adversary can

share the same L3 key with a new AR so that the adversarycan hijack the current session

45 AAA Issues for Security and Billing FMIPv6 can sup-port handover across different administrative domains Asmentioned before if the two ARs belong to two differentadministrative domains there should be a prior roamingagreement between them for security and billing Typicallythe accounting data (information about MNrsquos resource con-sumption) collected by the network devices in the visitingdomain is carried by the accounting protocol to the homedomain FMIPv6 over IEEE 80211 is followed by the MIPv6BU (Binding Update) protocol whose role is to inform MNrsquosHA (Home Agent) of the current AR There are two ser-vice providers Network Access Service Provider (NSP) andMobility Service Provider (MSP) in MIPv6 bootstrappingenvironment [15] The IEEE 80211-based FMIPv6 servicecan be provided by the NSP offering a basic network accessservice to MN while the MIPv6 BU service is provided bythe MSP So when the MIPv6 BU protocol is initiated MSPrsquosauthorizer (AAA) will be interacted with the MN and ARwhich is beyond the scope of this paper

5 Performance Analysis and Comparison

In this section the three handover latencies from the previousschemes (Schemes 1 and 2) and from the proposed scheme(Scheme 3) are compared We first describe the analyticalmobility model for the performance evaluation and then we

8 Mobile Information Systems

Table 1 Security comparisons

Scheme 1 Scheme 2 Scheme 3[8] [9] [10] [proposed one]

L3L2 key management None None Yes YesInteraction with AAA Required Required Required Not requiredL3 key generation by AR by MN by MN by MNL2 key generation 8021x-EAP 8021x-EAP from L3 key from L3 keyProtection for UNA None Provided Provided ProvidedSecurity attack due to L3 key compromise Secure Secure Insecure Secure

analyze and compare the handover costs and the numericresults of the analysis

51 Analytical Mobility Model For the sake of simplicity asquare-shapednetworkmodel is used to analyze and comparethe performance of the protocol under the three differentschemes In the square-shaped network model coverage ofthe entire administrative domain and that of each AP areall square-shaped and119873 APs are uniformly distributed overthe area of the administrative FMIPv6 domain Figure 5shows the square-shapedmobilitymodel where the bold linesindicate the boundary of the subnet consisting of 4APs (AP

01

AP02 AP03 and AP

04) connected to AR

0

The handover procedure is performed by the MNbetween ARs and APs Hence the handover rate is closelyrelated to the mobility pattern of MN The Fluid Flow (FF)model is widely used to analyze issues related to cell boundarycrossing such as a handover [16]The FFmodel is suitable forMNs with a static speed and direction of motion We adaptthe FFmodel for use as themobilitymodel Let 119897 and 119871 denotethe perimeter of each AP and AR while V and 119901 respectivelydenote the average velocity and density of MN The MNsare uniformly distributed with a density 119901 and they moveat an average velocity of V in directions that are uniformlydistributed over [0 2120587] In the next analysis V is varied from01ms to 5ms and 119901 is set to 00002MNsm2 (200MNs perKm2) Let 119877

119888and 119877

119889be the crossing rates over the coverage

of each AP and AR respectively They are then defined asfollows

119877119888=

119901V119897120587

119877119889=

119901V119871120587

(where 119871 = 119897radic119873)

(15)

52 Handover Cost Analysis and Numerical Results In IEEE80211-based FMIPv6 an MN performs L2 and L3 handoverprocedures When an MN changes its current address to anew AR the MN performs an L3 handover procedure Onthe other hand if an MN changes its current AP to anotherone connected to the same AR then MN performs an L2handover procedure In this section the average handovercost per MN is defined as the sum of the cost of the L3handover and the cost of the L2 handover per unit time in

APs (L2 handover occurs)

ARs (L2 L3 handover occurs)

AP01

AP03 AP04

AP02

AR0

Figure 5 Square-shaped mobility model (119873 = 4)

order to provide results for the performance comparison Let119860119895be the average handover cost per MN in unit of time and

119868119895and119867

119895are the L3 handover cost and the L2 handover cost

for Scheme 119895 (= 1 2 3) respectively 119868119895and 119867

119895are defined

as the sum of the signaling cost 119878119895and the processing cost

119875119895for the L3 and L2 handovers respectively Based on (15)

the average handover cost per MN 119860119895 can be calculated as

follows [16] where119882AR is the area of an AR domain

119860119895=

(119877119889sdot 119868119895+ (119873 sdot 119877

119888minus 119877119889) sdot 119867119895)

(119901 sdot 119882AR)

(where 119868119895(119867119895) = 119878119895+ 119875119895)

(16)

The parameter descriptions and values for the performancecomparison referenced from [16] are defined in Table 2Note that the values other than 119901 V 119897 and119873 are defined ldquorel-ativelyrdquo for the purpose of this comparison so the handovercost does not indicate the actual authentication delay for thecorresponding scheme

Using the parameters in Table 2 the L2 and L3 handovercosts and the average handover cost can be calculated basedon (17) The 119875

119895MN 119875119895AP 119875119895AR0 119875119895AR1 and 119875119895AAA indicate

the processing costs on MN AP AR0 AR1 and AAA

respectively of Scheme 119895 and each of them is also calculatedfrom the cost of cryptographic operations such as 119862key and119862hash Let the number of hops between any two relatively close

Mobile Information Systems 9

Table 2 Parameters for evaluation

Symbol Description Valuep Density in a cell (MNsm2) 00002MNsm2

v Average velocity of an MN (ms) 5ms (01sim5)l Perimeter of APrsquos coverage (m) 120mN Number of APs in an AR 5APs (1sim10)119862enc 119862dec Encryption costdecryption cost 1119862key Key generation cost 1119862int Message integrity code cost 025119862hash Hash cost 025119862kdf KDF cost 025119862rand Random number generation cost 025119862hop Transmission cost on the hop 10119862pub Public key operation cost 10119862wired Unit of transmission cost for a wired link 1119862wireless Unit of transmission cost for a wireless link 15119863AP-AAA Number of hops between AP and AAA 10119863AP-AR Number of hops between AP and AR 2

network devices (such as MN-to-AP AP-to-AP and AR-to-AR) be 1 119886

119895119894and 119887119895119896are specific coefficients of Scheme 119895

119875119895= sum

119894isin119876

119886119895119894119875119895119894

where 119876 = 1198721198731198601198751198601198770 1198601198771 119860119860119860

119878119895= 119862hop [119862wireless

+ 119862wired (1198871198951 + 1198871198952119863AP-AAA + 119887

1198953119863AP-AR)]

(17)

The handover cost of each scheme evaluated according toTable 2 is shown in Figure 6 Figure 6(a) compares the L3handover costs of the three schemes It can be observed thatthe main contributor to the handover cost is the signalingcost 119878

119895 and the handover cost of the previous schemes is

larger than that of the proposed scheme as a result in thedifference of when the interaction between theMN and AAAis required Figure 6(b) shows the average handover cost perMN as the average velocity of the MN increases The densityof MN 119901 is set to 00002 the number of APs in an AR119873 isset to 5 and the velocity of anMNvaries from01ms to 5msThe average handover cost for three schemes increases as thevelocity increases Figure 6(c) shows the impact the numberof APs in an AR has on the average handover cost per MNThe density of MN 119901 is set to 00002 and the velocity of anMN V is set to 5 The average handover cost decreases as thenumber of APs in an AR increases

As we can see from Figures 6(a) 6(b) and 6(c) theproposed scheme is much more or slightly efficient than theprevious schemes Figure 6(d) shows the impacts that thevelocity of MN and the number of APs in an AR have onthe average handover cost for the proposed scheme Theaverage handover cost increases rapidly as the velocity of

MN increases However the average handover cost decreasesgradually as the number of APs in anAR increasesThereforethe velocity of MN rather than the number of APs in an ARis a more important factor to consider in order to achieve anefficient handover

