SPFP: Ticket-based secure handover for fast proxy mobile IPv6 in 5G networks

Accepted Manuscript

SPFP: Ticket-based Secure Handover for Fast Proxy Mobile IPv6 in 5G Networks Ilsun You, Jong-Hyouk Lee PII: DOI: Reference:

S1389-1286(17)30200-1 10.1016/j.comnet.2017.05.009 COMPNW 6203

To appear in:

Computer Networks

Received date: Revised date: Accepted date:

14 December 2016 26 March 2017 8 May 2017

Please cite this article as: Ilsun You, Jong-Hyouk Lee, SPFP: Ticket-based Secure Handover for Fast Proxy Mobile IPv6 in 5G Networks, Computer Networks (2017), doi: 10.1016/j.comnet.2017.05.009

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

ACCEPTED MANUSCRIPT 1

SPFP: Ticket-based Secure Handover for Fast Proxy Mobile IPv6 in 5G Networks Ilsun You and Jong-Hyouk Lee

CR IP T

Abstract—Recently, Chuang et. al introduced a secure password authentication mechanism, called SPAM, for seamless handovers in Proxy Mobile IPv6 (PMIPv6). SPAM aimed at providing high security properties while optimizing handover latency and computation overhead, but as pointed out in this paper SPAM is vulnerable to replay and malicious insider attacks as well as the compromise of a single node. In this paper, a new Security Protocol for Fast PMIPv6, called SPFP, is proposed that provides a ticket-based secure handover for mobile nodes (MNs). In SPFP, a ticket containing authentication materials is used for fast handover authentication when an MN changes its attachment point. Moreover, the MN’s anonymity is supported for preserving location privacy. Detailed operations of initial authentication and handover authentication are presented with message flows. The formal security analysis of SPFP is provided with results of qualitative analysis and quantitative analysis. Index Terms—Secure Authentication, Handover, F-PMIPv6, Formal Security Analysis, BAN Logic.

1

AN US

✦

I NTRODUCTION

W

M

I reless and mobile network technologies have evolved rapidly over the past few years. Internet mobility management protocols developed by the Internet Engineering Task Force (IETF) such as Mobile IPv6 (MIPv6) and Proxy Mobile IPv6 (PMIPv6) are the main enablers for the future IP based wireless mobile network. Already the Internet mobility management protocols are adopted in 3GPP and being used for Internet data communications of mobile devices such as smart phones. Especially, PMIPv6 [1], which is a network-based Internet mobility management protocol, does not require a specific mobility stack at mobile devices. This made a wide adoption of PMIPv6 in cellular networks possible. As an extension of improving handover performance, the Fast PMIPv6 protocol (F-PMIPv6) [2] is also developed. Securing handovers of a mobile node (MN) is a fundamental security issue for the Internet mobility management protocols. Initially security mechanisms designed for a fixed network had been applied but those had not considered characteristics of wireless and mobile networks such as limited bandwidth, battery issues, handover issues, etc. For instance, as an MN changes its point of attachment while moving, frequent handovers occur. Such handovers require a secure handover authentication scheme that must provide security requirements, e.g., mutual authentication required between them, secure session key sharing, defence ability against malicious nodes, resistance against DoS attacks,

preserving location privacy, etc. Advanced mobility support is required for 5G networks while supporting security. In other words, the overhead and handover latency caused by security protection should be minimized for Ultra-Reliable and Low-Latency 5G communications. In this paper, we focus on securing handovers for FPMIPv6. In particular the following contributions are presented in this paper.

ED

•

AC

CE

PT

•

The work of I. You was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT & Future Planning (NRF-2014R1A1A1005915). The work of J.-H. Lee was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT & Future Planning (NRF-2017R1A1A1A05001405). (Jong-Hyouk Lee is a corresponding author) I. You is with Soonchunhyang University, Asan, Republic of Korea (e-mail: [email protected]). J.-H. Lee is with Sangmyung University, Cheonan, Republic of Korea (e-mail: [email protected]).

•

Ticket-based secure handover scheme for F-PMIPv6, called SPFP, is introduced. After a secure initial access to the network, the MN uses a ticket containing authentication materials for fast handover authentication. SPFP is moreover supports the MN’s anonymity for preserving location privacy. Security analysis based on BAN Logic [3] is presented to formally prove its correctness. Comparative analysis is presented in which the representative authentication scheme, EAP-TLS, and other existing ticket-based schemes are compared with the proposed scheme, SPFP in terms of qualitative and quantitative analysis.

The rest of the paper is organized as follows: In Section, 2 related works are provided. Then, the proposed ticket-based secure handover scheme, SPFP, is described in Section 3. In Section 4, the correctness of SPFP is analyzed based on BAN Logic. The results of qualitative analysis and quantitative analysis are presented in Sections 5 and 6. We conclude this paper in Section 7.

2 2.1

BACKGROUND AND PRELIMINARIES Network-based IP Mobility Management

PMIPv6 and its extensions like F-PMIPv6 enable Internet mobility for an MN without requiring the MN to participate in any mobility control signaling. Mobility entities such as mobile access gateway (MAG) and local mobility anchor (LMA) are responsible for tracking the movements of the

ACCEPTED MANUSCRIPT 2

2.2

introduced a secure password authentication mechanism, called SPAM, for seamless handovers in PMIPv6, but as revealed in this paper SPAM is vulnerable to replay and malicious insider attacks as well as the compromise of a single node.

