An access authentication protocol for trusted handoff in wireless mesh networks


Authors: Peng Xiao, Jingsha He, Yingfang Fu
PII: S0920-5489(13)00095-0
DOI: 10.1016/j.csi.2013.08.016
Reference: CSI 2923
To appear in: Computer Standards & Interfaces
Received date: 15 January 2013
Revised date: 22 August 2013
Accepted date: 24 August 2013

Please cite this article as: Peng Xiao, Jingsha He, Yingfang Fu, An Access Authentication Protocol for Trusted Handoff in Wireless Mesh Networks, Computer Standards & Interfaces (2013), doi: 10.1016/j.csi.2013.08.016

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

Peng Xiao1, Jingsha He2* and Yingfang Fu1

1 College of Computer Science and Technology, Beijing University of Technology, Beijing 100124, China. [email protected], [email protected]
2 School of Software Engineering, Beijing University of Technology, Beijing 100124, China. [email protected], +86-10-67396061

Abstract: WMNs (Wireless Mesh Networks) are a new wireless broadband network structure based completely on IP technologies and have rapidly become a broadband access measure that offers high capacity, high speed and wide coverage. Trusted handoff in WMNs requires that mobile nodes complete access authentication not only with a short delay, but also with security protection for the mobile nodes as well as the handoff network. In this paper, we propose a trusted handoff protocol based on several technologies, such as a hierarchical network model, ECC (Elliptic Curve Cryptography), trust evaluation and grey relevance analysis. In the protocol, the mobile platform’s configuration must be measured before access to the handoff network can proceed, and only those platforms whose configuration meets the security requirements are allowed to access the network. We also verify the security properties through formal analysis based on an enhanced Strand model and evaluate the performance of the proposed protocol through simulation to show that our protocol is more advantageous than the EMSA (Efficient Mesh Security Association) authentication scheme in terms of success rate and average delay.

Key words: wireless mesh network; seamless handoff; security; access authentication; trusted network connect.

I. INTRODUCTION

WMNs are a new wireless network structure that is expected to remove the restrictions of Ad Hoc networks, WLANs (Wireless Local Area Networks), WPANs (Wireless Personal Area Networks) and WMANs (Wireless Metropolitan Area Networks), and will be used to establish commercial wireless mobile networks. Combining the advantages that WLANs and Ad Hoc networks can offer, WMNs are a wireless broadband network structure based completely on IP technologies and are becoming an increasingly effective broadband access measure that can provide high capacity, high speed and wide coverage. To some extent, WMNs are mainly a network design idea with features including no-center, self-organization, multi-hops, best routing-judgment, etc. [1]

Since a WMN doesn’t rely on fixed infrastructure and is operated in an open space, any user within the coverage area of the radio waves can access the network. Therefore, secure access authentication is the first provision to prevent unauthorized users from accessing the network. [2,3,4] For handoff in WMNs, it is required that mobile nodes complete access authentication not only with a short delay, but also with protection for the mobile nodes as well as the handoff network.

Past practice in the areas of information security has shown that most security problems come not just from the network but more from terminal nodes. [5,6,7] Thus, the original idea of trusted computing was proposed to ensure the security of network terminals. Moreover, trusted computing is relied upon to secure the entire computer system through successive steps. First, a root of trust is established to construct a chain of trust, namely, from the root to the hardware platform to the operating system and finally to applications. Thus, trust can spread to the entire system through graded trusted authentications.
For handoff in a WMN, the platform’s configuration must be measured before access to the network can proceed, and only those platforms whose configuration meets the security demands of the network are allowed to access the network. Consequently, a terminal that poses a potential threat cannot gain access to the network directly. Moreover, the terminal can verify the security of the AP (Access Point) with which it is associated and will only connect to the network when it satisfies the terminal’s security demands. [8]

Based on the current 802.1x authentication scheme and trusted computing technologies, we present a trusted handoff protocol in this paper to ensure security and trust in WMNs. Our goal in the design of the protocol is to ensure that only a legitimate user operating on a trusted platform can complete handoff to a new secure network without too much sacrifice in performance. In addition to proposing a trust-based authentication protocol to achieve the above goal for secure handoff from one network zone to another, our other contributions in this paper include the following. We propose a trust model for the trust evaluation of both starting and runtime system states, prove the security properties of the protocol through formal analysis based on an enhanced Strand model, evaluate the performance of the protocol in terms of success rate and handoff delay using simulation, and compare our protocol to a comparable scheme to demonstrate the advantages of our protocol over the other scheme.

The rest of this paper is organized as follows. Section II reviews some related work on handoff protocols in WMNs. Section III provides some background information on TPM (Trusted Platform Module) and TNC (Trusted Network Connect). Section IV contains a zone-based hierarchical network model for hybrid WMNs and a universal handoff model in WMNs. Section V describes the method for evaluating the trust degrees of both the starting and the runtime states in a trusted system. Section VI presents our handoff protocol, which is based on several technologies such as the hierarchical network model, ECC, trust evaluation and grey relevance analysis. Then, a formal analysis of the security properties of the protocol based on the strand space model and a demonstration of the security performance based on experiment results are provided in Sections VII and VIII, respectively. Finally, Section IX concludes the paper and also contains a description of our future work.


II. RELATED WORK


The IEEE 802.11 [9] protocol outlines the basic steps of the handoff process. Unfortunately, the handoff latency of the original protocol is several hundred milliseconds [10] while real-time applications require that MAC layer handoff latency be 50 ms or lower. As a result, a lot of work has been done to reduce the handoff latency in recent years. However, most of the work has failed to consider a complete authentication process which is useful in real scenarios.

MIP (Mobile IP) is the most widely known mobility management proposal and has, thus, become the most common solution that can offer seamless handoff to mobile devices on the Internet. [11] Essentially, MIP uses two addresses to handle the movement of the user. Every time the MN (Mobile Node) connects to a foreign network, it obtains a temporary address called CoA (Care-of-Address) from a mobile agent called FA (Foreign Agent) through the exchange of ASAA (Agent Solicitation and Agent Advertisement) messages. However, MIP was originally designed to operate at L3 (Layer 3) only regardless of the underlying link layer (L2). This approach thus implies a clear separation between L2 and L3 handoff functionality, which may lead to unacceptable handoff latency. Actually, the messages generated by the registration process need some time to propagate through the network and the MN is unable to send or receive packets during that time. [12]

IEEE P802.11s™/D1.01 [13] provides an EMSA (Efficient Mesh Security Association) authentication scheme based on the IEEE 802.11i standard where the 802.1x scheme and four handshakes are adopted to implement access authentication and key establishment. EMSA can be used to achieve efficient establishment of link security between two MNs in a WMN. It relies on a mesh key hierarchy in which keys are derived through the use of a PSK or when an MN performs IEEE 802.1X authentication. EMSA makes use of EAP (Extensible Authentication Protocol) just like EAP-SIM (Subscriber Identity Module), EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled Transport Layer Security) and PEAP (Protected Extensible Authentication Protocol). However, handoff in WMNs is not adequately addressed in EMSA, primarily because EMSA cannot meet the requirements of performance and identity protection in handoff.

A predictive authentication scheme is proposed in [14] using FHR (Frequent Handoff Region). In the scheme, a statistical method is used to model the mobility pattern of the mobile terminal. A set of access points are selected as the FHR access points with which the mobile terminal may be associated in the near future. Before handoff, the mobile terminal sends an authentication request to the authentication server and the authentication server sends the authentication response to the FHR access points with authentication information. During handoff, the mobile terminal only needs to exchange a few messages with the new access point. However, how to select an appropriate FHR member and establish a secure connection with the FHR is not adequately addressed in the paper.

A scheme for efficient mobility management in WMNs was presented in [15]. In the scheme, a new model of location service is proposed based on several design principles. First, the proposal distinguishes between an allotted address, which changes according to the geographical location of the node, and a persistent identifier, which remains unchanged despite the movement. This requirement thus needs the presence of a mapping service to locate each station and can be carried out by installing a “Distributed Location Service”, resulting in additional centralized equipment in the network. In addition, the scheme causes additional resource consumption and great computation latency.

An efficient and robust identity-based handoff authentication scheme in wireless networks was proposed in [16] in which a special double-trapdoor chameleon hash function is the key. Compared to other existing identity-based handoff schemes, the main advantage of this scheme is to remove the assumption that the PKG (Private Key Generator) must be fully trusted, which could result in high security and simple deployment. However, this scheme is more suitable for WLAN since in a multi-hop WMN, there may not be any PKG in a more complicated environment.

III. TPM AND TNC

A TPM (Trusted Platform Module) is usually implemented on a chip and is hence integrated into the hardware of a platform, such as a PC, a laptop, a PDA or a mobile phone. A property of the TPM is that it owns shielded locations, meaning that only the TPM itself can access the storage inside the TPM, as well as protected functionality, meaning that the functions computed inside the TPM cannot be tampered with and can only be accessed directly via TPM commands or via the higher layer application interfaces of the TSS (TCG Software Stack). In order to verify the configuration of a platform, all parts engaged in the boot process of the platform, e.g. BIOS and master boot record, are measured using some integrity measurement hash values and the final result of the accumulated hash values is stored inside the TPM in an area called PCR (Platform Configuration Registers). An entity that needs to verify if the platform is in a certain configuration will require the TPM to sign the content of the PCR using its AIK (Attestation Identity Key) that is generated specifically for this purpose. Then, the verifier checks the signature, compares the PCR values with some reference values to verify that the platform is indeed in a desired state, and verifies the trustworthiness of the AIK’s signature through the certificate Cert_AIK. Note that Cert_AIK doesn’t prove the identity of the TPM owner, but only the identity of the TPM device. [17]

As shown in Figure 1, the TNC architecture based on trusted computing technologies establishes connections from the viewpoint of the integrity of the terminals in which there are three types of entities: AR (access requestor), PEP (policy enforcement point) and PDP (policy decision point). [18] The basic concept is that the platform’s configuration must be measured before access to the network can proceed and only those platforms whose configurations meet the security requirements of the network are allowed to access the network.
Thus, a terminal with potential threat cannot access the network directly. Moreover, the terminal can verify the security of the AP with which it is associated and will only connect to the network when it satisfies its own security requirements. TNC is an active pre-alerted mutual network access measure.

Figure 1. The TNC Architecture (labels: Access Requestor, Policy Enforcement Point, Policy Decision Point; Integrity Measurement Layer, Integrity Estimate Layer, Network Access Layer; Integrity Measurement Controller, Integrity Measurement Verifier, TNC Client, TNC Server, Network Access Requestor, Network Access Authority; interfaces IF-M, IF-TNCCS, IF-T)

IV. HANDOFF MODEL IN HIERARCHICAL WMNs

Figure 2 shows a zone-based hierarchical network model for hybrid WMNs, where dashed and solid lines indicate wireless and wired links, respectively. [19] The whole network consists of one backbone network, one or more local area networks called zones and some scattered wired or wireless terminals. In the backbone network, the mesh routers form a mesh infrastructure with self-configuring, self-healing and self-organizing links among which there are at least two backbone routers connected to the Internet. All backbone routers share a single database that stores authorized certificates (not explicitly shown in the figure). There is an offline CA (Certificate Authority) supported by an ISP (Internet Service Provider) or a network carrier. The CA connects to the network only when it is notified of the introduction of a new terminal user, a new zone router or a new backbone router. The backbone network can be built using various types of radio technologies including the IEEE 802.11 technologies.

Zones are connected to the backbone network through border mesh routers called gateways, which enables the integration of existing wireless networks such as multi-hop networks, Wi-Fi networks, sensor networks and cellular networks. In each zone, there is at least one mobile node called AP (Access Point) that is connected to the backbone. APs can be MAPs (Mesh Access Point) in multi-hop networks and microwave towers in cellular networks which may use different radio technologies. It is therefore required that the backbone border routers support various radio technologies. There is also a database in each zone that stores user information like user ID, zone ID, authorized key, etc. Terminal nodes can roam from one zone to another or hand off from one AP to another in the same or different zones.

Figure 2. The Network Model (labels: Internet, Mesh Routers, Offline CA, Wired Terminals, Wireless Terminals, Multi-hop Networks, Wi-Fi Networks, Cellular Networks, Sensor Networks)


Conventional terminals with an Ethernet interface can be connected to mesh routers via Ethernet links, whether wired or wireless. For conventional terminals with the same radio technologies as mesh routers, they can directly communicate with the mesh routers. If a different radio technology is used, a terminal must communicate with the AP of a zone that has Ethernet connections to the mesh routers. Especially, mesh terminals can access the network through mesh routers or directly meshing with other mesh terminals in multi-hop networks whose routing capabilities can provide improved connectivity and coverage. When a user wants to access a trusted WMN, the network administrator needs to measure its platform configuration information and compare the measured value with some reference values of the network to verify its security under the current network security policies. [20] Figure 3 shows that an MT (Mobile Terminal) first connects to the OAP (Old Access Point) at point A and moves along route A→B→C. When it moves to point B, it needs to handoff from the OAP to the NAP (New Access Point) since it is about to get out of the radio coverage of the OAP. After successful trusted authentication, the terminal will connect to the NAP at point C. According to the framework of the network model shown in Figure 2, both the OAP and the NAP are connected to the backbone network while the terminal completes handoff from the old zone network to the new one. It is assumed that a predefined security association and a secure connection already exist between the OAP and the NAP, i.e., they can get each other’s public-key certificate securely. [21,22]

Figure 3. The Handoff Model (labels: Backbone, Old AP, New AP, points A, B and C)

V. TRUST EVALUATION

Integrity measurement is a basic mechanism for the establishment of the trust of a system. The basic concept is that any entity that wants to gain control must be measured in terms of trust and validated in terms of integrity, which includes hardware, operating system, shared libraries, configuration documents, etc. From the power supply to the platform to the establishment of the operation environment, all the applications loaded as well as related data must be measured and validated. The standards of TCG (Trusted Computing Group) specify in detail a series of trust measurements for the starting process of the operating system that can be easily implemented in a defined sequence. But the integrity of running software or applications has not been specified by TCG and can thus be different from one system to another. [23]

The trust evaluation of states relies mostly on the current integrity message and trust measurement collected by the trusted group administrator. In this paper, we define three ranks of trust: extremely trusted, critically trusted and untrusted. Suppose $X = \{x_1, x_2, \ldots, x_n\}$ is a trusted group, $x$ is one entity in $X$, and $S: x \to [0,1]$ is the trust evaluation function of the entity $x$. Then,

1) $x$ is untrusted if $S(x)$ lies between 0 and $E_0$;
2) $x$ is critically trusted if $S(x)$ lies between $E_0$ and $E_1$;
3) $x$ is extremely trusted if $S(x)$ lies between $E_1$ and $E_2$,

where $E_0$, $E_1$, $E_2$ are thresholds predefined by the administrator that lie between 0 and 1 in ascending order.


5.1 Trust Evaluation of the Starting States


Suppose BAC  { ,  ,  ,[1].........[n]} is the basic value of the user’s trust measurement in which  ,  and  are the measured hash values of the BIOS, the OS (Operation System) Loader and the OS Kernel, respectively, and [1].........[n] are the measure hash values of the extended security applications. Also, suppose P  { ',  ',  ',[1]'.........[n]'} is the measured value expected and stored by the administrator. The administrator will then compute the result R  (   ')  (   ')  (   ') . If R  0 , the user


n

is totally untrusted and not allowed to access the network. Otherwise, define S ( x)  [i]  [i]' and


i 1

determine x ’s trust degree following the rules described above.


5.2 Trust Evaluation of the Runtime States

It is infeasible to collect all the integrity messages at runtime. So, a parameter T is defined by the administrator to set the cycle time for trust measurement and evaluation of the runtime states. In addition, the current trust evaluation always takes the previous trust evaluations into consideration. Therefore, we use grey relevance analysis [24] to relate $S: x \to [0,1]$ to former trust measurements.

Suppose there are $n$ applications $A_1, A_2, \ldots, A_n$ running in member $x$ and the trust measurements in cycle $k$ for all the applications are denoted as $P(k) = \{A_1(k), A_2(k), \ldots, A_n(k)\}$. The collected integrity measurement for all the $m$ cycles is defined as:

$$
P = \begin{pmatrix} P(1) \\ P(2) \\ \vdots \\ P(m) \end{pmatrix}
  = \begin{pmatrix}
      A_1(1) & A_2(1) & \cdots & A_n(1) \\
      A_1(2) & A_2(2) & \cdots & A_n(2) \\
      \vdots & \vdots & \ddots & \vdots \\
      A_1(m) & A_2(m) & \cdots & A_n(m)
    \end{pmatrix}
$$

where every $A_i(j)$ lies between 0 and 1. The optimal reference data is set as $P(0) = \{1, 1, \ldots, 1\}$, which is the highest trust in the design and should never be reached in theory. Then, the correlation coefficient between application $A_i$ in each cycle $k$ and the optimal data is calculated as:

min i min k | A0 (k )  Ai (k ) |    max i max k | A0 (k )  Ai (k ) | | A0 (k )  Ai (k ) |    max i max k | A0 (k )  Ai (k ) | where  is the relative parameter which is usually assigned with value 0.5 without specific orientation. The trust evaluation function then becomes:

i ( k ) 

n

S ( x) 

m

  (k ) i 1 k 1

i

. im Furthermore, if each application has a different weigh Wi that is determined by the administrator, then:

n

S ( x) 

m

 (W   (k )) i 1 k 1

i

i


. im Lastly, the administrator can determine whether member x ’s current state can be trusted using the value S ( x) and the thresholds E0 , E1 , E2 .


5.3 Trust Evaluation in Handoff


Regarding handoff in WMNs, a terminal wants to access a new zone network by connecting to a new AP. Since the thresholds E0, E1, E2 defined in the old zone may be different from the thresholds E0, E1, E2 defined in the new zone, some strategy may be used by an ISP or network carrier to handle the difference. A few such strategies are listed below:

1) Maximum Compatibility Strategy: each new threshold is the maximum of the corresponding thresholds of the old and the new zone, i.e., the new E0 is the max of the two E0 values, the new E1 is the max of the two E1 values and the new E2 is the max of the two E2 values, where max(x, y) is the larger of x and y.
2) Minimum Compatibility Strategy: each new threshold is the minimum of the corresponding thresholds of the old and the new zone, i.e., the new E0 is the min of the two E0 values, the new E1 is the min of the two E1 values and the new E2 is the min of the two E2 values, where min(x, y) is the smaller of x and y.
3) Customization Strategy: the new thresholds E0, E1 and E2 are computed as f, g and h, respectively, of the six thresholds of the old and the new zone, where f, g, h are custom functions.
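The runtime evaluation of Section 5.2 and the threshold strategies above can be exercised together as follows. This is an added example, not the authors' code. Because the extracted formulas are incomplete, it assumes the standard grey relational coefficient with parameter 0.5, normalisation by n·m, half-open rank intervals, a single custom callable in place of f, g, h, and hypothetical names (`trust_score`, `negotiate`, `rank`, `HISTORY`, `OLD_ZONE`, `NEW_ZONE`).

```python
"""Grey-relational trust scoring and threshold negotiation (added example)."""
from typing import Callable, List, Optional, Sequence, Tuple

Thresholds = Tuple[float, float, float]  # (E0, E1, E2)

# Constructed sample data: m = 2 cycles (rows) of n = 2 applications (columns).
HISTORY = [[0.9, 0.5],
           [0.8, 0.6]]
OLD_ZONE: Thresholds = (0.3, 0.6, 0.95)  # constructed thresholds of the old zone
NEW_ZONE: Thresholds = (0.4, 0.7, 0.90)  # constructed thresholds of the new zone


def grey_coefficients(P: Sequence[Sequence[float]], rho: float = 0.5) -> List[List[float]]:
    """Coefficient of each A_i(k) against the optimal reference P(0) = {1, ..., 1}.

    Assumed form (standard grey relational analysis):
    (d_min + rho * d_max) / (|1 - A_i(k)| + rho * d_max).
    """
    deltas = [[abs(1.0 - a) for a in row] for row in P]
    flat = [d for row in deltas for d in row]
    d_min, d_max = min(flat), max(flat)
    if d_max == 0.0:  # every measurement equals the reference: avoid 0/0
        return [[1.0] * len(row) for row in deltas]
    return [[(d_min + rho * d_max) / (d + rho * d_max) for d in row] for row in deltas]


def trust_score(P: Sequence[Sequence[float]],
                weights: Optional[Sequence[float]] = None,
                rho: float = 0.5) -> float:
    """S(x): (optionally weighted) mean of all coefficients over m cycles, n applications."""
    if not P or not P[0]:
        raise ValueError("need at least one cycle and one application")
    m, n = len(P), len(P[0])
    if any(len(row) != n for row in P):
        raise ValueError("every cycle must measure the same n applications")
    if any(not 0.0 <= a <= 1.0 for row in P for a in row):
        raise ValueError("measurements must lie in [0, 1]")
    w = list(weights) if weights is not None else [1.0] * n
    if len(w) != n:
        raise ValueError("one weight per application")
    xi = grey_coefficients(P, rho)
    # Assumption: administrator weights average to 1, so S(x) stays within [0, 1].
    return sum(w[i] * xi[k][i] for k in range(m) for i in range(n)) / (n * m)


def negotiate(old: Thresholds, new: Thresholds, strategy: str = "max",
              custom: Optional[Callable[[Thresholds, Thresholds], Thresholds]] = None
              ) -> Thresholds:
    """Combine the thresholds of the old and new zone into the ones used for handoff."""
    if strategy == "max":   # Maximum Compatibility Strategy
        return tuple(max(o, n) for o, n in zip(old, new))
    if strategy == "min":   # Minimum Compatibility Strategy
        return tuple(min(o, n) for o, n in zip(old, new))
    if strategy == "custom" and custom is not None:  # Customization Strategy
        return custom(old, new)
    raise ValueError("unknown strategy")


def rank(score: float, thresholds: Thresholds) -> str:
    """Map S(x) to one of the three ranks (interval boundaries are an assumption)."""
    e0, e1, e2 = thresholds
    if not 0.0 <= e0 <= e1 <= e2 <= 1.0:
        raise ValueError("thresholds must be ordered within [0, 1]")
    if score < e0:
        return "untrusted"
    if score < e1:
        return "critically trusted"
    return "extremely trusted"


if __name__ == "__main__":
    s = trust_score(HISTORY)
    for name in ("max", "min"):
        agreed = negotiate(OLD_ZONE, NEW_ZONE, name)
        print(f"S(x)={s:.4f} strategy={name} thresholds={agreed} -> {rank(s, agreed)}")
```

With the constructed data the same terminal is critically trusted under the maximum strategy and extremely trusted under the minimum strategy. The coefficient is relative to the smallest and largest deviation in the collected data, so a history whose entries are all equal scores 1.0 whatever their level; checking the raw A_i(k) values against an absolute minimum alongside S(x) covers that case.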

After the thresholds E0, E1, E2 are negotiated between the old and the new APs, trust evaluation of the starting states and the runtime states can be carried out.

1) If the result is untrusted, the terminal is denied access to the network.
2) If the result is critically trusted, the terminal will be allowed to access only an isolated region with limited capability, while the terminal could ask for a trust repair. With a repair, the trust degree may increase to extremely trusted and access to the network can be authorized accordingly.
3) If the result is extremely trusted, the terminal can access the network.

VI. THE AUTHENTICATION PROTOCOL FOR TRUSTED HANDOFF

Based on the TPM hardware and the TNC architecture, we propose an access authentication protocol for trusted handoff in WMNs in which several technologies are used, e.g., hierarchical topology, ECC public key cryptography, verifiable secret sharing, three-party key agreement, etc.

6.1 ECC

We adopt ECC-based key pair generation and key agreement in this paper because ECC offers the same level of security with smaller key sizes and faster computation speed compared to other schemes such as RSA. All cryptography is built on a suitably chosen elliptic curve $E$ defined over a finite field $F_q$ of characteristic $p$ as well as a base point $P \in E(F_q)$. The ECDLP (Elliptic Curve Discrete Logarithm Problem) on $E(F_q)$ is to find an integer $m$ that satisfies $Q = mP$ while $P$ and $Q$ are given. This is shown to be an NP-hard intractability problem. As described in [25], some domain parameters are defined as follows:

1) A field size $q$, where $q$ is a prime power (in practice, either $q = p$, an odd prime, or $q = 2^m$).
2) An indication FR (field representation) of the representation used for the elements of $F_q$.
3) Two field elements $a$ and $b$ in $F_q$ which define the equation of the elliptic curve $E$ over $F_q$ (e.g., $y^2 = x^3 + ax + b$ in the case $p > 3$, and $y^2 + xy = x^3 + ax^2 + b$ in the case $p = 2$).
4) A finite point $P = (x_P, y_P)$ of prime order in $E(F_q)$ with $P \neq O$, where $O$ denotes the point at infinity.
5) The order $n$ of the point $P$ with $nP = O$ and $n > 2^{160}$ as commonly recommended.
6) The cofactor $h = \#E(F_q)/n$, where $\#E(F_q)$ denotes the number of $F_q$-rational points on $E$.

Given a valid set of domain parameters $(q, FR, a, b, P, n, h)$, an entity A’s private key is an integer selected at random from $[1, n-1]$ while its public key is the point $W_A$ obtained by multiplying $P$ by that private key. A’s public-key certificate, represented as $CERT_A$, contains a string of information that uniquely identifies A, its public key $W_A$, the domain parameters if these are not known from the context and a certifying authority CA’s signature over this information. Any other entity B can use its authentic copy of the CA’s public key obtained a priori to verify A’s certificate, thereby obtaining an authentic copy of A’s public key. In the protocol proposed in this paper, all entities should acquire an authorized certificate from the offline CA before accessing the network.

Two entities A and B can complete key agreement as follows:

1) A selects $x \in_R [1, n-1]$, computes point $R_A = xP$ and sends $R_A$ to B.
2) B selects $y \in_R [1, n-1]$, computes point $R_B = yP$ and sends $R_B$ to A.

The session key is then the point $K_S = yR_A = xR_B = xyP$.

6.2 Terms and Notations

MA

Table 1 lists some terms and notations used in this paper. Note that Cert AIK proves the identity of the TPM device while CERTi proves the identity of the user, and Cert AIK  CERTi . Table 1. Terms and Notations A random integer generated by i . The random integers selected by MT and NAP to accomplish key agreement. The authentication message to verify i 's platform.

D

Ni x, y

TE

plat _ verti Cert AIK ,i ,

PCRi , SMLi

{m}k CERTi , i ,Wi

Sigi (m)

Certificate and key pair of i issued by the offline CA. Digital signature on message m using i ’s private key i . The session keys shared between MT and OAP and between MT and NAP. The history set of MT’s trust, as described in Section 5.2.

AC

kold , knew HMT

The AIK certificate of i ’s TPM with the private and public key pair ( prii , pubi ) which is issued by the TPM’s producer. PCR and SML (Storage Measure Logs), the integrity verification message of i ’s TPM. Message m encrypted with key k .

CE P

prii , pubi

6.3 The Access Authentication Protocol

The proposed protocol is depicted in Figure 4 in which the following eight steps are needed for completing the authentication:

1) MT sends a Request Handoff message to OAP, which includes information about NAP.

2) After receiving a handoff request, OAP generates a random integer $N_{OAP}$ and sends it to MT in reply.

3) MT constructs $msg_{MT} = N_{OAP}, N_{MT}, xP, \{plat\_vert_{MT}\}_{k_{old}}$ and its digital signature $Sig_{MT}(msg_{MT})$, then sends them to OAP. In this step, $N_{MT}$ is a random integer generated by MT, $x$ is a random integer and should be kept secret by MT, $xP$ is used to accomplish key agreement, where $P$ is the selected base point of $E(F_q)$, $plat\_vert_{MT} = SML_{MT}, \{N_{MT}, N_{OAP}, PCR_{MT}\}_{pri_{AIK,MT}}, Cert_{AIK,MT}$ where $SML_{MT}$, $PCR_{MT}$ and $Cert_{AIK,MT}$ are used to ensure MT’s platform authentication and integrity verification, $k_{old}$ is the current session key between MT and OAP, and $Sig_{MT}(msg_{MT})$ is MT’s digital signature on the message $msg_{MT}$ with its private key and is used to authenticate the user’s identity of MT.

4) After receiving the message, OAP can decrypt $\{plat\_vert_{MT}\}_{k_{old}}$ with the old session key $k_{old}$ to get $plat\_vert_{MT}$. It then combines MT’s current trust $plat\_vert_{MT}$, MT’s history trusts $H_{MT}$ and MT’s public certificate $CERT_{MT}$, and then encrypts them with the new AP’s public key $W_{NAP}$. Finally, OAP constructs $msg_{OAP} = msg_{MT}, Sig_{MT}(msg_{MT}), \{plat\_vert_{MT}, H_{MT}, CERT_{MT}\}_{W_{NAP}}$ and its digital signature $Sig_{OAP}(msg_{OAP})$, and then sends them to NAP.

5) After receiving the message, NAP verifies both MT’s identity and platform to ensure that MT is valid under the network’s current security policy. NAP can check OAP’s signature to authenticate OAP’s identity and the message’s integrity. NAP then decrypts $\{plat\_vert_{MT}, H_{MT}, CERT_{MT}\}_{W_{NAP}}$ with its private key. NAP will verify $Cert_{AIK,MT}$ inside $plat\_vert_{MT}$ and decrypt $\{N_{MT}, N_{OAP}, PCR_{MT}\}_{pri_{AIK,MT}}$ to get $PCR_{MT}$. It can then calculate the trust degree $S(x)$ and compare $S(x)$ with the reference values of the current network to evaluate the trust of MT’s platform. NAP gets $CERT_{MT}$, which contains MT’s public key $W_{MT}$, and verifies $Sig_{MT}(msg_{MT})$ to authenticate MT’s user identity. Only when both verifications are successful will NAP allow MT to connect to the new network. NAP constructs $msg_{NAP} = N_{OAP}, N_{MT}, N_{NAP}, yP, \{plat\_vert_{NAP}, CERT_{NAP}\}_{W_{MT}}$ and its digital signature $Sig_{NAP}(msg_{NAP})$ and then sends them to OAP. NAP can calculate the new session key between it and MT as $k_{new} = y(xP) = xyP$.

6) OAP encrypts the received message with $k_{old}$ and forwards it to MT.

7) After receiving the message, MT decrypts $\{msg_{NAP}, Sig_{NAP}(msg_{NAP})\}_{k_{old}}$ with the old session key $k_{old}$ to get $msg_{NAP}$. It will do the same verification as NAP did. If successful, MT will get the session key through $k_{new} = x(yP) = xyP$. Then it will encrypt the random integer set $\{N_{OAP}, N_{MT}, N_{NAP}\}$ with the new session key $k_{new}$ and send it to OAP.

8) OAP can check the validity of $\{N_{OAP}, N_{MT}, N_{NAP}\}_{k_{new}}$ and allow MT to bind if it is valid.

Figure 4. Message Flows in the Protocol (participants: MT, OAP, NAP; messages in order):

- Request Handoff
- $N_{OAP}$
- $N_{OAP}, N_{MT}, xP, \{plat\_vert_{MT}\}_{k_{old}}, Sig_{MT}(msg_{MT})$
- $msg_{MT}, Sig_{MT}(msg_{MT}), \{plat\_vert_{MT}, H_{MT}, CERT_{MT}\}_{W_{NAP}}, Sig_{OAP}(msg_{OAP})$
- $N_{OAP}, N_{MT}, N_{NAP}, yP, \{plat\_vert_{NAP}, CERT_{NAP}\}_{W_{MT}}, Sig_{NAP}(msg_{NAP})$
- $\{msg_{NAP}, Sig_{NAP}(msg_{NAP})\}_{k_{old}}$
- $\{N_{OAP}, N_{MT}, N_{NAP}\}_{k_{new}}$
- bound
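The key agreement of Section 6.1 as it is used in steps 3, 5 and 7, followed by the nonce confirmation of steps 7 and 8, can be run as follows. This is an added example, not the authors' code: the curve (secp256k1), the SHA-256 derivation of k_new from the shared point, the HMAC tag that stands in for the encryption of {N_OAP, N_MT, N_NAP} under k_new, and all function names are assumptions. The signatures and the platform attestation that authenticate xP and yP in the protocol are left out.

```python
"""ECDH with peer-point validation and nonce confirmation (added example)."""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters, chosen for this example only (the paper names no curve).
Q = 2**256 - 2**32 - 977             # field size q
A, B = 0, 7                          # curve y^2 = x^3 + ax + b
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def on_curve(pt):
    """True for a finite point with coordinates in [0, q) that satisfies the curve equation."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < Q and 0 <= y < Q and (y * y - (x * x * x + A * x + B)) % Q == 0


def add(p1, p2):
    """Affine point addition; None represents the point at infinity O."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % Q == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % Q, -1, Q) % Q
    else:
        lam = (y2 - y1) * pow((x2 - x1) % Q, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; use a vetted library in production)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def make_share():
    """Select a secret in [1, n-1] and return (secret, secret * P), e.g. (x, xP)."""
    secret = secrets.randbelow(N - 1) + 1
    return secret, mul(secret, P)


def session_key(secret, peer_point):
    """Derive k_new from secret * peer_point after validating the received point."""
    # The cofactor of this curve is 1, so the on-curve check also proves subgroup membership.
    if not on_curve(peer_point):
        raise ValueError("received point is not a valid curve point")
    shared = mul(secret, peer_point)
    if shared is None:
        raise ValueError("shared point is the point at infinity")
    return hashlib.sha256(shared[0].to_bytes(32, "big")).digest()


def fresh_nonce():
    """A 16-byte random value playing the role of N_OAP, N_MT or N_NAP."""
    return secrets.token_bytes(16)


def confirm_tag(k_new, n_oap, n_mt, n_nap):
    """Key confirmation over the three nonces (HMAC stands in for encryption under k_new)."""
    if any(len(n) != 16 for n in (n_oap, n_mt, n_nap)):
        raise ValueError("nonces must be 16 bytes so the concatenation is unambiguous")
    return hmac.new(k_new, b"handoff-confirm" + n_oap + n_mt + n_nap, hashlib.sha256).digest()


def check_confirmation(k_new, n_oap, n_mt, n_nap, tag):
    """Accept only a tag made with the same key over the nonces of this handoff run."""
    return hmac.compare_digest(confirm_tag(k_new, n_oap, n_mt, n_nap), tag)


if __name__ == "__main__":
    x, xP = make_share()                     # MT, step 3
    y, yP = make_share()                     # NAP, step 5
    k_nap, k_mt = session_key(y, xP), session_key(x, yP)
    nonces = [fresh_nonce() for _ in range(3)]
    tag = confirm_tag(k_mt, *nonces)         # MT, step 7
    print("keys match:", k_nap == k_mt)
    print("confirmation accepted:", check_confirmation(k_nap, *nonces, tag))
```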

VII. FORMAL ANALYSIS

Formal analysis is currently the most effective way to analyze security protocols, among which the strand space model [26] is one of the most effective formal analysis methods. The strand space model is an analyzing model of security protocols based on the Dolev-Yao model [27], built on graph theory and partial ordering, and can be used to analyze complicated protocols because of its excellent expansibility. In this section, we formally analyze our proposed protocol with an extended strand space model.

7.1 The Enhanced Strand Model

SC R

IP

T

In the original strand space model, message terms only include atomic terms, encrypted terms and joined terms. Since there are two new operations, i.e., the signature and the ECC operations in our protocol, we will add some new data collections into the model [28].

Definition 1. $M$ is a collection of message terms. Term $t$ is an element of $M$ if it is an element of collection $T$ of plaintexts or collection $K$ of key symbols. Complex terms of $M$ can be constructed using the following four operations:
1) Encryption operation, expressed as $\{M\}_K : M \times K \to M$.
2) Join operation, expressed as $M_1 M_2 : M \times M \to M$.
3) Signature operation, expressed as $[M]_K : M \times K \to M$.
4) ECC operation, expressed as $tP : K \times T \to K$.

Definition 2. A subterm relation $\sqsubset$ is defined as follows, where $A$ and $N$ are terms:
1) $A \sqsubset A$.
2) $\forall k \in K$, if $A \sqsubset N$, then $A \sqsubset \{N\}_k$; especially, $k \sqsubset \{N\}_k$ only if $k \sqsubset N$.
3) $\forall N_1 \in M$, if $A \sqsubset N$, then $A \sqsubset N N_1$ and $A \sqsubset N_1 N$.
4) $\forall k \in K$, if $A \sqsubset N$, then $A \sqsubset [N]_k$; especially, $k \sqsubset [N]_k$ only if $k \sqsubset N$.
5) If $x \in T$ and $x \sqsubset N$, then $xP \sqsubset N$, but not vice versa; especially, $x \sqsubset xP$ is disproved, which results from the NP-hard intractability of ECDLP.

We can deduce that $\sqsubset$ is a partially ordered relation and that if $K \neq K_1$ and $\{h\}_K \sqsubset \{h_1\}_{K_1}$, then $\{h\}_K \sqsubset h_1$.

Definition 3. If $M$ is a message term, then $+M$ is an event that means sending message $M$ while $-M$ is an event that means receiving message $M$. If $E_i = \pm M$, then $un\_term(E_i) = M$. The strand is an array of events and a strand space graph is a set $\Sigma$ and traces in $\Sigma$: $\Sigma \to (\pm A)^*$. Node $n$ on trace $s$ is labeled as $\langle s, i \rangle$ and the number of nodes on $s$ is labeled as $height(s)$. Term $t$ originates on node $n$ if and only if $sign(n) = +$ and $t \sqsubset term(n)$. If $n'$ is a preorder node on the trace, i.e., $n'$ precedes $n$, then $t \not\sqsubset term(n')$.

Definition 4. In addition to the original eight attack strands, M-strand, F-strand, Tee-strand, C-strand, S-strand, K-strand, E-strand and D-strand, we add two new attack strands:
1) Sig-strand: $\langle -k, -h, +[h]_k \rangle$, $k \in K$, $h \in M$.
2) ECC-strand: $\langle -x, -yP, +xyP \rangle$.

Definition 5. K-ideal of collection $M$ is a collection, expressed as $I_K[h] \subseteq M$, that satisfies the following requirements:
1) $\forall h \in I$, $g \in M$, then $gh \in I$ and $hg \in I$.
2) $\forall h \in I$, $k \in K$, then $\{h\}_k \in I$.
3) $\forall h \in I$, $k \in K$, then $[h]_k \in I$.

Node $n$ is the entry point of $I$ if and only if $sign(n) = +$, $term(n) \in I$. If $n'$ is a preorder node on the trace, i.e., $n'$ precedes $n$, then $term(n') \notin I$.

7.2 The Strand Graph

Omitting the information that has nothing to do with security in the protocol, the strand space of our protocol as depicted in Figure 5 can be expressed as a Strand Graph $\Sigma$. Labeled as $p_i$ in the graph, $plat\_vert_i$ is computed in the TPM’s protected functionality and cannot be tampered with or faked. The private and public key pair of participant $i$, whose public key is $W_i$, is labeled as $(k_i^{-1}, k_i)$ while the new and the old session key are labeled as $k_S$ and $k_O$, respectively. Let $T_{names}$ denote the collection of names and $K_P$ the collection of keys that an attacker has already obtained, then $\forall X \in T_{names}$, public keys $k_X \in K_P$ and the corresponding private keys $k_X^{-1} \in K \setminus K_P$.

1) $M_1 = N_{OAP}$.
2) $M_2 = N_{OAP} N_{MT} (xP) \{p_{MT}\}_{k_O} [N_{OAP} N_{MT} (xP) \{p_{MT}\}_{k_O}]_{k_{MT}^{-1}}$.
3) $M_3 = N_{OAP} N_{MT} (xP) \{p_{MT}\}_{k_O} [N_{OAP} N_{MT} (xP) \{p_{MT}\}_{k_O}]_{k_{MT}^{-1}} \{p_{MT} H_{MT} k_{MT}\}_{k_{NAP}} [N_{OAP} N_{MT} (xP) \{p_{MT}\}_{k_O} [N_{OAP} N_{MT} (xP) \{p_{MT}\}_{k_O}]_{k_{MT}^{-1}} \{p_{MT} H_{MT} k_{MT}\}_{k_{NAP}}]_{k_{OAP}^{-1}}$.
4) $M_4 = N_{OAP} N_{MT} N_{NAP} (yP) \{p_{NAP} k_{NAP}\}_{k_{MT}} [N_{OAP} N_{MT} N_{NAP} (yP) \{p_{NAP} k_{NAP}\}_{k_{MT}}]_{k_{NAP}^{-1}}$.
5) $M_5 = \{N_{OAP} N_{MT} N_{NAP} (yP) \{p_{NAP} k_{NAP}\}_{k_{MT}} [N_{OAP} N_{MT} N_{NAP} (yP) \{p_{NAP} k_{NAP}\}_{k_{MT}}]_{k_{NAP}^{-1}}\}_{k_O}$.
6) $M_6 = \{N_{OAP} N_{MT} N_{NAP}\}_{k_S}$.

There are therefore three regular strands in the protocol:
1) $Init[N, N', N'', p, p', k_S]$ is the set of strands $s \in \Sigma$ whose trace is $\langle -M_1, +M_2, -M_5, +M_6 \rangle$.
2) $Mid[N, N', N'', p, p', k_S]$ is the set of strands $s \in \Sigma$ whose trace is $\langle +M_1, -M_2, +M_3, -M_4, +M_5 \rangle$.
3) $Resp[N, N', N'', p, p', k_S]$ is the set of strands $s \in \Sigma$ whose trace is $\langle -M_3, +M_4, -M_6 \rangle$.

Obviously, they are pairwise disjoint.

[Figure 5: strand graph showing the three strands NAP, OAP and MT and the messages M1 to M6 exchanged between them.]

Figure 5. Strand Graph ∑

7.3 The Secrecy

Message $m$ is secret in the strand graph $G$ of a protocol if there is no strand $n$ which meets the following two conditions: $n \in G$ and $un\_term(n) = m$.

Theorem 1. Suppose $C$ is a bundle in $\Sigma$ and $k_S$ is uniquely originated. Let $S = \{k_{MT}^{-1}, k_{OAP}^{-1}, k_{NAP}^{-1}, k_O, k_S\}$ and $K^* = K \setminus S$. For every node $n \in C$, $term(n) \notin I_{K^*}[k_S]$.

Proof. According to the theory of K-ideal, we just need to prove that no regular node $n$ is an entry point of $I_{K^*}[S]$, which we will argue by contradiction. Assume $n$ is a regular node which is an entry point of $I_{K^*}[S]$. Then one of the keys $k_{MT}^{-1}, k_{OAP}^{-1}, k_{NAP}^{-1}, k_O, k_S$ is a subterm of $term(n)$. Since there is no regular node that contains $k_{MT}^{-1}, k_{OAP}^{-1}, k_{NAP}^{-1}, k_O$ as a subterm, $k_S$ must be a subterm of $term(n)$. $k_S = xyP$ doesn’t appear in any message term, but it can be gained through the following ECC operations: $x(yP)$, $y(xP)$ and $(xy)P$. The form in which term $x$ appears in all message terms is $xP$, so $x \sqsubset term(n)$ if and only if $x \sqsubset xP$. But in our extended strand model, $x \sqsubset xP$ is disproved due to the NP-hard intractability of ECDLP. So $x \sqsubset term(n)$ is disproved and none of $x$, $y$, $xy$ is a subterm of $term(n)$. So, the operations listed above cannot be carried out in $\Sigma$, that is, $k_S$ is not a subterm of $term(n)$. Therefore, no regular node $n$ can be an entry point of $I_{K^*}[S]$. That is, for every node $n \in C$, $term(n) \notin I_{K^*}[k_S]$.
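Definition 2 and the secrecy argument of Theorem 1, mechanized as an added example (not code from the paper): the subterm relation is evaluated over M1 to M6 of Section 7.2 to confirm that none of the private keys, session keys or key genes occurs as a subterm. The tuple encoding of terms and the function names are assumptions of this example.

```python
# Term constructors (encoding is an assumption of this example).
def enc(body, key):
    return ("enc", body, key)      # {body}_key

def sig(body, key):
    return ("sig", body, key)      # [body]_key

def cat(*parts):
    return ("cat",) + parts        # join of terms

def ecc(scalar):
    return ("ecc", scalar)         # scalar * P

def subterm(a, t):
    """Definition 2: is term a a subterm of term t?"""
    if a == t:                                   # rule 1
        return True
    if isinstance(t, tuple):
        if t[0] in ("enc", "sig"):               # rules 2 and 4: the key position
            return subterm(a, t[1])              # is never searched
        if t[0] == "cat":                        # rule 3
            return any(subterm(a, part) for part in t[1:])
        # rule 5: an ECC term is opaque, so x is not a subterm of xP
    return False

def protocol_messages():
    """M1..M6 as listed in Section 7.2."""
    xP, yP = ecc("x"), ecc("y")
    body2 = cat("N_OAP", "N_MT", xP, enc("p_MT", "k_O"))
    m1 = "N_OAP"
    m2 = cat(body2, sig(body2, "k_MT^-1"))
    body3 = cat(m2, enc(cat("p_MT", "H_MT", "k_MT"), "k_NAP"))
    m3 = cat(body3, sig(body3, "k_OAP^-1"))
    body4 = cat("N_OAP", "N_MT", "N_NAP", yP,
                enc(cat("p_NAP", "k_NAP"), "k_MT"))
    m4 = cat(body4, sig(body4, "k_NAP^-1"))
    m5 = enc(m4, "k_O")
    m6 = enc(cat("N_OAP", "N_MT", "N_NAP"), "k_S")
    return [m1, m2, m3, m4, m5, m6]

# The set S of Theorem 1 plus the key genes x and y.
SECRETS = ("k_MT^-1", "k_OAP^-1", "k_NAP^-1", "k_O", "k_S", "x", "y")

def leaks(messages, secrets=SECRETS):
    """(secret, message number) pairs where a secret occurs as a subterm."""
    return [(s, i) for i, m in enumerate(messages, 1)
            for s in secrets if subterm(s, m)]
```

Running `leaks(protocol_messages())` returns an empty list, while a constructed message that joins the key gene in the clear, `cat("N_MT", "x")`, is reported.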

7.4 The Authentication

A protocol guarantees agreement to a participant B as the responder for certain data items $d$ if each time participant B completes a run of the protocol as the responder using $d$, which to B appears to be a run with A, then there is a unique run of the protocol with a principal A as the initiator using $d$, which to A appears to be a run with B.

Lemma 1. Suppose $C$ is a bundle in $\Sigma$, $X \in T_{names}$ and $k_X^{-1} \in K \setminus K_P$, then no term of the form $[g]_{k_X^{-1}}$ can originate on a penetrator node in $C$.

Proof: Let $S = \{k_X^{-1}\}$. First, it is obvious that there is no regular node that takes $k_X^{-1}$ as its subterm. So, $k_X^{-1}$ cannot originate on any regular node and no regular strand is an entry of $I_K[S]$. Suppose $[g]_{k_X^{-1}}$ originates on a penetrator strand $s$ in $\Sigma$. Obviously, $s$ cannot be M-strand, F-strand, Tee-strand, C-strand, S-strand, K-strand, E-strand, D-strand or ECC-strand. If $s$ is a Sig-strand, then $s = \langle -k, -h, +[h]_k \rangle$. From $[g]_{k_X^{-1}} \sqsubset [h]_k$ and $k \neq k_X^{-1}$, we can get $[g]_{k_X^{-1}} \sqsubset h$. Since $h$ doesn’t originate from $s$, there must be another strand $s' = \langle \ldots, h, \ldots \rangle$ that satisfies the condition that $s'$ precedes $s$, which means that $[g]_{k_X^{-1}}$ doesn’t originate from $s$ and it should originate on $s'$, which is clearly a contradiction. So, no term of the form $[g]_{k_X^{-1}}$ can originate on a penetrator node in $C$.

Lemma 2. Suppose $[H]_{k_X^{-1}}$ originates on a regular strand $s$.
1) If $s \in Init[N, N', N'', p, p', k_S]$, then $H = N_A N_B L L'$, where $N_A, N_B \in T_{names}$ and $L \in K$, $L' \in M$.
2) If $s \in Mid[N, N', N'', p, p', k_S]$, then $H = N_A N_B L L' L'' L'''$, where $N_A, N_B \in T_{names}$ and $L \in K$, $L' L'' L''' \in M$.
3) If $s \in Resp[N, N', N'', p, p', k_S]$, then $H = N_A N_B N_C L L'$, where $N_A, N_B, N_C \in T_{names}$ and $L \in K$, $L' \in M$.

Proof: $s$ needs to be of positive sign. If $s$ is an Init-strand, then $m = \langle s, 2 \rangle$ and $term(m) = N_A N_B (K) \{p_A\}_{k_B} [N_A N_B (K) \{p_A\}_{k_B}]_{k_A^{-1}}$. In this case, $H = N_A N_B L L'$. If $s$ is a Mid-strand, then $m = \langle s, 3 \rangle$ and $term(m) = N_A N_B (K) \{p_A\}_{k_O} [N_A N_B (K) \{p_A\}_{k_O}]_{k_A^{-1}} \{p_A H_A k_A\}_{k_C}$. In this case, $H = N_A N_B L L' L'' L'''$. If $s$ is a Resp-strand, then $m = \langle s, 2 \rangle$ and $term(m) = N_A N_B N_C (K) \{p_B\}_{k_A} [N_A N_B N_C (K) \{p_B\}_{k_A}]_{k_B^{-1}}$. In this case, $H = N_A N_B N_C L L'$.

Lemma 3. Suppose $s$ is a regular strand in $\Sigma$.
1) If $[N_A N_B L L']_{k_X^{-1}}$ originates on $s$, then $s \in Init[N, N', N'', p, p', k_S]$ and $N_{MT}$, $p_{MT}$ originate on $s$.
2) If $[N_A N_B N_C L L']_{k_X^{-1}}$ originates on $s$, then $s \in Resp[N, N', N'', p, p', k_S]$ and $N_{NAP}$, $p_{NAP}$ originate on $s$.

Proof: The results can be deduced from Lemma 2.

Theorem 2. (NAP’s Authentication) Suppose $C$ is a bundle in $\Sigma$, $N_{NAP}$, $p_{NAP}$ is uniquely originating in $C$ and $k_X^{-1} \in K \setminus K_P$. If $r \in Init[N, N', N'', p, p', k_S]$ has $C\text{-}height(r) = 3$, then there is a regular strand $s \in Resp[N, N', N'', p, p', k_S]$ and $C\text{-}height(s) = 2$.

Proof: The trace of $r$ is as follows:

$$r = \langle -M_1, +M_2, -M_5, +M_6 \rangle = \langle -N_{OAP},\ +N_{OAP} N_{MT} (xP) \{p_{MT}\}_{k_O} [N_{OAP} N_{MT} (xP) \{p_{MT}\}_{k_O}]_{k_{MT}^{-1}},\ -\{N_{OAP} N_{MT} N_{NAP} (yP) \{p_{NAP} k_{NAP}\}_{k_{MT}} [N_{OAP} N_{MT} N_{NAP} (yP) \{p_{NAP} k_{NAP}\}_{k_{MT}}]_{k_{NAP}^{-1}}\}_{k_O},\ +\{N_{OAP} N_{MT} N_{NAP}\}_{k_S} \rangle$$

and $term(\langle r, 3 \rangle) = \{N_{OAP} N_{MT} N_{NAP} (yP) \{p_{NAP} k_{NAP}\}_{k_{MT}} [N_{OAP} N_{MT} N_{NAP} (yP) \{p_{NAP} k_{NAP}\}_{k_{MT}}]_{k_{NAP}^{-1}}\}_{k_O}$.

From Lemma 1, $[N_{OAP} N_{MT} N_{NAP} (yP) \{p_{NAP} k_{NAP}\}_{k_{MT}}]_{k_{NAP}^{-1}}$ originates on a regular strand in $G$ and from Lemma 3, this strand is $s \in Resp[N, N', N'', p, p', k_S]$ and $C\text{-}height(s) = 2$.

Theorem 3. (MT’s Authentication) Suppose $C$ is a bundle in $\Sigma$, $N_{MT}$, $p_{MT}$ is uniquely originating in $C$ and $k_X^{-1} \in K \setminus K_P$. If $r \in Resp[N, N', N'', p, p', k_S]$ has $C\text{-}height(r) = 1$, then there is a regular strand $s \in Init[N, N', N'', p, p', k_S]$ and $C\text{-}height(s) = 2$.

Proof: The trace of $r$ is as follows:

$$r = \langle -M_3, +M_4, -M_6 \rangle = \langle -N_{OAP} N_{MT} (xP) \{p_{MT}\}_{k_O} [N_{OAP} N_{MT} (xP) \{p_{MT}\}_{k_O}]_{k_{MT}^{-1}} \{p_{MT} H_{MT} k_{MT}\}_{k_{NAP}} [N_{OAP} N_{MT} (xP) \{p_{MT}\}_{k_O} [N_{OAP} N_{MT} (xP) \{p_{MT}\}_{k_O}]_{k_{MT}^{-1}} \{p_{MT} H_{MT} k_{MT}\}_{k_{NAP}}]_{k_{OAP}^{-1}},\ +N_{OAP} N_{MT} N_{NAP} (yP) \{p_{NAP} k_{NAP}\}_{k_{MT}} [N_{OAP} N_{MT} N_{NAP} (yP) \{p_{NAP} k_{NAP}\}_{k_{MT}}]_{k_{NAP}^{-1}},\ -\{N_{OAP} N_{MT} N_{NAP}\}_{k_S} \rangle$$

and $term(\langle r, 1 \rangle) = N_{OAP} N_{MT} (xP) \{p_{MT}\}_{k_O} [N_{OAP} N_{MT} (xP) \{p_{MT}\}_{k_O}]_{k_{MT}^{-1}} \{p_{MT} H_{MT} k_{MT}\}_{k_{NAP}} [N_{OAP} N_{MT} (xP) \{p_{MT}\}_{k_O} [N_{OAP} N_{MT} (xP) \{p_{MT}\}_{k_O}]_{k_{MT}^{-1}} \{p_{MT} H_{MT} k_{MT}\}_{k_{NAP}}]_{k_{OAP}^{-1}}$.

From Lemma 1, $[N_{OAP} N_{MT} (xP) \{p_{MT}\}_{k_O}]_{k_{MT}^{-1}}$ originates on a regular strand in $G$ and from Lemma 3, this strand is $s \in Init[N, N', N'', p, p', k_S]$ and $C\text{-}height(s) = 2$.

VIII. PERFORMANCE ANALYSIS

8.1 Security Properties

Based on the description of our protocol as well as the analysis that we performed in the previous section, we can generally claim the following security properties for our protocol:
1) Only legitimate users operating on trusted terminals can connect to the network. Moreover, a user can only connect to those networks that have a higher security strategy.
2) The session key $k_{new}$ generated through an ECC key agreement is secure. According to the NP-hard intractability of the ECDLP operation, even with all the key materials, the final session key could not be constructed without the availability of the secret key gene.
3) The identity of MT is well protected and doesn’t appear in the communication.
4) Mutual authentication and platform verification exist between MT and NAP.
5) The secret key genes $(x, y)$ and $N$ can all be randomly generated by TPM, which prevents attacks such as man-in-the-middle attacks, replay attacks, impersonation attacks, etc.
6) Perfect Forward Secrecy (PFS) and Known Key Security (KKS) can be guaranteed by the randomly chosen secret key genes $(x, y)$ in each session.
7) There is No Key Compromise Impersonation (Non-KCI). If A’s private key is compromised, an attacker can only disguise as A rather than as any other participant, which can be guaranteed by the mutual authentication of all participants.

8.2 Experiment

We have performed some experiments using the simulation system OPNET 10.5A under Windows XP to compare our proposed protocol, which is labeled as NEW, to EMSA described in Section II. The simulation scenario is set as follows:
1) The network covers an area of 300m×300m.
2) Network delay is set at 1 microsecond.
3) Packet loss ratio is set at 10% in the network according to an average level.

In the experiment, we carried out 32 rounds of simulations in total, starting with one terminal node requesting handoff service and adding one additional terminal node in each subsequent round. Thus, in the last round of the simulation, 32 terminal nodes participate in requesting the handoff service. During the simulation, all participating terminal nodes start randomly within 0.5s. The total length of time for the simulation is 20s and three retries are allowed should authentication fail. In our simulation scenario, one modular multiplication takes about 3ms through the experiment.

We first compare the success ratio of authentication, which is defined as the number of MTs getting the handoff successfully divided by the total number of MTs requesting handoff. The results are shown in Figure 6, from which we can see that the success rate in our protocol (labeled as NEW) is better than that in EMSA since the number of interactions in our protocol is much less than that in EMSA, resulting in less radio conflict and hence a higher success ratio.

We then compare the average delay of authentication for all the MTs to get the handoff service, which is defined as the total amount of latency for completing handoff divided by the number of MTs that get handoff service successfully. The results are shown in Figure 7, from which we can see that the average delay in our protocol is much less than that in EMSA. Although the delay for calculation in our protocol is longer, the communication delay is much less, which results in a lower average delay.

IX. CONCLUSION

In this paper, we proposed a trusted handoff protocol based on several technologies such as the hierarchical network model, ECC, trust evaluation and grey relevance analysis. Our analysis and performance evaluation show that mobile terminal nodes can complete access authentication for handoff not only with a higher success rate and a shorter delay than a comparable scheme EMSA but also with the security protection of mobile nodes and the handoff network. The proposed protocol dictates that the mobile platform’s configuration is measured first before access to the handoff network can proceed and only those terminal nodes whose configuration meets the security requirements of the network can be allowed to access the network. We proved the security properties and evaluated the performance of the proposed protocol through formal analysis and experiment, respectively. The ultimate goal in the design of our protocol is to ensure that only a legitimate user operating on a trusted platform can get handed off to a new network in a secure manner. In the future, we will perform more analysis and optimization on the protocol to further improve the performance of our protocol in the aspects of delay, power consumption and computation overhead.

[Figure 6: plot of success rate against the amount of MT requesting for handoff, with one curve for NEW and one for EMSA.]

Figure 6. Success Rate of Handoff

[Figure 7: plot of average delay (unit: second) against the amount of MT requesting for handoff, with one curve for NEW and one for EMSA.]

Figure 7. Average Delay of Handoff

Acknowledgement

The work in this paper has been supported by Core Electronic Devices, High-end General Purpose and Basic Software Products in China (No. 2010ZX01037-001-001), National Soft Science Research Program (No. 2010GXQ5D317) and National Natural Science Foundation of China (No. 61272500).

References

[1] T. Gamer, L. Volker, M. Zitterbar. Differentiated Security in Wireless Mesh Networks. Security and Communication Networks, 2011, 4(3): 257–266.
[2] I. F. Akyildiz, X. Wang. A Survey on Wireless Mesh Networks. IEEE Radio Communications, 2005, 43(9): 23-30.
[3] P. Yi, T. Tong, N. Liu, Y. Wu, J. Ma. Security in Wireless Mesh Networks: Challenges and Solutions. Proceedings of the 6th International Conference on Information Technology: New Generations, April 2009, pp. 423-428.
[4] M. Cesana, A. Boukerche, A. Zomaya. Security for QoS Assured Wireless and Mobile Networks. Security and Communication Networks, 2011, 4(3): 239-241.
[5] S. Khan, N. Mast, K. K. Loo, A. Silahuddin. Passive Security Threats and Consequences in IEEE 802.11 Wireless Mesh Networks. International Journal of Digital Content Technology and Its Applications, 2008, 2(3): 4-8.
[6] S. Khan, N. Mast, K. K. Loo, A. Silahuddin. Cloned Access Point Detection and Prevention Mechanism in IEEE 802.11 Wireless Mesh Networks. International Journal of Information Assurance and Security, 2008, 3(4): 257-262.
[7] S. Khan, K. K. Loo, T. Naeem, M. A. Khan. Denial of Service Attacks and Challenges in Broadband Wireless Networks. International Journal of Computer Science and Network Security, 2008, 8(7): 1-6.
[8] A. Munoz, A. Mana. TPM-based Protection for Mobile Agents. Security and Communication Networks, 2010, 4(3): 45-60.
[9] IEEE Standard 802.11, IEEE Standard for Information Technology Telecommunications and Information Exchange between Systems-local and Metropolitan Area Networks-specific Requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. http://standards.ieee.org/getieee802/802.11.html, 2007.
[10] M. M. Arunesh, W. A. Shin. An Empirical Analysis of the IEEE 802.11 MAC Layer Handoff Process. ACM SIGCOMM Computer Communication Review, 2003, 33(2): 93-102.
[11] S. Cui, Y. Xu, C. Cheng, J. Gong. Commercialization and New Developments of MIP Technology. Acta Petrolei Sinica (Petroleum Processing Section), 2010, 26(SUPPL. 1): 23-28.
[12] C. Blondia, O. Casals. Low Latency Handoff Mechanisms and Their Implementation in an IEEE 802.11 Network. Proceedings of the 18 International TELETRAFFIC Congress, September 2003, pp. 971-980.
[13] 802.11 Working Group of the IEEE 802 Committee. Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. IEEE P802.11s™/D1.01, 2007, pp. 1-124.
[14] S. Pack, Y. Choi. Pre-authenticated Fast Handoff in a Public Wireless LAN based on IEEE 802.1x Model. Proceedings of the IFIP TC6/WG6.8 Working Conference on Personal Wireless Communications, October 2002, pp. 175-182.
[15] F. Rousseau, F. Theoleyre, A. Duda, A. Krendzel, M. Requena-Esteo, J. Mangues-Bafalluy. Geomobility and Location Service in Spontaneous Wireless Mesh Networks. Proceedings of ICTMobileSummit 2008, June 2008.
[16] Q. Han, Y. Zhang, X. Chen, H. Li, J. Quan. Efficient and Robust Identity-Based Handoff Authentication in Wireless Networks. Proceedings of the 6th International Conference on Network and System Security, 2012, pp. 180-191.
[17] A. Munoz, A. Mana. TPM-based Protection for Mobile Agents. Security and Communication Networks, 2011, 4(1): 45-60.
[18] H. Zhang, L. Chen, L. Zhang. Research on Trusted Network Connection. Chinese Journal of Computers, 2010, 33(4): 706-717.
[19] A. Shrestha, D. Choi, G. Kwon, S. Han. Kerberos based Authentication for Inter-domain Roaming in Wireless Heterogeneous Network. Computers and Mathematics with Applications, 2010, 60(2): 245-255.
[20] P. Xiao, J. He, Y. Fu. A Secure Mutual Authentication Protocol for Roaming in Wireless Mesh Networks. Journal of Networks, 2012, 7(2): 267-274.
[21] L. Terzis, G. Kambourakis, G. Karopoulos, C. Lambrinoudakis. Privacy Preserving Context Transfer Schemes for 4G Networks. Wireless Communications and Mobile Computing, 2011, 11(2): 289-302.
[22] G. Kambourakis, G. Karopoulos, S. Gritzalis. Survey of Secure Hand-off Optimization Schemes for Multimedia Services over all-IP Wireless Heterogeneous Networks. IEEE Communications Surveys and Tutorials, 2007, 9(3): 18-28.
[23] D. Li, Y. Yang, L. Gu, B. Sun. Study on Dynamic Trust Metric of Trusted Network based on State and Behavior Associated. Tongxin Xuebao/Journal on Communications, 2010, 31(12): 1219.
[24] F. Kong, Z. Zhang, Y. Liu. Research on Improvement of Grey Relation Analysis Method based on Ideal Points. Proceedings of 2007 3rd International Conference on Wireless Communications, Networking, and Mobile Computing, 2007, pp. 5712-5715.
[25] L. Law, A. Menezes, M. Qu, J. Solinas, S. Vanstone. An Efficient Protocol for Authenticated Key Agreement. Designs, Codes and Cryptography, 2003, 28(2): 119-134.
[26] F. Thayer, J. Herzog, J. Guttman. Strand Spaces: Why is a Security Protocol Correct? Proceedings of the 1998 IEEE Symposium on Security and Privacy, May 1998, pp. 160-171.
[27] D. Dolev, A. Yao. On the Security of Public Key Protocols. IEEE Transactions on Information Theory, 1983, 29(2): 198-208.
[28] L. Li, J. Chen, Y. Wang. An Extended Strand Space Method for Fairness Analysis of Nonrepudiation Protocols. Journal of Xi'an Jiaotong University, 2010, 44(6): 16-20.

Biographies

Peng Xiao is currently a Ph.D. student in the College of Computer Science and Technology at Beijing University of Technology. He received a BA degree from Wuhan University and an AM degree from Beijing University of Technology. His research interests include network security, trusted authentication in WMNs and Ad Hoc networks. Email: xp4523 @ emails.bjut.edu.cn

Jingsha He is currently a professor in the School of Software Engineering at Beijing University of Technology. His research interests include network security and wireless communication technologies.

Yingfang Fu is currently a post-doctoral student in the College of Computer Science and Technology at Beijing University of Technology. Her research interests include network security and trusted computing in WMNs.

Corresponding author: Jingsha He, Telephone number: +86-10-67396061, E-mail: [email protected]

Highlights

1. A trust-based protocol is proposed for secure handoff in wireless mesh networks.
2. Security properties are formally verified based on an enhanced Strand model.
3. Performance is evaluated and shown to be more advantageous than the EMSA scheme.