6 Conclusions

We have designed a key management and security scheme toenhance L2L3 handover security and to reduce the authen-tication delay induced by the L3 handover The proposedscheme is based on the original IEEE 80211-based FMIPv6where first based on the security assumptions an initialnetwork access protocol has been proposed to bootstrap thesecurity associations among the network entities Second across-layer key management process has been introduced tointegrate the L2 key with the L3 key Namely the L3 key canbe judiciously employed to derive the L2 key so that the time-consuming IEEE 8021x-EAP authentication with the AAAcan be skipped Third a method for protecting the seven L3signaling messages has been proposed as well as a scheme tosecurely transport the L3 key to the target AR In particularthe case of a compromised L3 key has been considered forwhich even though the L3 key at the subnet of the currentAR is compromised an adversary with the compromisedL3 key cannot perform any kind of redirection attack Inother words a domino effect can be suppressed FMIPv6 overIEEE 80211 is followed by the MIPv6 BU (Binding Update)protocol which involves an interaction with the AAA of theMSP In the integrated scenario of MIPv6 bootstrapping theMSPplays the role of theNSP while theMSP andNSP are twodistinct service providers in the split scenario As a follow-up to the current research the AAA issues for security andbilling will be more investigated considering both the splitand integrated scenarios for MIPv6 bootstrapping

10 Mobile Information Systems

0

500

1000

1500H

ando

ver c

ost

Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

MN AP AAAEntities

AR0 AR1 Pj Sj

(a) L3 handover cost

0

50

100

150

200

05 1 15 2 25 3 35 4 45 5

Aver

age h

ando

ver c

ost

Velocity of MN (ms)

Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

(b) Average handover cost (119873 = 5)

0

50

100

150

200

250

300

350

1 2 3 4 5 6 7 8 9 10

Aver

age h

ando

ver c

ost

Number of APs in an AR (N)Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

(c) Average handover cost (V = 5)

hand

over

cost

= 1

= 4

= 7 = 10

050

100150200

12345678910

Aver

age

Number of APs in an AR (N)0ndash5050ndash100(d) Average handover cost of proposed scheme

Figure 6 Numerical Results

Notations

119872119860119862(119870) Message authentication code computedover all preceding message fields using asymmetric key 119870

[119898]119870 Encryption of119898 using symmetric key119870

119896119889119891(sdot) Key derivation function119877119883 Random number generated by119883 (119883 =

MN 0 for AR0 1 for AR

1)

Nonce Nonce parameterℎ(sdot) One-way hash functionℎ64(sdot) 64-bit truncation from the output of ℎ(sdot)

119870119894 L3 key shared between MN and AR

119894

119875119872119870119894 L2 key shared between MN and AP

119894

119875119870119883 119878119870119883 A pair of public and private keys of119883 used

for the signature119890119875119870119883 119890119878119870119883 A pair of public and private keys of119883 usedfor the encryption

119878119894119892(119878119870119883) A digital signature based on the signingprivate key 119878119870

119883covering all preceding

message fields[119898]119890119875119870

119883 Encryption of119898 with the public key 119890119875119870

119883

of119883 (119883 = MN 0 for AR0 1 for AR

1)

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This research was supported by the Employment Contractbased Master Degree Program for Information Securitysupervised by the KISA (Korea Internet Security Agency)and also supported by the MSIP (Ministry of Science ICT

Mobile Information Systems 11

and Future Planning) Republic of Korea under the CPRC(Communications Policy Research Center) Support Programsupervised by the KCA (Korea Communications Agency)(KCA-2013-003)

References

[1] R Koodli ldquoMobile IPv6 fast handoversrdquo RFC 5268 2008[2] C PerkinsD Johnson and J Arkko ldquoMobility support in IPv6rdquo

RFC 6725 2011[3] IEEE 80211 Wireless LAN Medium Access Control (MAC) and

Physical Layer (PHY) Specifications IEEE Standard 2012[4] B Aboba L Blunk J Vollbrecht J Carlson and H Levkowetz

ldquoExtensible authentication protocol (EAP)rdquo RFC 3748 2004[5] P McCann ldquoMobile IPv6 fast handovers for 80211 networksrdquo

RFC 4260 2005[6] Y SongM Liu Z Li andQ Li ldquoHandover latency of predictive

FMIPv6 in IEEE 80211 WLANs a cross layer perspectiverdquo inProceedings of the 18th International Conference on ComputerCommunications and Networks (ICCCN rsquo09) pp 1ndash6 SanFrancisco Calif USA August 2009

[7] M Alnas I Awan and R D W Holton ldquoPerformance eval-uation of fast handover in mobile IPv6 based on link-layerinformationrdquo Journal of Systems and Software vol 83 no 10pp 1644ndash1650 2010

[8] J Kempf and R Koodli ldquoDistributing a symmetric fast mobileIPv6 handover key using secure neighbor discoveryrdquo RFC 52692008

[9] C-S Park ldquoSecurity-enhanced fast mobile IPv6 handoverrdquoIEICE Transactions on Communications vol E93-B no 1 pp178ndash181 2010

[10] J Choi and S Jung ldquoAn integrated handover authentication forFMIPv6 over heterogeneous access link technologiesrdquoWirelessPersonal Communications vol 71 no 2 pp 839ndash856 2013

[11] L Xu Y He X Chen and X Huang ldquoTicket-based handoffauthentication for wireless mesh networksrdquo Computer Net-works vol 73 pp 185ndash194 2014

[12] R Singh and T P Sharma ldquoA key hiding communicationscheme for enhancing the wireless LAN securityrdquo WirelessPersonal Communications vol 77 no 2 pp 1145ndash1165 2014

[13] X Li F Bao S Li and J Ma ldquoFLAP An efficient WLAN initialaccess authentication protocolrdquo IEEE Transactions on Paralleland Distributed Systems vol 25 no 2 pp 488ndash497 2014

[14] I You K Sakurai and Y Hori ldquoA security analysis on Kempf-Koodlirsquos security scheme for fast Mobile IPv6rdquo IEICE Transac-tions on Communications vol 92 no 6 pp 2287ndash2290 2009

[15] K Chowdhury and A Yegin ldquoMobile IPv6 (MIPv6) bootstrap-ping for the integrated scenariordquo RFC 6621 2012

[16] G Li J Ma Q Jiang and X Chen ldquoA novel re-authenticationscheme based on tickets in wireless local area networksrdquo Journalof Parallel andDistributed Computing vol 71 no 7 pp 906ndash9142011

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

ArtificialNeural Systems

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mobile Information Systems 7

obtains 119903lowast0after decryption and verifies if IID

0of the source

IPv6 address (CoA0) is identical to ℎ

64(119903lowast

0) If the verification

is not successful the protocol stops Since ℎ64(sdot) is based on

a one-way hash function and the 1199030used to derive IID

0is

known only to the MN all the adversary can do is attemptto guess 119903

0(the probability of 119903

0= 119903lowast

0is 2minus64) Since CoA

0

is valid only on the subnet0and keeps changing as the MN

moves the probability is negligible enough to defend againstsuch an attack

432 Session Hijacking by Man-in-the-Middle Attack Sup-pose an adversary A

(MN) knows the current L3 key1198700 and thevictim MN starts an L3 handover to request AR

0to forward

its traffic to CoA1 To see why the public-key encryption with

119890119875119870AR0 is required (6) is modified into (1310158401015840)

MN 997888rarr AR0 119865119861119880 119877

0 1198621199001198601 1199030

[1198621199001198601 1198701] 119890119875119870AR1 119872119860119862 (119870

0)

(1310158401015840)

Then the adversary can mount a man-in-the-middle attackas follows

MN 997888rarr AR0 119877119905119878119900119897119875119903 119877MN119872119860119862 (119870

0) (8)

A(MN) larr997888 AR

0 119875119903119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199091 119890119875119870AR1

119872119860119862 (1198700)

(9)

MN larr997888 A(MN) 119875119903119877119905119860119889V 119877MN 1198770 1198751199031198901198911198941199091 119890119875119870

lowast

AR1

119872119860119862 (1198700)

(10)