3

SPFP: T ICKET- BASED S ECURE H ANDOVER

(1)

CR IP T

The proposed authentication scheme called SPFP is composed of two phases: the initial and handover phases. In the former an MN is provided with secret keys after a full Authentication, Authorization and Accounting (AAA) protocol’s authentication. Note that the full AAA authentication is performed with an AAA protocol, e.g., the Diameter protocol or RADIUS protocol. The latter, seamlessly harmonized with F-PMIPv6, enables the MN to securely and efficiently execute its successive handovers. For this scheme, we make the following assumptions: With the help of the current access network (i.e., Layer 2 network), an MN can not only detect its movement to a new MAG in advance, but also report its lower-layer information to the current MAG via a HandOver Indication (HOI) message. A MAG establishes a bidirectional secure channel with its neighbor MAGs as well as a LMA establishes a bidirectional secure channel with its MAGs beforehand. The secure channel is used to protect and tunnel messages between two neighboring MAGs or a LMA and a MAG. Access Points (APs) build a bidirectional secure channel with their MAG.

AN US

MN and initiating the required mobility control signaling on behalf of the MN. When an MN changes its point of attachment from a previous MAG (pMAG) to a new MAG (nMAG), the MN’s mobility is supported by the network entities. For instance, as the nMAG detects the movement of the MN in its network, it sends a proxy binding update (PBU) message to the LMA. The LMA confirms the location of the MN and then provides the home network prefix (HNP) for the MN by sending back a proxy binding acknowledgment (PBAck) message. The MN receives a route advertisement (RA) message containing the HNP from the nMAG. Note that the MN obtains the same HNP during its movements in a PMIPv6 domain as a part of the home network emulation. The bidirectional tunnel established between the nMAG and the LMA is used for data communications of the MN. Details of the protocol’s operation are presented in Section 3 while the proposed authentication scheme’s initial and handover phases are illustrated. Note that the handover procedures and performance analysis of the PMIPv6 protocol are available in [4], [5]. Secure Handover in Proxy Mobile IPv6

(2)

(3)

Considering F-PMIPv6, all of the above are reasonable because they are its assumptions [2]. Fig. 1 shows the notations used in this paper.

AC

CE

PT

ED

M

The potential attack points of PMIPv6 are the two communication interfaces: one between an MN and a serving MAG; another one between the serving MAG and the LMA. The latter interface is the fixed network interface so that traditional security mechanisms to protect communications can be used, e.g., use of IPsec is recommended for protecting the communication interface between the serving MAG and the LMA. The communication interface between the MN and the serving MAG is a wireless interface in which mutual authentication, secure session key sharing, and anonymity for preserving the MN’s location privacy are required. Secure authenticated handover schemes have been applied to protect the wireless interface between the MN and the serving MAG. The EAP framework that provides various authentication methods is one of them and EAP-TLS [6] is the authentication method widely used as a baseline protocol in wireless mobile networks. However, in EAPTLS, an MN’s handover is not specially treated. In other words, the authentication procedure for the MN’s handover is the same with that of the MN’s initial network attachment. The latency of handover authentication is thus longer than other secure handover authentication schemes designed for PMIPv6. In addition, as shown later in this paper, EAPTLS is still prone to a malicious MAG attack, DoS attacks, anonymity support for MNs, etc. Various authentication schemes have been proposed for PMIPv6. Among them, ticket-based secure handover schemes such as TA [7], HOTA [8], and SPAM [9] are known as cost effective schemes thanks to their high security properties and minimized handover latency. An MN with a ticket provided from an authentication server (AS) can provide authentication materials to an nMAG without reconnecting to the AS when the MN attaches to the nMAG. Each ticketbased scheme has the pros and cons as shown later in this paper, but as analyzed in this paper, all the ticket-based schemes cannot provide secure handovers of the MN. For instance, a recently published work by Chuang et. al [9]

Fig. 1: Notation used in the paper.

3.1

Initial Phase

The initial phase, which is shown in Fig. 2, is executed when an MN turns on or first joins its PMIPv6 domain.

ACCEPTED MANUSCRIPT 3

Fig. 2: The initial phase of the proposed security scheme.

AN US

An MN starts this phase by performing a full AAA authentication with its AAA authentication server, i.e., AS. Once the full authentication is successful, the AS pseudorandomly generates two session keys KM N −LM A and SK0 as well as the first sequence number Seq1 . Through the AAA protected communication, the generated keys and sequence number are securely distributed from the AS to the entities such as LMA, MAG, and MN as depicted in Fig. 2. After this distribution, both the MAG and the MN compute the key KM N −M AG , and then the alias AID1 as IDM N (+)h(KM N −M AG ||Seq1 ) to hide the MN’s real identifier IDM N . Consequently, Seq1 is shared among all the three entities to defend against replay attacks. Then, SK1 and KM N −M AG are exchanged between the MN and the MAG for their safe communication, and AID1 is ready for keeping the MN’s location privacy. More importantly, through the delivered KM N −LM A , the MN can authenticate both itself and its messages to the LMA. Once the initial phase is finished, the MN, if needed, can trigger the MAG to perform its proxy binding update procedure, which consists of the steps (1)-(9) of the handover phase shown in Fig. 3. We explain this procedure in detail in the next subsection.

(4-5)

On receipt of the HOI message, the pMAG searches the MN’s handover context including IDM N , KM N −M AG , SKi−1 , and Seqj from its database with the received AIDj . If found, it verifies the received Seqj and HM2 . In a positive case, it forwards the context information such as IDM N , KM N −M AG , IDnAP , and Seqj to the nMAG while exchanging the HI and HAck messages. To authenticate the MN during the movement, the nMAG computes Seqj+1 and AIDj+1 , which are then stored along with the received context information. After these steps, the MN’s packets are tunneled from the pMAG to the nMAG over the secure channel that has been created. The pMAG transmits the DeReg PBU message to the LMA to deregister the MN’s current binding information. The LMA first checks if the received Seqj is fresh, and the new access point (nAP) does not belong to the pMAG. Then, the LMA verifies the correctness of HM1 with KM N −LM A . If the verification is right, the LMA updates the current sequence number with Seqj+1 . It is worth noting that a malicious MAG cannot fabricate a DeReg PBU message at its will because it is unable to compute a proper HM1 . The LMA concludes the de-registration work by returning the DeReg PBA message to the pMAG. As soon as the MN moves to the new network, it calculates both the message authentication values HM3 and HM4 after pseudo-randomly generating a nonce n1 . Note that HM3 and HM4 are used for authenticating the MN to the LMA and to the nMAG, respectively. Once prepared, the ATT message is sent to the nMAG while announcing the MN’s attachment to it. Upon receiving the ATT message, the nMAG first searches the MN and its handover context with the received AIDj+1 , then verifying if the received IDnAP , Seqj+1 , and HM4 are valid. In this way, the nMAG not only authenticates the MN, but also ensures that the ATT message is fresh and the MN is now connected to the nAP (i.e., the network of nMAG). That makes the nMAG advance the proxy binding update procedure with the LMA. After having sent the PBU message, the LMA uses the shared key KM N −LM A to verify HM 3. If successful, the LMA updates the MN’s binding entry in its cache. Note that, thanks to HM3 , the LMA can prevent malicious MAGs from launching redirection attacks with fabricated PBU messages. The LMA prepares for the PBA message by pseudo-randomly generating a nonce n2 and computing the new session key SKi as HM AC(KM N −LM A , n1 ||n2 ||“SK”). Afterwards, the PBA message is sent to the nMAG, and the MN’s sequence number is replaced with Seqj+2 . If the PBA message arrives, the nMAG obtains SKi . Here, because SKi is independent from the previous ones, it is only known to the MN and the nMAG, thus enabling the proposed scheme to be immune to the compromise of a single MAG.

CR IP T

(2-3)

Handover Phase

CE

3.2

(7)

PT

ED

M

(6)

The handover phase of the proposed security scheme is illustrated in Fig. 3. If the MN detects that an handover to a new network is imminent, it first calculates HM1 and HM2 with the keys KM N −LM A and SKi−1 , respectively. Note that the MN knows IDnAP with the help of its current access network. Note that the detailed procedure is out of the scope of this paper. At this point, the MN does not need to compute AIDj , because it already shares this alias with the pMAG during its attachment to the current network. The MN then notifies the pMAG of its handover by sending the HOI message via the current access network. In addition, both the next sequence number and alias are updated with Seqj+1 = Seqj + 1 and AIDj+1 = IDM N (+)h(KM N −M AG ||Seqi+1 ) respectively.

AC

(1)

(8)

ACCEPTED MANUSCRIPT

AN US

CR IP T

4

The nMAG transmits the RA message after computing HM AC(SKi , RA). Given this message, the MN uses the two nonces n1 and n2 to compute SKi , which is then used to verify the received HM AC(SKi , RA). If the authentication code is valid, the MN believes that it is successfully authenticated to both the nMAG and the LMA. Moreover, it authenticates the nMAG based on trusting that the nMAG owns SKi . Finally, the MN and nMAG compute and store the next sequence number and alias, Seqj+2 and AIDj+2 , which will be used to protect the next HOI message.

Fig. 4: Notation of BAN Logic.

CE

PT

ED

(9)

M

Fig. 3: Handover phase of the proposed security scheme.

AC

Note that the predictive mode is considered in the above handover phase. However, in the reactive mode, the MN just needs to send the HOI and AT T messages to the nMAG. Then, the nMAG exchanges the HI and HAck messages after forwarding the HOI one to the pMAG. The rest steps are same as those of the predictive mode. Fig. 5: Rules of BAN Logic.

4

S ECURITY A NALYSIS

In this section, we formally analyze the proposed authentication scheme with BAN Logic, which has been widely applied to reasoning about security schemes [3], [8], [10]– [12]. For this analysis, we focus on the handover phase. The basic notation and rules of BAN Logic are shown in Figures 4 and 5.

As the first step, we translate the handover phase into the idealized form in Figure 6. Note that the messages (2), (3), (5), and (8) are omitted in the idealized form because of they do not contribute to this analysis. The assumptions are made as described in Figure 7. Strictly speaking, the assumptions on KM N −M AG , Ac and

ACCEPTED MANUSCRIPT 5

AN US

CR IP T

Fig. 6: Idealized Form

Fig. 7: Assumptions

LMA believes that the nMAG believes the MN’s arrival at its own network. In addition to this belief, the derived one (7c) shows that the LMA authenticates the MN as well as its movement to the new network. Therefore, this proposition is valid. 

Proposition 1. pMAG and LMA believe that MN is going to move to the nMAG’s network.

Proposition 4. SKi is securely exchanged between the MN and the nMAG.

proof: The derived beliefs (1f) and (1g) allow the pMAG to trust the MN’s handover from its network to the new one including the nAP (i.e., nMAG). On the other hand, the LMA counts on the belief (4d) to authenticate that the MN moves to the new network. As a result, we can conclude that the pMAG and the LMA believe that the MN is going to the new network, to which the nMAG belongs. 

proof: It is shown from the beliefs (9c) and (9f) that the MN trusts SKi and the nMAG’s belief in SKi . Note that based on An in the assumptions shown in Fig. 7, the nMAG believes SKi . As a result, we can conclude that SKi is securely exchanged between the MN and the nMAG.  From the above analysis and propositions, it is demonstrated that the the MN and the nMAG mutually authenticate each other as well as securely exchange SKi . Moreover, the propositions 1 and 3 show that the proposed protocol allows the LMA to directly obtain the belief in the MN’s handover without relying on its MAGs. As a result, we can conclude the proposed scheme is valid.

AC

CE

PT

ED

M

Af, are not correct because that key is shared among the MAGs visited by the MN. However, the MN is authenticated based on two keys KM N −M AG and KM N −LM A , thus defending against the previous malicious MAGs’ attacks. Moreover, we aim to provide the same level as the anonymity and location privacy of SPAM [9], [13]. Therefore, it is reasonable to add these assumptions. With the above idealized form and assumptions, we verify the proposed protocol as depicted in Figure 8. Based on the beliefs obtained from the above analysis, we can derive the following propositions.