MN 997888rarr A(MN) 119865119861119880 119877

0 1198621199001198601 1199030

[1198621199001198601 1198701] 119890119875119870

lowast

AR1 119872119860119862 (1198700)

(11)

A(MN) 997888rarr AR

0 119865119861119880 119877

0 119862119900119860lowast

1 1199030

[119862119900119860lowast

1 1198701] 119890119875119870AR1 119872119860119862 (119870

0)

(12)

Namely A(MN) observing between the MN and AR

0modifies

119890119875119870AR1 of (9) into 119890119875119870lowast

AR1 of (10) generated by A(MN) so thatA(MN) can obtain a new L3 key 119870

1and hijack the traffic for

CoA1for the purpose of forwarding it to 119862119900119860

lowast

1 Eventually

the connection with AR1is turned over to A

(MN) On theother hand if (6) is used instead of (131015840) (11) and (12) arechanged into (19

1015840) and (20

1015840) respectively

MN 997888rarr A(MN) 119865119861119880 119877

0 1198621199001198601

[1199030 [119862119900119860

1 1198701] 119890119875119870

lowast

AR1] 119890119875119870AR0 119872119860119862 (1198700)

(191015840)

A(MN) 997888rarr AR

0 119865119861119880 119877

0 1198621199001198601

[1199030 [119862119900119860

1 1198701] 119890119875119870

lowast

AR1] 119890119875119870AR0 119872119860119862 (1198700)

(201015840)

When intercepting (191015840) A(MN) cannot modify CoA

1or

obtain 1198701since they are encrypted with 119890119875119870AR0 Therefore

when receiving [1198621199001198601 1198701]119890119875119870lowast

AR1 through the 119867119868 messageAR1aborts the current protocol since it cannot be decrypted

with 119890119875119870AR1 Therefore a compromise of the current L3 keydoes not induce that of the future L3 key

44 Security Comparisons Table 1 shows security compar-isons (Schemes 1 2 and 3) including the key managementcomparisons discussed in Section 41 It has been shown thatour proposed scheme is secure against the session hijackingattack in case of the L3 key compromise Scheme 1 is alsosecure since the L3 key is always generated and shared asa result of 8021x-EAP protocol However Scheme 2 ((2) inSection 23) is not secure when the L3 key is compromisedSuppose119870

0is exposed to an adversary A

(MN) and (13) can beobserved from the previous handover session

previous handover session with L3 key 119870119883

MN 997888rarr AR0 [1198700]119872119878119870

119877MN119872119860119862 (119872119878119870) 119872119860119862 (119870119883)

(13)

current handover session with L3 key 1198700(compromised)

A(MN)

997888rarr AR0 [1198700]119872119878119870

119877MN119872119860119862 (119872119878119870) 119872119860119862 (1198700)

(14)

In this case if the adversary replays a part of (13) as in (14)with the compromised L3 key 119870

0 then the adversary can

share the same L3 key with a new AR so that the adversarycan hijack the current session

45 AAA Issues for Security and Billing FMIPv6 can sup-port handover across different administrative domains Asmentioned before if the two ARs belong to two differentadministrative domains there should be a prior roamingagreement between them for security and billing Typicallythe accounting data (information about MNrsquos resource con-sumption) collected by the network devices in the visitingdomain is carried by the accounting protocol to the homedomain FMIPv6 over IEEE 80211 is followed by the MIPv6BU (Binding Update) protocol whose role is to inform MNrsquosHA (Home Agent) of the current AR There are two ser-vice providers Network Access Service Provider (NSP) andMobility Service Provider (MSP) in MIPv6 bootstrappingenvironment [15] The IEEE 80211-based FMIPv6 servicecan be provided by the NSP offering a basic network accessservice to MN while the MIPv6 BU service is provided bythe MSP So when the MIPv6 BU protocol is initiated MSPrsquosauthorizer (AAA) will be interacted with the MN and ARwhich is beyond the scope of this paper

5 Performance Analysis and Comparison

In this section the three handover latencies from the previousschemes (Schemes 1 and 2) and from the proposed scheme(Scheme 3) are compared We first describe the analyticalmobility model for the performance evaluation and then we

8 Mobile Information Systems

Table 1 Security comparisons

Scheme 1 Scheme 2 Scheme 3[8] [9] [10] [proposed one]

L3L2 key management None None Yes YesInteraction with AAA Required Required Required Not requiredL3 key generation by AR by MN by MN by MNL2 key generation 8021x-EAP 8021x-EAP from L3 key from L3 keyProtection for UNA None Provided Provided ProvidedSecurity attack due to L3 key compromise Secure Secure Insecure Secure

analyze and compare the handover costs and the numericresults of the analysis

51 Analytical Mobility Model For the sake of simplicity asquare-shapednetworkmodel is used to analyze and comparethe performance of the protocol under the three differentschemes In the square-shaped network model coverage ofthe entire administrative domain and that of each AP areall square-shaped and119873 APs are uniformly distributed overthe area of the administrative FMIPv6 domain Figure 5shows the square-shapedmobilitymodel where the bold linesindicate the boundary of the subnet consisting of 4APs (AP

01

AP02 AP03 and AP

04) connected to AR

0

The handover procedure is performed by the MNbetween ARs and APs Hence the handover rate is closelyrelated to the mobility pattern of MN The Fluid Flow (FF)model is widely used to analyze issues related to cell boundarycrossing such as a handover [16]The FFmodel is suitable forMNs with a static speed and direction of motion We adaptthe FFmodel for use as themobilitymodel Let 119897 and 119871 denotethe perimeter of each AP and AR while V and 119901 respectivelydenote the average velocity and density of MN The MNsare uniformly distributed with a density 119901 and they moveat an average velocity of V in directions that are uniformlydistributed over [0 2120587] In the next analysis V is varied from01ms to 5ms and 119901 is set to 00002MNsm2 (200MNs perKm2) Let 119877

119888and 119877

119889be the crossing rates over the coverage

of each AP and AR respectively They are then defined asfollows

119877119888=

119901V119897120587

119877119889=

119901V119871120587

(where 119871 = 119897radic119873)

(15)

52 Handover Cost Analysis and Numerical Results In IEEE80211-based FMIPv6 an MN performs L2 and L3 handoverprocedures When an MN changes its current address to anew AR the MN performs an L3 handover procedure Onthe other hand if an MN changes its current AP to anotherone connected to the same AR then MN performs an L2handover procedure In this section the average handovercost per MN is defined as the sum of the cost of the L3handover and the cost of the L2 handover per unit time in

APs (L2 handover occurs)

ARs (L2 L3 handover occurs)

AP01

AP03 AP04

AP02

AR0

Figure 5 Square-shaped mobility model (119873 = 4)

order to provide results for the performance comparison Let119860119895be the average handover cost per MN in unit of time and

119868119895and119867

119895are the L3 handover cost and the L2 handover cost

for Scheme 119895 (= 1 2 3) respectively 119868119895and 119867

119895are defined

as the sum of the signaling cost 119878119895and the processing cost

119875119895for the L3 and L2 handovers respectively Based on (15)

the average handover cost per MN 119860119895 can be calculated as

follows [16] where119882AR is the area of an AR domain

119860119895=

(119877119889sdot 119868119895+ (119873 sdot 119877

119888minus 119877119889) sdot 119867119895)

(119901 sdot 119882AR)

(where 119868119895(119867119895) = 119878119895+ 119875119895)

(16)

The parameter descriptions and values for the performancecomparison referenced from [16] are defined in Table 2Note that the values other than 119901 V 119897 and119873 are defined ldquorel-ativelyrdquo for the purpose of this comparison so the handovercost does not indicate the actual authentication delay for thecorresponding scheme

Using the parameters in Table 2 the L2 and L3 handovercosts and the average handover cost can be calculated basedon (17) The 119875

119895MN 119875119895AP 119875119895AR0 119875119895AR1 and 119875119895AAA indicate

the processing costs on MN AP AR0 AR1 and AAA

respectively of Scheme 119895 and each of them is also calculatedfrom the cost of cryptographic operations such as 119862key and119862hash Let the number of hops between any two relatively close