Proposition 2. MN and nMAG mutually authenticate each other. proof: Based on the beliefs (6d) and (6e), the nMAG authenticates the MN. Moreover, this authentication is then enhanced by the belief (7c) indicating that the MN is also authenticated by the LMA. On the other hand, the belief (9d) proves that the nMAG is authenticated to the MN. Therefore, it is shown that the MN and the nMAG mutually authenticate each other.  Proposition 3. LMA authenticates MN and its handover to the nMAG’s network. proof: Basically, counting on the P BU message, the

Fig. 8: Analysis

5

Q UALITATIVE A NALYSIS

Table 1 provides a summary of the proposed authentication scheme compared with existing comparable authentication schemes. A detail of each existing authentication scheme is available at [6]–[9]. EAP-TLS [6] does not provide an optimized handover performance. The authentication procedure for the MN’s

ACCEPTED MANUSCRIPT 6

TABLE 1: Comparision Scheme

EAP-TLS [6]

Handover Authentication Full authentication required: When MN changes its attachment point, full authentication is required so that latency of handover authentication is long that results in potentially causing delay or disruption of communication during the MN’s handover.

R1

Y

R2

Y

R3

R4

Y

Y

R5

N

R6

Y

R7

N

R8

Limitation

N

Even if this authentication scheme is widely used in wireless networks as a standardized method, the latency of handover authentication is long due to the involvement of AS for MN’s every handover.

Because the group key is used to decrypt the ticket and the authentication key in the ticket is used for all handovers, this scheme is vulTA [7] Y Y Y Y N N Y N nerable to malicious MAG’s attacks and does not prevent session key domino effects. Location privacy of an MN is not supported. As the authentication key in the ticket is used for all handovers, this Ticket authentication used: Similar scheme is vulnerable to malicious to TA, but secure channels between MAG’s attacks and does not prevent HOTA [8] Y Y Y Y N N Y N MAGs are used to distribute the session key domino effects. Locaticket decryption key. tion privacy of an MN is not supported. Because the group key is used to Ticket authentication used: Similar decrypt the ticket and the authentito HOTA, but the ticket is used for cation key in the ticket is used for localized handover authentication. all handovers, this scheme is vulSPAM [9] Y Y Y Y N N Y Y Location privacy of an MN is supnerable to malicious MAG’s attacks ported. and does not prevent session key domino effects. Ticket authentication used: The AS’s Securely authentication is supinvolvement is not required, but the ported while location privacy of an LMA is involved in authentication. MN is also supported. Note that SPFP Y Y Y Y Y Y Y Y Location privacy of an MN is supMAGs may analogize the MN’s ID ported. yet. R1: mutual authentication, R2: key exchange, R3: confidentiality, R4: integrity, R5: defence ability against a malicious MAG R6: prevention of session key domino effects, R7: resistance against DoS attacks, R8: anonymity support for MNs

M

AN US

CR IP T

Ticket authentication used: MN uses a ticket issued from AS at initial authentication so that the involvement of AS is not required for handover authentication. Ticket decryption key is a group key shared among MAGs and LMA

AC

CE

PT

ED

handover is treated as like that of the MN’s initial network attachment so that the full authentication procedure is required that causes a longer latency of handover authentication than others. In addition, as shown in Table 1, EAPTLS is still prone to a malicious MAG attack, DoS attacks, anonymity support for MNs, etc. The first scheme that introduces the use of tickets for handover authentication in a PMIPv6 domain is TA presented in [7]. TA speeds up the authentication procedure for the MN’s handover by utilizing a ticket issued from an AS during the initial authentication procedure. A group key, which is shared among MAGs and LMA, is used to decrypt the ticket. Then, the ticket is used to authenticate the MN by the MAGs without the involvement of the AS. However, as TA has been developed for the basic PMIPv6 protocol, its effort to reduce the latency of handover authentication is still limited. HOTA [8] is another ticket-based secure protocol that introduced the use of tickets for F-PMIPv6. The handover authentication procedure of HOTA is similar with that of TA, but bidirectional tunnels established between MAGs are utilized to securely distribute the ticket decryption key. In addition, as HOTA is designed for F-PMIPv6, the overall handover latency is lower compared with that of TA. Concerns about location privacy are getting increased. In terms of location privacy, the above two ticket-based

authentication protocols do not provide any means of protection. SPAM [9], which is also a ticket-based secure protocol, supports an MN’s anonymity while utilizing the ticket similar to HOTA. SPAM has been not developed for FPMIPv6, but it relies on PMIPv6 bicasting to prevent the packet loss during the MN’s handover. The ticket-based secure protocols share a common weakness. The group key shared among MAGs are used as the ticket decryption key so that the defence ability against a malicious MAG is weak. In addition, due to the use of the group key, it cannot withstand session key domino effects.

6

Q UANTITATIVE A NALYSIS

We evaluate the proposed scheme with the previously developed authentication schemes such as EAP-TLS based authentication [6], TA [7], HOTA [8], and SPAM [9] in terms of authentication latency, handover latency, number of loss packets or buffered packets, and handover failure probability. The authentication latency is the latency occurred during the exchanges of authentication related messages. The authentication latency can be further analyzed in terms of (·) initial authentication latency LIN −AU and handover au(·) (·) thentication latency LHO−AU . The handover latency LHO is the latency occurred during an MN’s handover from one

ACCEPTED MANUSCRIPT 7

6.1

System Model

α

fα∗ (s)

µ , η

=

ED

N

M

is the Laplace transform of the PDF of the MN’s where session holding time, pf is the MN’s handover blocking probability, φα is the singular points of fα∗ (−s), and Ress=p represents the residue at a singular point s = p. By assuming that a session duration time TS follows an exponential distribution with its mean value 1/η and pf = 0, we have (2)

CE

PT

where 1/µ is the MN’s average residence time in a network. Suppose $A is the average number of handover authentications during the MN’s movements. Then, $A is calculated as $A = dN e − 1, because handover authentication is only happened when the MN moves to another network. We assume that the session arrival rate at the MN with the mean λs . The number of loss packets or buffered packets (·) ϕp is then obtained as

ϕ(·) p

AC

=

(·)

λs E(S)LHO ,

(3)

where E(S) is the average session length in packets. When an MN’s residence time in a network is less than the handover completion time, the MN’s handover is failed. Let us assume that the handover latency is exponentially (·) distributed with the cumulative function FT (t). If we further assume that the handover latency is only the handover (·) failure factor, we can obtain ρb as (·)

ρb

(·)

= P r(LHO > µ) = (·)

=

µc

=

2ν , πR

(5)

where ν is the average velocity of the MN and R is the radius of the network area. 6.2 Latency Analysis In EAP-TLS based authentication, the full EAP exchange is occurred between an MN and its AS. Accordingly, the (T LS) latency of initial authentication in EAP-TLS LIN −AU is expressed as (T LS)

(T LS)

LIN −AU = DEAP = 3Tmn−mag + Tmag−as + T (m, Tmn−as ),(6) (T LS)

where DEAP is the average transmission delay for executing the full EAP Exchange. Tmn−mag is the average transmission delay between the MN and the MAG. Similarly, Tmag−as and Tmn−as are the average transmission delays between the MAG and the AS, and between the MN and the AS, respectively. T (·) means the average transmission delay function for a specific EAP method, where m is the number of messages required for executing of the EAP method. In Eq. (7), 3Tmn−mag indicates the required time to complete two EAP starting (EAP-Request/Identity and EAP-Response/Identity) messages and EAP finish (EAPSuccess) message. EAP-TLS based authentication requires the full EAP exchange whenever the MN boots up or moves to the new access network. Accordingly, the latency of handover (T LS) authentication in EAP-TLS LHO−AU is expressed as

AN US

For the quantitative analysis, the system model used in [8] is adopted in this paper. Let N is the average number of networks that an MN passes during handovers of the MN. Suppose 1/α is the MN’s average residence time in a network. Let f ∗ (s) is the Laplace transform of the probability density function (PDF) of the MN’s residence time in a network. By the theorem presented in [14], N is obtained as X 1 − f ∗ (s) N = −α Ress=p f ∗ (−s), (1) ∗ (s) α 1 − (1 − p )f f p∈φ

where fµ (t) is the PDF of µ, µc is the network crossing rate of the MN. Assuming that the network shape is circular, µc is obtained as [15]

CR IP T

access network to another. Depending on the schemes, the handover latency includes the whole authentication latency or a portion of the authentication latency with other latencies. Without a buffering mechanism, data packets destined for the MN is lost during handovers, but the data packets are buffered at relevant ARs with the buffering mechanism. The (·) number of loss packets or buffered packets ϕp is directly related to the handover latency. Note that the basic networkbased mobility management protocol, PMIPv6, does not provide the buffering mechanism, but F-PMIPv6 provides. (·) The handover failure probability ρb is the probability representing the MN’s handover failure during its handover.

µc E[LHO ] (·)

1 + µc E[LHO ]

,

Z

0

∞

(·)

(1 − FT (u))fµ (u)du (4)

(T LS)

(T LS)

(7)

LHO−AU = LIN −AU . (T LS)

The handover latency for EAP-TLS LHO pressed as (T LS)

LHO

is thus ex-

(T LS)

= LL2 + LHO−AU + DSA + DRS + DREG + DP −LM A ,

(8)

where LL2 is the link-layer handover latency depending on the used wireless implementation chipset. In this paper, we assume that all authentication schemes have the same value of LL2 . DSA is the required time to perform IEEE 802.11i four-way handshake so that it is represented as 4Tmn−mag . DRS is the required time for receiving the RS message sent from the MN so that it is represented as Tmn−mag . DREG is the required time for registering the MN between the MAG and the LMA so that it is represented as 2Tmag−lma . DP −LM A is the required time that the first data packet sent from the CN to the MN arrives at the MN from the LMA. It is thus expressed as Tmag−lma + Tmn−mag . In TA, the initial authentication message procedure is similar to that of Kerberos so that ticket-granting is required

ACCEPTED MANUSCRIPT 8

(T A)

(T A)

(T A)

LIN −AU = DAuth + DCR = 2Tmn−as + 2Tmn−mag ,

(9)

(T A)

where DAuth is the average transmission delay for ticket(T A) granting messages between the MN and AS. DCR is the average transmission delay for exchange of the challenge (T A) and response messages between the MN and MAG. DAuth (T A) is thus rewritten as 2Tmn−as , whereas DCR is rewritten as 2Tmn−mag . (T A) The latency of handover authentication in TA LHO−AU is expressed as (T A)

(T A)

(T A)

LHO−AU = DAuth−M at + DCR = Tmags + 2Tmn−mag ,

(10)

(T A) DAuth−M at

(T A) LHO

= LL2 +

(T A) DAuth

+ DSA + DREG + DP −nM AG , (11)

CE

PT

ED

M

where DP −nM AG is the required time that the first data packet buffered at the nMAG arrives at the MN. The transaction of authentication signaling for the MN is completed before the MN attaches with the nMAG. Then, as the nMAG receives the RS message sent from the MN, it recognizes the attachment of the MN and registers the MN to the LMA by sending the PBU message. Upon receiving the PBAck message, the nMAG immediately sends buffered data packets to the MN. In HOTA, during the initial authentication procedure a ticket is distributed from the AS to the MN and also to the serving MAG. Then, the MN is authenticated with the ticket and authenticator to the MAG. The latency of initial (HOT A) authentication in HOTA LIN −AU is expressed as (HOT A)

(HOT A)

(HOT A)

= DAcc + DAuth = 2Tmn−as + 2Tmn−mag ,

AC

LIN −AU (HOT A) DAcc

(12)