Mobile Information Systems 9

Table 2 Parameters for evaluation

Symbol Description Valuep Density in a cell (MNsm2) 00002MNsm2

v Average velocity of an MN (ms) 5ms (01sim5)l Perimeter of APrsquos coverage (m) 120mN Number of APs in an AR 5APs (1sim10)119862enc 119862dec Encryption costdecryption cost 1119862key Key generation cost 1119862int Message integrity code cost 025119862hash Hash cost 025119862kdf KDF cost 025119862rand Random number generation cost 025119862hop Transmission cost on the hop 10119862pub Public key operation cost 10119862wired Unit of transmission cost for a wired link 1119862wireless Unit of transmission cost for a wireless link 15119863AP-AAA Number of hops between AP and AAA 10119863AP-AR Number of hops between AP and AR 2

network devices (such as MN-to-AP AP-to-AP and AR-to-AR) be 1 119886

119895119894and 119887119895119896are specific coefficients of Scheme 119895

119875119895= sum

119894isin119876

119886119895119894119875119895119894

where 119876 = 1198721198731198601198751198601198770 1198601198771 119860119860119860

119878119895= 119862hop [119862wireless

+ 119862wired (1198871198951 + 1198871198952119863AP-AAA + 119887

1198953119863AP-AR)]

(17)

The handover cost of each scheme evaluated according toTable 2 is shown in Figure 6 Figure 6(a) compares the L3handover costs of the three schemes It can be observed thatthe main contributor to the handover cost is the signalingcost 119878

119895 and the handover cost of the previous schemes is

larger than that of the proposed scheme as a result in thedifference of when the interaction between theMN and AAAis required Figure 6(b) shows the average handover cost perMN as the average velocity of the MN increases The densityof MN 119901 is set to 00002 the number of APs in an AR119873 isset to 5 and the velocity of anMNvaries from01ms to 5msThe average handover cost for three schemes increases as thevelocity increases Figure 6(c) shows the impact the numberof APs in an AR has on the average handover cost per MNThe density of MN 119901 is set to 00002 and the velocity of anMN V is set to 5 The average handover cost decreases as thenumber of APs in an AR increases

As we can see from Figures 6(a) 6(b) and 6(c) theproposed scheme is much more or slightly efficient than theprevious schemes Figure 6(d) shows the impacts that thevelocity of MN and the number of APs in an AR have onthe average handover cost for the proposed scheme Theaverage handover cost increases rapidly as the velocity of

MN increases However the average handover cost decreasesgradually as the number of APs in anAR increasesThereforethe velocity of MN rather than the number of APs in an ARis a more important factor to consider in order to achieve anefficient handover

6 Conclusions

We have designed a key management and security scheme toenhance L2L3 handover security and to reduce the authen-tication delay induced by the L3 handover The proposedscheme is based on the original IEEE 80211-based FMIPv6where first based on the security assumptions an initialnetwork access protocol has been proposed to bootstrap thesecurity associations among the network entities Second across-layer key management process has been introduced tointegrate the L2 key with the L3 key Namely the L3 key canbe judiciously employed to derive the L2 key so that the time-consuming IEEE 8021x-EAP authentication with the AAAcan be skipped Third a method for protecting the seven L3signaling messages has been proposed as well as a scheme tosecurely transport the L3 key to the target AR In particularthe case of a compromised L3 key has been considered forwhich even though the L3 key at the subnet of the currentAR is compromised an adversary with the compromisedL3 key cannot perform any kind of redirection attack Inother words a domino effect can be suppressed FMIPv6 overIEEE 80211 is followed by the MIPv6 BU (Binding Update)protocol which involves an interaction with the AAA of theMSP In the integrated scenario of MIPv6 bootstrapping theMSPplays the role of theNSP while theMSP andNSP are twodistinct service providers in the split scenario As a follow-up to the current research the AAA issues for security andbilling will be more investigated considering both the splitand integrated scenarios for MIPv6 bootstrapping

10 Mobile Information Systems

0

500

1000

1500H

ando

ver c

ost

Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

MN AP AAAEntities

AR0 AR1 Pj Sj

(a) L3 handover cost

0

50

100

150

200

05 1 15 2 25 3 35 4 45 5

Aver

age h

ando

ver c

ost

Velocity of MN (ms)

Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

(b) Average handover cost (119873 = 5)

0

50

100

150

200

250

300

350

1 2 3 4 5 6 7 8 9 10

Aver

age h

ando

ver c

ost

Number of APs in an AR (N)Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

(c) Average handover cost (V = 5)

hand

over

cost

= 1

= 4

= 7 = 10

050

100150200

12345678910

Aver

age

Number of APs in an AR (N)0ndash5050ndash100(d) Average handover cost of proposed scheme

Figure 6 Numerical Results

Notations

119872119860119862(119870) Message authentication code computedover all preceding message fields using asymmetric key 119870

[119898]119870 Encryption of119898 using symmetric key119870

119896119889119891(sdot) Key derivation function119877119883 Random number generated by119883 (119883 =

MN 0 for AR0 1 for AR

1)

Nonce Nonce parameterℎ(sdot) One-way hash functionℎ64(sdot) 64-bit truncation from the output of ℎ(sdot)

119870119894 L3 key shared between MN and AR

119894

119875119872119870119894 L2 key shared between MN and AP

119894

119875119870119883 119878119870119883 A pair of public and private keys of119883 used

for the signature119890119875119870119883 119890119878119870119883 A pair of public and private keys of119883 usedfor the encryption

119878119894119892(119878119870119883) A digital signature based on the signingprivate key 119878119870

119883covering all preceding

message fields[119898]119890119875119870

119883 Encryption of119898 with the public key 119890119875119870

119883

of119883 (119883 = MN 0 for AR0 1 for AR

1)

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This research was supported by the Employment Contractbased Master Degree Program for Information Securitysupervised by the KISA (Korea Internet Security Agency)and also supported by the MSIP (Ministry of Science ICT

Mobile Information Systems 11

and Future Planning) Republic of Korea under the CPRC(Communications Policy Research Center) Support Programsupervised by the KCA (Korea Communications Agency)(KCA-2013-003)

References

[1] R Koodli ldquoMobile IPv6 fast handoversrdquo RFC 5268 2008[2] C PerkinsD Johnson and J Arkko ldquoMobility support in IPv6rdquo

RFC 6725 2011[3] IEEE 80211 Wireless LAN Medium Access Control (MAC) and

Physical Layer (PHY) Specifications IEEE Standard 2012[4] B Aboba L Blunk J Vollbrecht J Carlson and H Levkowetz

ldquoExtensible authentication protocol (EAP)rdquo RFC 3748 2004[5] P McCann ldquoMobile IPv6 fast handovers for 80211 networksrdquo

RFC 4260 2005[6] Y SongM Liu Z Li andQ Li ldquoHandover latency of predictive

FMIPv6 in IEEE 80211 WLANs a cross layer perspectiverdquo inProceedings of the 18th International Conference on ComputerCommunications and Networks (ICCCN rsquo09) pp 1ndash6 SanFrancisco Calif USA August 2009

[7] M Alnas I Awan and R D W Holton ldquoPerformance eval-uation of fast handover in mobile IPv6 based on link-layerinformationrdquo Journal of Systems and Software vol 83 no 10pp 1644ndash1650 2010

[8] J Kempf and R Koodli ldquoDistributing a symmetric fast mobileIPv6 handover key using secure neighbor discoveryrdquo RFC 52692008

[9] C-S Park ldquoSecurity-enhanced fast mobile IPv6 handoverrdquoIEICE Transactions on Communications vol E93-B no 1 pp178ndash181 2010

[10] J Choi and S Jung ldquoAn integrated handover authentication forFMIPv6 over heterogeneous access link technologiesrdquoWirelessPersonal Communications vol 71 no 2 pp 839ndash856 2013