(HOT A) DAuth

where and are the required times to get the ticket from the AS and to be authenticated, respectively. Compared to the initial authentication procedure, during the handover authentication procedure in HOTA, the AS’s involvement is not required. More specifically, before the MN actually attaches to the nMAG, the pMAG performs handover authentication by sending the AuthCT message to the nMAG. Accordingly, the latency of handover authen(HOT A) tication in HOTA LHO−AU is expressed as (HOT A)

(HOT A)

(HOT A)

LHO

= LL2 + DAuth

(HOT A)

(SP AM )

(SP AM )

LIN −AU

(13)

(14)

(SP AM )

= DInit + DAuth = 2Tmn−as + 3Tmn−mag + 3Tmag−lma ,(15)

(SP AM )

(SP AM )

where DInit and DAuth are the required times to complete the initial registration procedure and authentication procedure, respectively. The latency of handover authentication in SPAM (SP AM ) LHO−AU is then expressed as (SP AM )

(SP AM )

LHO−AU = DLocal−Auth + DREG = 2Tmn−mag + 2Tmag−lma ,

(16)

(SP AM ) where DLocal−Auth

is the required time to complete the local authentication in SPAM. (SP AM ) The handover latency for SPAM LHO is then expressed as (SP AM )

LHO

(SP AM )

= LL2 + LHO−AU + DSA + DP −nM AG .

(17)

In the proposed authentication scheme, the full EAP exchange is required between the MN and its AS for initial authentication. Accordingly, the latency of initial authenti(P RO) cation in SPFP LIN −AU is expressed as (T LS)

(P RO)

(P RO)

LIN −AU = DEAP + DInit = 3Tmn−mag + Tmag−as + T (m, Tmn−as ) + Tmn−as , (18) (P RO)

where DInit is the required time to transmit the session keys and first sequence number from the AS to the MN. The latency of handover authentication in the proposed (P RO) authentication scheme LHO−AU is expressed as (P RO)

(HOT A)

LHO−AU = DHIA + DAuthCT + DAuth = 4Tmags + 2Tmn−mag ,

+ DSA + DP −nM AG ,

where DREG presented in Eqs. (8) and (11) is not involved because the registration for the MN is executed as the nMAG sends the AuthRes message during handover authentication. As the nMAG authenticates the MN, it immediately sends the buffered data packets to the MN. In SPAM, the initial registration procedure and authentication procedure are required for initial authentication. The (SP AM ) latency of initial authentication LIN −AU is thus expressed as

AN US

where is the average transmission delay for the authentication material message that contains a key to decrypt a ticket in TA. As the authentication material message is sent from the pMAG to the nMAG, it is rewritten as Tmags meaning the average transmission delay between MAGs. (T A) The handover latency for TA LHO is thus expressed as

where DHIA is the average transmission delay for exchange of HI and HAck messages between relevant MAGs. (HOT A) DAuthCT is the required time to complete the authentication context transfer between the pMAG and the nMAG. The authentication context transfer is proactively initiated before the MN attaches with the nMAG by utilizing L2 trigger. As the MN attaches with the nMAG, they authenticate each other by performing the authentication re(HOT A) quest/response. The handover latency for HOTA LHO is thus expressed as

CR IP T

from the AS to the MN. The latency of initial authentication (T A) LIN −AU is expressed as

(P RO)

LHO−AU = DHIA + DAuth = 2Tmags + 2Tmn−mag ,

(19)

ACCEPTED MANUSCRIPT 9 1000

250

3500 (.) LIN− AU

900

(.) LHO− AU

TLS TA HOTA SPAM SPFP

3000

200

600

500

400

The handover latency (ms)

2500

700

The handover latency (ms)

The authentication latency (ms)

800

TLS TA HOTA SPAM SPFP

2000

1500

150

100

1000

300

50

200

500

100

TLS

TA

HOTA

SPAM

1

1.5

SPFP

(a) Authentication Latencies.

2 2.5 3 The average resident time in a network (min)

3.5

4

0 10

(b) Handover Latency vs. 1/µ.

15

20

25 The velocity (m/s)

30

35

40

(c) Handover Latency vs. ν .

CR IP T

0

0

Fig. 9: Analysis of Authentication and Handover Latencies. (P RO)

(P RO)

LHO 6.3

(P RO)

= LL2 + DAuth + DSA + DP −nM AG .

Numerical Results

(20)

CE

PT

ED

M

In this subsection, the numerical results are presented. For comparative analysis, the following system parameter used in [8] are adopted: η = 0.2 min−1 , µ = [1/1, 1/4] min−1 , λs = [0.5, 1], E(S) = 10, ν = [10, 40] m/s, R = [100, 200] m, message transmission delay on one hop ttr = 20 ms [16], Tmn−mag = ttr , Tmag−lma = Tmag−as = nttr where n is the number of hops between the MAG and the LMA/AS, n = 3, p Tmn−as = Tmn−mag + Tmag−lma , Tas−lma = Tmags = Tmag−lma [17]. In addition, LL2 is set as 45.35 ms [18] and the value of m for EAP-TLS is defined as 4 [19]. In Fig. 9(a), the initial and handover authentication latencies are investigated. As presented, the sum of the initial and handover authentication latencies of EAP-TLS is greater than those of other ticket-based authentication schemes. This is because that EAP-TLS requires a number of authentication signaling with the AS. Especially, its handover authentication latency is exactly same with the initial authentication latency due to no specific procedure for optimizing handovers of an MN. On the other hand, the ticketbased authentication schemes have handover optimized authentication procedures so that the handover authentication latency is reduced compared with EAP-TLS. Among ticketbased authentication schemes, TA and HOTA shows good performance in terms of the sum of the initial and handover authentication latencies, while the proposed SPFP shows a longer initial authentication latency compared with the other schemes. This phenomenon is due to the required full AAA authentication plus the key distribution of SPFP. However, thanks to the use of the ticket for handover authentication, the proposed SPFP shows the reduced latency compared with those of EAP-TLS, HOTA, and SPAM. Note that the handover authentication latencies of TA and SPFP are mostly similar.