[11] L Xu Y He X Chen and X Huang ldquoTicket-based handoffauthentication for wireless mesh networksrdquo Computer Net-works vol 73 pp 185ndash194 2014

[12] R Singh and T P Sharma ldquoA key hiding communicationscheme for enhancing the wireless LAN securityrdquo WirelessPersonal Communications vol 77 no 2 pp 1145ndash1165 2014

[13] X Li F Bao S Li and J Ma ldquoFLAP An efficient WLAN initialaccess authentication protocolrdquo IEEE Transactions on Paralleland Distributed Systems vol 25 no 2 pp 488ndash497 2014

[14] I You K Sakurai and Y Hori ldquoA security analysis on Kempf-Koodlirsquos security scheme for fast Mobile IPv6rdquo IEICE Transac-tions on Communications vol 92 no 6 pp 2287ndash2290 2009

[15] K Chowdhury and A Yegin ldquoMobile IPv6 (MIPv6) bootstrap-ping for the integrated scenariordquo RFC 6621 2012

[16] G Li J Ma Q Jiang and X Chen ldquoA novel re-authenticationscheme based on tickets in wireless local area networksrdquo Journalof Parallel andDistributed Computing vol 71 no 7 pp 906ndash9142011

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

ArtificialNeural Systems

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

8 Mobile Information Systems

Table 1 Security comparisons

Scheme 1 Scheme 2 Scheme 3[8] [9] [10] [proposed one]

L3L2 key management None None Yes YesInteraction with AAA Required Required Required Not requiredL3 key generation by AR by MN by MN by MNL2 key generation 8021x-EAP 8021x-EAP from L3 key from L3 keyProtection for UNA None Provided Provided ProvidedSecurity attack due to L3 key compromise Secure Secure Insecure Secure

analyze and compare the handover costs and the numericresults of the analysis

51 Analytical Mobility Model For the sake of simplicity asquare-shapednetworkmodel is used to analyze and comparethe performance of the protocol under the three differentschemes In the square-shaped network model coverage ofthe entire administrative domain and that of each AP areall square-shaped and119873 APs are uniformly distributed overthe area of the administrative FMIPv6 domain Figure 5shows the square-shapedmobilitymodel where the bold linesindicate the boundary of the subnet consisting of 4APs (AP

01

AP02 AP03 and AP

04) connected to AR

0

The handover procedure is performed by the MNbetween ARs and APs Hence the handover rate is closelyrelated to the mobility pattern of MN The Fluid Flow (FF)model is widely used to analyze issues related to cell boundarycrossing such as a handover [16]The FFmodel is suitable forMNs with a static speed and direction of motion We adaptthe FFmodel for use as themobilitymodel Let 119897 and 119871 denotethe perimeter of each AP and AR while V and 119901 respectivelydenote the average velocity and density of MN The MNsare uniformly distributed with a density 119901 and they moveat an average velocity of V in directions that are uniformlydistributed over [0 2120587] In the next analysis V is varied from01ms to 5ms and 119901 is set to 00002MNsm2 (200MNs perKm2) Let 119877

119888and 119877

119889be the crossing rates over the coverage

of each AP and AR respectively They are then defined asfollows

119877119888=

119901V119897120587

119877119889=

119901V119871120587

(where 119871 = 119897radic119873)

(15)

52 Handover Cost Analysis and Numerical Results In IEEE80211-based FMIPv6 an MN performs L2 and L3 handoverprocedures When an MN changes its current address to anew AR the MN performs an L3 handover procedure Onthe other hand if an MN changes its current AP to anotherone connected to the same AR then MN performs an L2handover procedure In this section the average handovercost per MN is defined as the sum of the cost of the L3handover and the cost of the L2 handover per unit time in

APs (L2 handover occurs)

ARs (L2 L3 handover occurs)

AP01

AP03 AP04

AP02

AR0

Figure 5 Square-shaped mobility model (119873 = 4)

order to provide results for the performance comparison Let119860119895be the average handover cost per MN in unit of time and

119868119895and119867

119895are the L3 handover cost and the L2 handover cost

for Scheme 119895 (= 1 2 3) respectively 119868119895and 119867

119895are defined

as the sum of the signaling cost 119878119895and the processing cost

119875119895for the L3 and L2 handovers respectively Based on (15)

the average handover cost per MN 119860119895 can be calculated as

follows [16] where119882AR is the area of an AR domain

119860119895=

(119877119889sdot 119868119895+ (119873 sdot 119877

119888minus 119877119889) sdot 119867119895)

(119901 sdot 119882AR)

(where 119868119895(119867119895) = 119878119895+ 119875119895)

(16)

The parameter descriptions and values for the performancecomparison referenced from [16] are defined in Table 2Note that the values other than 119901 V 119897 and119873 are defined ldquorel-ativelyrdquo for the purpose of this comparison so the handovercost does not indicate the actual authentication delay for thecorresponding scheme

Using the parameters in Table 2 the L2 and L3 handovercosts and the average handover cost can be calculated basedon (17) The 119875

119895MN 119875119895AP 119875119895AR0 119875119895AR1 and 119875119895AAA indicate

the processing costs on MN AP AR0 AR1 and AAA

respectively of Scheme 119895 and each of them is also calculatedfrom the cost of cryptographic operations such as 119862key and119862hash Let the number of hops between any two relatively close

Mobile Information Systems 9

Table 2 Parameters for evaluation

Symbol Description Valuep Density in a cell (MNsm2) 00002MNsm2

v Average velocity of an MN (ms) 5ms (01sim5)l Perimeter of APrsquos coverage (m) 120mN Number of APs in an AR 5APs (1sim10)119862enc 119862dec Encryption costdecryption cost 1119862key Key generation cost 1119862int Message integrity code cost 025119862hash Hash cost 025119862kdf KDF cost 025119862rand Random number generation cost 025119862hop Transmission cost on the hop 10119862pub Public key operation cost 10119862wired Unit of transmission cost for a wired link 1119862wireless Unit of transmission cost for a wireless link 15119863AP-AAA Number of hops between AP and AAA 10119863AP-AR Number of hops between AP and AR 2

network devices (such as MN-to-AP AP-to-AP and AR-to-AR) be 1 119886

119895119894and 119887119895119896are specific coefficients of Scheme 119895

119875119895= sum

119894isin119876

119886119895119894119875119895119894

where 119876 = 1198721198731198601198751198601198770 1198601198771 119860119860119860

119878119895= 119862hop [119862wireless

+ 119862wired (1198871198951 + 1198871198952119863AP-AAA + 119887

1198953119863AP-AR)]

(17)

The handover cost of each scheme evaluated according toTable 2 is shown in Figure 6 Figure 6(a) compares the L3handover costs of the three schemes It can be observed thatthe main contributor to the handover cost is the signalingcost 119878

119895 and the handover cost of the previous schemes is

larger than that of the proposed scheme as a result in thedifference of when the interaction between theMN and AAAis required Figure 6(b) shows the average handover cost perMN as the average velocity of the MN increases The densityof MN 119901 is set to 00002 the number of APs in an AR119873 isset to 5 and the velocity of anMNvaries from01ms to 5msThe average handover cost for three schemes increases as thevelocity increases Figure 6(c) shows the impact the numberof APs in an AR has on the average handover cost per MNThe density of MN 119901 is set to 00002 and the velocity of anMN V is set to 5 The average handover cost decreases as thenumber of APs in an AR increases

As we can see from Figures 6(a) 6(b) and 6(c) theproposed scheme is much more or slightly efficient than theprevious schemes Figure 6(d) shows the impacts that thevelocity of MN and the number of APs in an AR have onthe average handover cost for the proposed scheme Theaverage handover cost increases rapidly as the velocity of

MN increases However the average handover cost decreasesgradually as the number of APs in anAR increasesThereforethe velocity of MN rather than the number of APs in an ARis a more important factor to consider in order to achieve anefficient handover