AC

We now investigate the effect of 1/µ on the handover latency. As 1/µ increases, the frequency of handover is reduced so that the handover latencies for all schemes are decreased as shown in Fig. 9(b). In this analysis, we confirm that the proposed SPFP and HOTA outperform other schemes thanks to the handover optimized authentication procedures with the fast handover function, i.e., reduced number of authentication signaling with the AS thanks to the ticket, while utilizing F-PMIPv6 to speed up the handover performance. Note that HOTA presents a slightly better performance than the proposed SPFP. In addition, we found that as 1/µ approaches to 3 min, the handover latencies for all schemes become stable. Next, we present the effect of ν on the handover latency in Fig. 9(c). We set R as 100 m, while changing ν from 10 to 40 m/s. As ν is increased, an MN quickly crosses the network boundaries. In other words, with the higher value of ν , the MN frequently changes its point of attachment so that the handover authentication and registration of the MN are also frequently performed. Fig. 9(c) reflects this phenomenon and confirms that the proposed SPFP and HOTA outperform others because those require less handover authentication and register latencies. We then analyze the handover latency as a function of the session to mobility ratio (SMR). Let Sϕ is the SMR defined as λs /µc [20]. In Fig. 10(a), the variation of the handover latency is presented when we set λs = 0.5 and R = 100 m while changing ν from 10 to 40 m/s. The higher value of Sϕ indicates the lower mobility rate with the fixed session arrival. As shown in Fig. 10(a), the ticket-based authentication schemes become stable when Sϕ approaches to 5.2, but EAP-TLS still suffers because of its higher authentication signaling. Data packets destined for an MN will be lost while handovers if a buffering mechanism is not supported. Fig. 10(b) demonstrates the number of loss or buffered packets during handovers of the MN. In this analysis we use the same system parameter valued used in Fig. 10(a), while setting E(S) = 10. As presented in Fig. 10(b), the packet loss of EAP-TLS during the handovers is directly proportional to the mobility rate. However, the schemes that adopts the buffering mechanism like HOTA, SPAM, SPFP prevent such packet loss but just receive buffered (delayed) packet arrival. For instance, data packets destined for the MN are

AN US

where DAuth is the required time to complete the message exchanges between the MN and nMAG for authentication that can be rewritten as 2Tmn−mag . The handover latency for the proposed authentication (P RO) scheme LHO is then expressed as

ACCEPTED MANUSCRIPT 10 250

1000

50

0

2

3

4

5 The session to mobility ratio

6

(a) Handover Latency vs. Sϕ .

700 600

500

400

0.14 0.12

0.1

0.08

300

0.06

200

0.04

100

0.02

0

7

0.16

2

3

4

5 The session to mobility ratio

6

0 100

7

(b) Number of Loss or Buffered Packets vs. Sϕ .

110

120

130

140 150 160 170 The radius of the network area (m)

180

190

200

(c) Handover Failure Probability vs. R.

CR IP T

100

800

TLS TA HOTA SPAM SPFP

0.18

The handover failure probability

150

TLS TA HOTA SPAM SPFP

900 The number of packet loss / buffered packets

TLS TA HOTA SPAM SPFP

200

The handover latency (ms)

0.2

Fig. 10: Analysis of Handover Latency, Packet Loss/Buffering, and Handover Failure. [4]

[5]

J.-H. Lee, T. Ernst, and T.-M. Chung, “Cost Analysis of IP Mobility Management Protocols for Consumer Mobile Devices,” IEEE Transactions on Consumer Electronics, vol. 56, no. 2, pp. 1010–1017, May 2010. J.-H. Lee, J.-M. Bonnin, I. You, and T.-M. Chung, “Comparative Handover Performance Analysis of IPv6 Mobility Management Protocols,” IEEE Transactions on Industrial Electronics, vol. 60, no. 3, pp. 1077–1088, March 2013. D. Simon, B. Aboba, and R. Hurst, “The EAP-TLS Authentication Protocol, IETF RFC 5216,” March 2008. J.-H. Lee, J.-H. Lee, and T.-M. Chung, “Ticket-Based Authentication Mechanism for Proxy Mobile IPv6 Environment,” in Systems and Networks Communications, 2008. ICSNC ’08. 3rd International Conference on, Oct 2008, pp. 304–309. [Online]. Available: http://dx.doi.org/10.1109/ICSNC.2008.25 J.-H. Lee and J.-M. Bonnin, “HOTA: Handover optimized ticketbased authentication in network-based mobility management,” Information Sciences, vol. 230, no. 0, pp. 64–77, May 2013. [Online]. Available: http://dx.doi.org/10.1016/j.ins.2012.11.006 M.-C. Chuang, J.-F. Lee, and M.-C. Chen, “SPAM: A Secure Password Authentication Mechanism for Seamless Handover in Proxy Mobile IPv6 Networks,” Systems Journal, IEEE, vol. 7, no. 1, pp. 102–113, March 2013. [Online]. Available: http://dx.doi.org/10.1109/JSYST.2012.2209276 I. You, Y. Hori, and K. Sakurai, “Enhancing SVO logic for mobile IPv6 security protocols,” Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, vol. 2, no. 3, pp. 26–52, 2011. ——, “Towards formal analysis of wireless LAN security with MIS protocol,” International Journal of Ad Hoc and Ubiquitous Computing, vol. 7, no. 2, pp. 112–120, 2011. [Online]. Available: http://dx.doi.org/10.1504/IJAHUC.2011.038997 I. You, J.-H. Lee, and K. Sakurai, “Dssh: Digital signature based secure handover for network-based mobility management,” Computer Systems Science & Engineering, vol. 27, no. 3, pp. 112–120, May 2012. M.-C. Chuang and J.-F. Lee, “SF-PMIPv6: A secure fast handover mechanism for Proxy Mobile {IPv6} networks,” Journal of Systems and Software, vol. 86, no. 2, pp. 437–448, 2013. [Online]. Available: http://dx.doi.org/10.1016/j.jss.2012.09.015 Y. Fang, I. Chlamtac, and Y.-B. Lin, “Channel occupancy times and handoff rate for mobile computing and pcs networks,” IEEE Transactions on Computer, vol. 47, no. 6, pp. 679–692, Jun. 1998. F. V. Baumann and I. G. Niemegeer, “An evaluation of location management procedure,” in Proceedings of the International Conference on Universal Personal Communications (UPC), ser. UPC ’04, September 2004, pp. 359–364. H. Zhou, H. Zhang, and Y. Qin, “An authentication method for proxy mobile ipv6 and performance analysis,” Security and Communication Networks, vol. 2, no. 5, pp. 445–454, 2009. J.-H. Lee, S. Pack, I. You, and T.-M. Chung, “Enabling a Paging Mechanism in Network-based Localized Mobility Management Networks,” Journal of Internet Technology, vol. 10, no. 5, pp. 463– 472, Oct. 2009. S. Pack, J. Choi, T. Kwon, and Y. Choi, “Fast-handoff support in