6 Conclusions

We have designed a key management and security scheme toenhance L2L3 handover security and to reduce the authen-tication delay induced by the L3 handover The proposedscheme is based on the original IEEE 80211-based FMIPv6where first based on the security assumptions an initialnetwork access protocol has been proposed to bootstrap thesecurity associations among the network entities Second across-layer key management process has been introduced tointegrate the L2 key with the L3 key Namely the L3 key canbe judiciously employed to derive the L2 key so that the time-consuming IEEE 8021x-EAP authentication with the AAAcan be skipped Third a method for protecting the seven L3signaling messages has been proposed as well as a scheme tosecurely transport the L3 key to the target AR In particularthe case of a compromised L3 key has been considered forwhich even though the L3 key at the subnet of the currentAR is compromised an adversary with the compromisedL3 key cannot perform any kind of redirection attack Inother words a domino effect can be suppressed FMIPv6 overIEEE 80211 is followed by the MIPv6 BU (Binding Update)protocol which involves an interaction with the AAA of theMSP In the integrated scenario of MIPv6 bootstrapping theMSPplays the role of theNSP while theMSP andNSP are twodistinct service providers in the split scenario As a follow-up to the current research the AAA issues for security andbilling will be more investigated considering both the splitand integrated scenarios for MIPv6 bootstrapping

10 Mobile Information Systems

0

500

1000

1500H

ando

ver c

ost

Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

MN AP AAAEntities

AR0 AR1 Pj Sj

(a) L3 handover cost

0

50

100

150

200

05 1 15 2 25 3 35 4 45 5

Aver

age h

ando

ver c

ost

Velocity of MN (ms)

Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

(b) Average handover cost (119873 = 5)

0

50

100

150

200

250

300

350

1 2 3 4 5 6 7 8 9 10

Aver

age h

ando

ver c

ost

Number of APs in an AR (N)Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

(c) Average handover cost (V = 5)

hand

over

cost

= 1

= 4

= 7 = 10

050

100150200

12345678910

Aver

age

Number of APs in an AR (N)0ndash5050ndash100(d) Average handover cost of proposed scheme

Figure 6 Numerical Results

Notations

119872119860119862(119870) Message authentication code computedover all preceding message fields using asymmetric key 119870

[119898]119870 Encryption of119898 using symmetric key119870

119896119889119891(sdot) Key derivation function119877119883 Random number generated by119883 (119883 =

MN 0 for AR0 1 for AR

1)

Nonce Nonce parameterℎ(sdot) One-way hash functionℎ64(sdot) 64-bit truncation from the output of ℎ(sdot)

119870119894 L3 key shared between MN and AR

119894

119875119872119870119894 L2 key shared between MN and AP

119894

119875119870119883 119878119870119883 A pair of public and private keys of119883 used

for the signature119890119875119870119883 119890119878119870119883 A pair of public and private keys of119883 usedfor the encryption

119878119894119892(119878119870119883) A digital signature based on the signingprivate key 119878119870

119883covering all preceding

message fields[119898]119890119875119870

119883 Encryption of119898 with the public key 119890119875119870

119883

of119883 (119883 = MN 0 for AR0 1 for AR

1)

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This research was supported by the Employment Contractbased Master Degree Program for Information Securitysupervised by the KISA (Korea Internet Security Agency)and also supported by the MSIP (Ministry of Science ICT

Mobile Information Systems 11

and Future Planning) Republic of Korea under the CPRC(Communications Policy Research Center) Support Programsupervised by the KCA (Korea Communications Agency)(KCA-2013-003)

References

[1] R Koodli ldquoMobile IPv6 fast handoversrdquo RFC 5268 2008[2] C PerkinsD Johnson and J Arkko ldquoMobility support in IPv6rdquo

RFC 6725 2011[3] IEEE 80211 Wireless LAN Medium Access Control (MAC) and

Physical Layer (PHY) Specifications IEEE Standard 2012[4] B Aboba L Blunk J Vollbrecht J Carlson and H Levkowetz

ldquoExtensible authentication protocol (EAP)rdquo RFC 3748 2004[5] P McCann ldquoMobile IPv6 fast handovers for 80211 networksrdquo

RFC 4260 2005[6] Y SongM Liu Z Li andQ Li ldquoHandover latency of predictive

FMIPv6 in IEEE 80211 WLANs a cross layer perspectiverdquo inProceedings of the 18th International Conference on ComputerCommunications and Networks (ICCCN rsquo09) pp 1ndash6 SanFrancisco Calif USA August 2009

[7] M Alnas I Awan and R D W Holton ldquoPerformance eval-uation of fast handover in mobile IPv6 based on link-layerinformationrdquo Journal of Systems and Software vol 83 no 10pp 1644ndash1650 2010

[8] J Kempf and R Koodli ldquoDistributing a symmetric fast mobileIPv6 handover key using secure neighbor discoveryrdquo RFC 52692008

[9] C-S Park ldquoSecurity-enhanced fast mobile IPv6 handoverrdquoIEICE Transactions on Communications vol E93-B no 1 pp178ndash181 2010

[10] J Choi and S Jung ldquoAn integrated handover authentication forFMIPv6 over heterogeneous access link technologiesrdquoWirelessPersonal Communications vol 71 no 2 pp 839ndash856 2013

[11] L Xu Y He X Chen and X Huang ldquoTicket-based handoffauthentication for wireless mesh networksrdquo Computer Net-works vol 73 pp 185ndash194 2014

[12] R Singh and T P Sharma ldquoA key hiding communicationscheme for enhancing the wireless LAN securityrdquo WirelessPersonal Communications vol 77 no 2 pp 1145ndash1165 2014

[13] X Li F Bao S Li and J Ma ldquoFLAP An efficient WLAN initialaccess authentication protocolrdquo IEEE Transactions on Paralleland Distributed Systems vol 25 no 2 pp 488ndash497 2014

[14] I You K Sakurai and Y Hori ldquoA security analysis on Kempf-Koodlirsquos security scheme for fast Mobile IPv6rdquo IEICE Transac-tions on Communications vol 92 no 6 pp 2287ndash2290 2009

[15] K Chowdhury and A Yegin ldquoMobile IPv6 (MIPv6) bootstrap-ping for the integrated scenariordquo RFC 6621 2012

[16] G Li J Ma Q Jiang and X Chen ldquoA novel re-authenticationscheme based on tickets in wireless local area networksrdquo Journalof Parallel andDistributed Computing vol 71 no 7 pp 906ndash9142011

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

ArtificialNeural Systems

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mobile Information Systems 9

Table 2 Parameters for evaluation

Symbol Description Valuep Density in a cell (MNsm2) 00002MNsm2

v Average velocity of an MN (ms) 5ms (01sim5)l Perimeter of APrsquos coverage (m) 120mN Number of APs in an AR 5APs (1sim10)119862enc 119862dec Encryption costdecryption cost 1119862key Key generation cost 1119862int Message integrity code cost 025119862hash Hash cost 025119862kdf KDF cost 025119862rand Random number generation cost 025119862hop Transmission cost on the hop 10119862pub Public key operation cost 10119862wired Unit of transmission cost for a wired link 1119862wireless Unit of transmission cost for a wireless link 15119863AP-AAA Number of hops between AP and AAA 10119863AP-AR Number of hops between AP and AR 2

network devices (such as MN-to-AP AP-to-AP and AR-to-AR) be 1 119886

119895119894and 119887119895119896are specific coefficients of Scheme 119895

119875119895= sum

119894isin119876

119886119895119894119875119895119894

where 119876 = 1198721198731198601198751198601198770 1198601198771 119860119860119860

119878119895= 119862hop [119862wireless

+ 119862wired (1198871198951 + 1198871198952119863AP-AAA + 119887

1198953119863AP-AR)]

(17)

The handover cost of each scheme evaluated according toTable 2 is shown in Figure 6 Figure 6(a) compares the L3handover costs of the three schemes It can be observed thatthe main contributor to the handover cost is the signalingcost 119878

119895 and the handover cost of the previous schemes is

larger than that of the proposed scheme as a result in thedifference of when the interaction between theMN and AAAis required Figure 6(b) shows the average handover cost perMN as the average velocity of the MN increases The densityof MN 119901 is set to 00002 the number of APs in an AR119873 isset to 5 and the velocity of anMNvaries from01ms to 5msThe average handover cost for three schemes increases as thevelocity increases Figure 6(c) shows the impact the numberof APs in an AR has on the average handover cost per MNThe density of MN 119901 is set to 00002 and the velocity of anMN V is set to 5 The average handover cost decreases as thenumber of APs in an AR increases

As we can see from Figures 6(a) 6(b) and 6(c) theproposed scheme is much more or slightly efficient than theprevious schemes Figure 6(d) shows the impacts that thevelocity of MN and the number of APs in an AR have onthe average handover cost for the proposed scheme Theaverage handover cost increases rapidly as the velocity of

MN increases However the average handover cost decreasesgradually as the number of APs in anAR increasesThereforethe velocity of MN rather than the number of APs in an ARis a more important factor to consider in order to achieve anefficient handover

6 Conclusions

We have designed a key management and security scheme toenhance L2L3 handover security and to reduce the authen-tication delay induced by the L3 handover The proposedscheme is based on the original IEEE 80211-based FMIPv6where first based on the security assumptions an initialnetwork access protocol has been proposed to bootstrap thesecurity associations among the network entities Second across-layer key management process has been introduced tointegrate the L2 key with the L3 key Namely the L3 key canbe judiciously employed to derive the L2 key so that the time-consuming IEEE 8021x-EAP authentication with the AAAcan be skipped Third a method for protecting the seven L3signaling messages has been proposed as well as a scheme tosecurely transport the L3 key to the target AR In particularthe case of a compromised L3 key has been considered forwhich even though the L3 key at the subnet of the currentAR is compromised an adversary with the compromisedL3 key cannot perform any kind of redirection attack Inother words a domino effect can be suppressed FMIPv6 overIEEE 80211 is followed by the MIPv6 BU (Binding Update)protocol which involves an interaction with the AAA of theMSP In the integrated scenario of MIPv6 bootstrapping theMSPplays the role of theNSP while theMSP andNSP are twodistinct service providers in the split scenario As a follow-up to the current research the AAA issues for security andbilling will be more investigated considering both the splitand integrated scenarios for MIPv6 bootstrapping

10 Mobile Information Systems

0

500

1000

1500H

ando

ver c

ost

Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

MN AP AAAEntities

AR0 AR1 Pj Sj

(a) L3 handover cost

0

50

100

150

200

05 1 15 2 25 3 35 4 45 5

Aver

age h

ando

ver c

ost

Velocity of MN (ms)

Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

(b) Average handover cost (119873 = 5)

0

50

100

150

200

250

300

350

1 2 3 4 5 6 7 8 9 10

Aver

age h

ando

ver c

ost

Number of APs in an AR (N)Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

(c) Average handover cost (V = 5)

hand

over

cost

= 1

= 4

= 7 = 10

050

100150200

12345678910

Aver

age

Number of APs in an AR (N)0ndash5050ndash100(d) Average handover cost of proposed scheme

Figure 6 Numerical Results

Notations

119872119860119862(119870) Message authentication code computedover all preceding message fields using asymmetric key 119870

[119898]119870 Encryption of119898 using symmetric key119870

119896119889119891(sdot) Key derivation function119877119883 Random number generated by119883 (119883 =

MN 0 for AR0 1 for AR

1)

Nonce Nonce parameterℎ(sdot) One-way hash functionℎ64(sdot) 64-bit truncation from the output of ℎ(sdot)

119870119894 L3 key shared between MN and AR

119894

119875119872119870119894 L2 key shared between MN and AP

119894

119875119870119883 119878119870119883 A pair of public and private keys of119883 used

for the signature119890119875119870119883 119890119878119870119883 A pair of public and private keys of119883 usedfor the encryption

119878119894119892(119878119870119883) A digital signature based on the signingprivate key 119878119870

119883covering all preceding

message fields[119898]119890119875119870

119883 Encryption of119898 with the public key 119890119875119870

119883

of119883 (119883 = MN 0 for AR0 1 for AR

1)

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This research was supported by the Employment Contractbased Master Degree Program for Information Securitysupervised by the KISA (Korea Internet Security Agency)and also supported by the MSIP (Ministry of Science ICT

Mobile Information Systems 11

and Future Planning) Republic of Korea under the CPRC(Communications Policy Research Center) Support Programsupervised by the KCA (Korea Communications Agency)(KCA-2013-003)

References

[1] R Koodli ldquoMobile IPv6 fast handoversrdquo RFC 5268 2008[2] C PerkinsD Johnson and J Arkko ldquoMobility support in IPv6rdquo

RFC 6725 2011[3] IEEE 80211 Wireless LAN Medium Access Control (MAC) and

Physical Layer (PHY) Specifications IEEE Standard 2012[4] B Aboba L Blunk J Vollbrecht J Carlson and H Levkowetz

ldquoExtensible authentication protocol (EAP)rdquo RFC 3748 2004[5] P McCann ldquoMobile IPv6 fast handovers for 80211 networksrdquo

RFC 4260 2005[6] Y SongM Liu Z Li andQ Li ldquoHandover latency of predictive

FMIPv6 in IEEE 80211 WLANs a cross layer perspectiverdquo inProceedings of the 18th International Conference on ComputerCommunications and Networks (ICCCN rsquo09) pp 1ndash6 SanFrancisco Calif USA August 2009

[7] M Alnas I Awan and R D W Holton ldquoPerformance eval-uation of fast handover in mobile IPv6 based on link-layerinformationrdquo Journal of Systems and Software vol 83 no 10pp 1644ndash1650 2010

[8] J Kempf and R Koodli ldquoDistributing a symmetric fast mobileIPv6 handover key using secure neighbor discoveryrdquo RFC 52692008

[9] C-S Park ldquoSecurity-enhanced fast mobile IPv6 handoverrdquoIEICE Transactions on Communications vol E93-B no 1 pp178ndash181 2010

[10] J Choi and S Jung ldquoAn integrated handover authentication forFMIPv6 over heterogeneous access link technologiesrdquoWirelessPersonal Communications vol 71 no 2 pp 839ndash856 2013

[11] L Xu Y He X Chen and X Huang ldquoTicket-based handoffauthentication for wireless mesh networksrdquo Computer Net-works vol 73 pp 185ndash194 2014

[12] R Singh and T P Sharma ldquoA key hiding communicationscheme for enhancing the wireless LAN securityrdquo WirelessPersonal Communications vol 77 no 2 pp 1145ndash1165 2014

[13] X Li F Bao S Li and J Ma ldquoFLAP An efficient WLAN initialaccess authentication protocolrdquo IEEE Transactions on Paralleland Distributed Systems vol 25 no 2 pp 488ndash497 2014

[14] I You K Sakurai and Y Hori ldquoA security analysis on Kempf-Koodlirsquos security scheme for fast Mobile IPv6rdquo IEICE Transac-tions on Communications vol 92 no 6 pp 2287ndash2290 2009

[15] K Chowdhury and A Yegin ldquoMobile IPv6 (MIPv6) bootstrap-ping for the integrated scenariordquo RFC 6621 2012

[16] G Li J Ma Q Jiang and X Chen ldquoA novel re-authenticationscheme based on tickets in wireless local area networksrdquo Journalof Parallel andDistributed Computing vol 71 no 7 pp 906ndash9142011

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

ArtificialNeural Systems

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

10 Mobile Information Systems

0

500

1000

1500H

ando

ver c

ost

Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

MN AP AAAEntities

AR0 AR1 Pj Sj

(a) L3 handover cost

0

50

100

150

200

05 1 15 2 25 3 35 4 45 5

Aver

age h

ando

ver c

ost

Velocity of MN (ms)

Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

(b) Average handover cost (119873 = 5)

0

50

100

150

200

250

300

350

1 2 3 4 5 6 7 8 9 10

Aver

age h

ando

ver c

ost

Number of APs in an AR (N)Scheme 1 [8 9]Scheme 2 [10]