7

M

AN US

first forwarded from the pMAG to the nMAG and then the MN receives the buffered packets from the nMAG when its handover completes. We now see the analysis result of the handover failure probability in Fig. 10(c). As R increases, an MN’s residence time increases so that the MN has more time to finish its handover, i.e., reducing the handover failure probability of the MN. In Fig. 10(c), we confirm that EAP-TLS is under the influence of R and the ticket-based authentication schemes such as TA and SPAM are also under the influence of R. However, R cannot have influence upon the performance of the proposed SPFP and HOTA that adopt the fast handover function allowing the predictive registration based on the L2 trigger.

C ONCLUSION

AC

CE

PT

ED

In this paper, we have presented a new ticket-based secure handover protocol for F-PMIPv6, called SPFP. The proposed scheme uses a ticket containing authentication materials to minimize the number of authentication related message exchanges with the AS while supporting the fast handover function. As analyzed, SPFP supports various security requirements such as mutual authentication, key exchange, confidentiality, integrity, defence ability against a malicious MAG, prevention of session key domino effects, and resistance against DoS attacks. In addition, as concerns about location privacy are increasing nowadays, SPFP supports the MN’s anonymity for preserving location privacy during movements of the MN in a PMIPv6 domain. SPFP has been analyzed in terms of authentication latency, handover latency, number of loss packets or buffered packets, and handover failure probability. Also, the protocol’s correctness has been proved with BAN Logic.

[6] [7]

[8]

[9]

[10]

[11]

[12]

[13]

[14] [15]

R EFERENCES [1] [2] [3]

S. Gundavelli, K. Leung, V. Devarapalli, K. Chowdhury, and B. Patil, “Proxy Mobile IPv6, IETF RFC 5213,” August 2008. H. Yokota, K. Chowdhury, R. Koodli, B. Patil, and F. Xia, “Fast Handovers for Proxy Mobile IPv6, IETF RFC 5949,” September 2010. M. Burrows, M. Abadi, and R. Needham, “A Logic of Authentication,” ACM Trans. Comput. Syst., vol. 8, no. 1, pp. 18–36, Feb 1990. [Online]. Available: http://doi.acm.org/10.1145/77648.77649

[16] [17]

[18]

ACCEPTED MANUSCRIPT 11

AC

CE

PT

ED

M

AN US

CR IP T

ieee 802.11 wireless networks,” Commun. Surveys Tuts., vol. 9, no. 1, pp. 2–12, Jan. 2007. [19] T. Clancy, M. Nakhjiri, V. Narayanan, and L. Dondeti, “Handover Key Management and Re-Authentication Problem Statement, IETF RFC 5169,” March 2008. [20] J.-H. Lee, Y.-H. Han, S. Gundavelli, and T.-M. Chung, “A comparative performance analysis on Hierarchical Mobile IPv6 and Proxy Mobile IPv6,” Telecommunication Systems, vol. 41, no. 4, pp. 279–292, 2009.

ACCEPTED MANUSCRIPT 12

Ilsun You received his M.S. and Ph.D. degrees in Computer Science from Dankook University, Seoul, Republic of Korea in 1997 and 2002, respectively. He was an Associate Professor in the School of Information Science at the Korean Bible University. He is now with Soonchunhyang University, Asan, Republic of Korea. His main research interests include network security and authentication. He is a member of the IEICE, KIISC and KSII.

AC

CE

PT

ED

M

AN US

Jong-Hyouk Lee is a security engineer, holding a PhD in Computer Engineering. He worked to develop secure and efficient vehicular communication systems at INRIA, France from 2009 to 2012. He was an Assistant Professor at TELECOM Bretagne, France from 2012 to 2013. He is now leading the Protocol Engineering Lab. at Sangmyung University, Republic of Korea. In November 2014, Dr. Lee was selected as the Young Researcher of the Month by the National Research Foundation of Korea (NRF) Webzine in November 2014. He received the 2015 Best Land Transportation Paper Award from the IEEE Vehicular Technology Society. He was a tutorial speaker at the IEEE WCNC 2013, IEEE VTC 2014 Spring, and IEEE ICC 2016. He is a technical program chair of the IEEE ICCE 2017 and 2018. Dr. Lee is a senior member of the IEEE. He is an associate editor of the security and privacy areas of the IEEE TRANSACTIONS ON CONSUMER ELECTRONICS, and IEEE CONSUMER ELECTRONICS MAGAZINE. Research interests include Mobility Management, Blockchain, Authentication, Privacy, and Malware.

CR IP T

B IOGRAPHY