Scheme 3 [proposed]

(c) Average handover cost (V = 5)

hand

over

cost

= 1

= 4

= 7 = 10

050

100150200

12345678910

Aver

age

Number of APs in an AR (N)0ndash5050ndash100(d) Average handover cost of proposed scheme

Figure 6 Numerical Results

Notations

119872119860119862(119870) Message authentication code computedover all preceding message fields using asymmetric key 119870

[119898]119870 Encryption of119898 using symmetric key119870

119896119889119891(sdot) Key derivation function119877119883 Random number generated by119883 (119883 =

MN 0 for AR0 1 for AR

1)

Nonce Nonce parameterℎ(sdot) One-way hash functionℎ64(sdot) 64-bit truncation from the output of ℎ(sdot)

119870119894 L3 key shared between MN and AR

119894

119875119872119870119894 L2 key shared between MN and AP

119894

119875119870119883 119878119870119883 A pair of public and private keys of119883 used

for the signature119890119875119870119883 119890119878119870119883 A pair of public and private keys of119883 usedfor the encryption

119878119894119892(119878119870119883) A digital signature based on the signingprivate key 119878119870

119883covering all preceding

message fields[119898]119890119875119870

119883 Encryption of119898 with the public key 119890119875119870

119883

of119883 (119883 = MN 0 for AR0 1 for AR

1)

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This research was supported by the Employment Contractbased Master Degree Program for Information Securitysupervised by the KISA (Korea Internet Security Agency)and also supported by the MSIP (Ministry of Science ICT

Mobile Information Systems 11

and Future Planning) Republic of Korea under the CPRC(Communications Policy Research Center) Support Programsupervised by the KCA (Korea Communications Agency)(KCA-2013-003)

References

[1] R Koodli ldquoMobile IPv6 fast handoversrdquo RFC 5268 2008[2] C PerkinsD Johnson and J Arkko ldquoMobility support in IPv6rdquo

RFC 6725 2011[3] IEEE 80211 Wireless LAN Medium Access Control (MAC) and

Physical Layer (PHY) Specifications IEEE Standard 2012[4] B Aboba L Blunk J Vollbrecht J Carlson and H Levkowetz

ldquoExtensible authentication protocol (EAP)rdquo RFC 3748 2004[5] P McCann ldquoMobile IPv6 fast handovers for 80211 networksrdquo

RFC 4260 2005[6] Y SongM Liu Z Li andQ Li ldquoHandover latency of predictive

FMIPv6 in IEEE 80211 WLANs a cross layer perspectiverdquo inProceedings of the 18th International Conference on ComputerCommunications and Networks (ICCCN rsquo09) pp 1ndash6 SanFrancisco Calif USA August 2009

[7] M Alnas I Awan and R D W Holton ldquoPerformance eval-uation of fast handover in mobile IPv6 based on link-layerinformationrdquo Journal of Systems and Software vol 83 no 10pp 1644ndash1650 2010

[8] J Kempf and R Koodli ldquoDistributing a symmetric fast mobileIPv6 handover key using secure neighbor discoveryrdquo RFC 52692008

[9] C-S Park ldquoSecurity-enhanced fast mobile IPv6 handoverrdquoIEICE Transactions on Communications vol E93-B no 1 pp178ndash181 2010

[10] J Choi and S Jung ldquoAn integrated handover authentication forFMIPv6 over heterogeneous access link technologiesrdquoWirelessPersonal Communications vol 71 no 2 pp 839ndash856 2013

[11] L Xu Y He X Chen and X Huang ldquoTicket-based handoffauthentication for wireless mesh networksrdquo Computer Net-works vol 73 pp 185ndash194 2014

[12] R Singh and T P Sharma ldquoA key hiding communicationscheme for enhancing the wireless LAN securityrdquo WirelessPersonal Communications vol 77 no 2 pp 1145ndash1165 2014

[13] X Li F Bao S Li and J Ma ldquoFLAP An efficient WLAN initialaccess authentication protocolrdquo IEEE Transactions on Paralleland Distributed Systems vol 25 no 2 pp 488ndash497 2014

[14] I You K Sakurai and Y Hori ldquoA security analysis on Kempf-Koodlirsquos security scheme for fast Mobile IPv6rdquo IEICE Transac-tions on Communications vol 92 no 6 pp 2287ndash2290 2009

[15] K Chowdhury and A Yegin ldquoMobile IPv6 (MIPv6) bootstrap-ping for the integrated scenariordquo RFC 6621 2012

[16] G Li J Ma Q Jiang and X Chen ldquoA novel re-authenticationscheme based on tickets in wireless local area networksrdquo Journalof Parallel andDistributed Computing vol 71 no 7 pp 906ndash9142011

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

ArtificialNeural Systems

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mobile Information Systems 11

and Future Planning) Republic of Korea under the CPRC(Communications Policy Research Center) Support Programsupervised by the KCA (Korea Communications Agency)(KCA-2013-003)

References

[1] R Koodli ldquoMobile IPv6 fast handoversrdquo RFC 5268 2008[2] C PerkinsD Johnson and J Arkko ldquoMobility support in IPv6rdquo

RFC 6725 2011[3] IEEE 80211 Wireless LAN Medium Access Control (MAC) and

Physical Layer (PHY) Specifications IEEE Standard 2012[4] B Aboba L Blunk J Vollbrecht J Carlson and H Levkowetz

ldquoExtensible authentication protocol (EAP)rdquo RFC 3748 2004[5] P McCann ldquoMobile IPv6 fast handovers for 80211 networksrdquo

RFC 4260 2005[6] Y SongM Liu Z Li andQ Li ldquoHandover latency of predictive

FMIPv6 in IEEE 80211 WLANs a cross layer perspectiverdquo inProceedings of the 18th International Conference on ComputerCommunications and Networks (ICCCN rsquo09) pp 1ndash6 SanFrancisco Calif USA August 2009

[7] M Alnas I Awan and R D W Holton ldquoPerformance eval-uation of fast handover in mobile IPv6 based on link-layerinformationrdquo Journal of Systems and Software vol 83 no 10pp 1644ndash1650 2010

[8] J Kempf and R Koodli ldquoDistributing a symmetric fast mobileIPv6 handover key using secure neighbor discoveryrdquo RFC 52692008

[9] C-S Park ldquoSecurity-enhanced fast mobile IPv6 handoverrdquoIEICE Transactions on Communications vol E93-B no 1 pp178ndash181 2010

[10] J Choi and S Jung ldquoAn integrated handover authentication forFMIPv6 over heterogeneous access link technologiesrdquoWirelessPersonal Communications vol 71 no 2 pp 839ndash856 2013

[11] L Xu Y He X Chen and X Huang ldquoTicket-based handoffauthentication for wireless mesh networksrdquo Computer Net-works vol 73 pp 185ndash194 2014

[12] R Singh and T P Sharma ldquoA key hiding communicationscheme for enhancing the wireless LAN securityrdquo WirelessPersonal Communications vol 77 no 2 pp 1145ndash1165 2014

[13] X Li F Bao S Li and J Ma ldquoFLAP An efficient WLAN initialaccess authentication protocolrdquo IEEE Transactions on Paralleland Distributed Systems vol 25 no 2 pp 488ndash497 2014

[14] I You K Sakurai and Y Hori ldquoA security analysis on Kempf-Koodlirsquos security scheme for fast Mobile IPv6rdquo IEICE Transac-tions on Communications vol 92 no 6 pp 2287ndash2290 2009

[15] K Chowdhury and A Yegin ldquoMobile IPv6 (MIPv6) bootstrap-ping for the integrated scenariordquo RFC 6621 2012

[16] G Li J Ma Q Jiang and X Chen ldquoA novel re-authenticationscheme based on tickets in wireless local area networksrdquo Journalof Parallel andDistributed Computing vol 71 no 7 pp 906ndash9142011

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

ArtificialNeural Systems

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

ArtificialNeural Systems

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014