2011 International Joint Conference of IEEE TrustCom-11/IEEE ICESS-11/FCST-11
Building up trusted identity management in mobile heterogeneous environment
Peng Zhang, Hanlin Sun
Research Institute of Mobile Internet, Xi’an University of Posts and Telecommunications, Xi’an, China
[email protected], [email protected]
Zheng Yan
Department of Communications and Networking, Aalto University, Espoo, Finland
School of Telecommunications Engineering, XiDian University, Xi’an, China
[email protected]
Abstract — Mobile Internet enables mobile users to access Internet services through mobile networks. Currently, cellular networks are converging with various wireless networks, e.g., WLAN and MANET, which forms a heterogeneous mobile environment. In such an environment, it has been a big challenge for mobile operators and mobile service providers to offer seamless roaming and services among the networks. Previous work on the problem is tied to specific network circumstances and cannot easily or widely be applied in the heterogeneous environment. In this paper, we foresee mobile networks evolving into a mobile cloud environment. Thus, we propose a generic and flexible solution based on cloud computing technology that achieves various benefits, such as robustness and high availability. We present the architecture and procedures for building up trusted identity management to achieve seamless roaming.
Keywords - trust; identity management; mobile network; cloud computing
I. INTRODUCTION
More and more mobile users are willing to access Internet services with their mobile devices. The most typical case is Apple iPhone users, who are keen on using various mobile services, e.g., AppStore, Map, etc. It is reported that, with the “unlimited data plan”, 3% of Apple iPhone users account for over 40% of AT&T network traffic, which even degrades the performance of the AT&T network and its brand. On one hand, this phenomenon shows that there is huge potential for the growth of mobile Internet; on the other hand, cellular mobile operators may hardly meet the demand of mobile users and the rapid growth of mobile traffic with their current investment plans on network deployment [1]. Meanwhile, various wireless technologies (e.g., IEEE 802.11n, Wifi, Bluetooth, ZigBee, etc.) are evolving quickly and becoming popular as well. The shipment of electronic products with embedded WLAN capabilities surpassed 1 billion in 2011 and is expected to surpass 2 billion in 2015 [2]. These types of local/personal wireless networks together with cellular networks form a heterogeneous mobile environment. In such an environment, mobile users would like to access mobile services anytime and anywhere. Figure 1 shows a heterogeneous wireless network.
Figure 1. Cellular/WLAN heterogeneous mobile networks
A typical advanced mobile user would expect mobile operators/mobile service providers to offer mobile services with the following key requirements:
• Always on-line: this arises from the nature of Internet services, which are accessible anytime.
• Seamless roaming: since mobile users are moving from place to place, seamless roaming is a key issue, especially for delay-critical services such as voice, video, and so on.
• Broadband access: various attractive mobile services (e.g., video, voice, map) have triggered a dramatic increase in mobile traffic. Providing broadband access for mobile users is a necessity of the future mobile Internet.
• Security and privacy: mobile networks and mobile services should always ensure a certain level of security and protect the data privacy of mobile users.
• User experience: user experience is becoming essential in service offering. It is affected by numerous subjective and objective factors.
However, the above requirements can hardly be met in a heterogeneous mobile environment. For example:
• Seamless roaming is difficult in such an environment. This involves two parts: one is roaming among local wireless networks; the other is roaming between WLAN and cellular networks. For the former, a number of mechanisms have been proposed but are hardly applied, for many reasons [3]. For the latter, there are already standards proposed by 3GPP, but they are not yet widely deployed. We discuss the issue in Section 2.
• Broadband access is difficult. For example, a mobile user is watching a high definition video through a WLAN. When he/she moves out of the WLAN and has to switch to a 2G/3G network, the mobile network may not offer the same speed at that time. This issue becomes more serious when a large number of mobile users are moving between WLAN and mobile networks. The dynamics of mobile traffic may heavily degrade the performance of mobile services.
• Security and privacy are problematic in the heterogeneous mobile network too. Since cellular networks are well standardized and normally operated by a relatively small number of operators in a region, security and privacy are normally well treated. In contrast, WLAN networks can be operated by a large number of parties that may not apply good security and privacy practices. Many WLAN operators have no agreement with other mobile operators and thus cannot support interworking and roaming between them.
978-0-7695-4600-1/11 $26.00 © 2011 IEEE DOI 10.1109/TrustCom.2011.117
In this paper, we focus on solving the interworking and roaming issue in the heterogeneous environment. We adopt the concept of cloud computing to build up a trusted identity management system. The system provides a flexible and generic architecture to carry out authentication and authorization among heterogeneous mobile networks. The system aims to ease the adoption of seamless roaming in such an environment. Furthermore, the system can provide advanced features to improve user experience based on network statistics; e.g., when several WLAN networks are available, the system can provide information about the specification and performance history of the networks, so as to help select the best WLAN network. Note that the system does not solve all of the issues mentioned above; the remaining ones could be addressed separately.
Meanwhile, cloud computing is becoming a promising technology that has changed the architecture of IT infrastructure and service offering, e.g., Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), etc. Cloud computing offers a number of advantages such as scalability, agility and cost reduction in comparison with traditional IT infrastructure [10]. In particular, cloud computing is seen as the future of mobile [11]. Research work on cloud computing covers various aspects such as cloud computing architecture, middleware design, cloud services and resource management [12]. In this paper, we present a novel solution that applies cloud computing technology to solve the WLAN/Cellular integration issue. To the best of our knowledge, we have not seen similar work.
The rest of the paper is organized as follows. Section 2 gives a brief overview of related work. Section 3 introduces the architecture of the system and Section 4 describes the procedures on data handling and roaming requests. The conclusions and future work are given in the last section.
II. RELATED WORK
For the interworking between cellular and Wifi networks, 3GPP has specified two solutions: tight coupling and loose coupling [4]. Tight coupling specifies the rerouting of cellular network signaling through WiFi access networks. This makes the WiFi access network a de facto 3GPP RAN. The tight coupling solution requires significant integration work. The loose coupling solution utilizes Wifi networks to transfer IP data between a mobile device and the operator’s core network through a WiFi access. With loose coupling, the only integration point between the networks is a common authentication framework.
The roaming between Wifi and cellular networks has also attracted academic attention. Some studies focus on WLAN/cellular integrated networks [5-7]. Guo et al. proposed a seamless and proactive end-to-end mobility solution for roaming across heterogeneous wireless networks [5]. The proposed system integrates a connection manager that intelligently detects the condition of the wireless networks and a virtual connectivity-based mobility management scheme that maintains connection continuity using the end-to-end principle. Shi et al. proposed a service-agent-based roaming architecture for heterogeneous mobile networks [6]. The proposed system does not require the inefficient peer-to-peer roaming agreements to support seamless user roaming between WLAN hotspots and cellular networks. Lim proposed an architecture for seamless 3G/WLAN roaming [7]. However, the proposed solutions are quite complicated, which requires relatively high effort from cellular operators and WLAN providers to cooperate on integration work. Other studies focus on roaming for public WLANs [8-10]. Lin et al. proposed a novel localized authentication scheme for WLAN roaming [8]. Huhtanen [9] presented the application of the Radius authentication framework for WLAN roaming across education networks. However, the proposed system is hierarchy based, which is inflexible and complicated. In summary, the existing solutions can hardly meet the new demand of the rapidly growing mobile Internet. Novel solutions are needed.
III. CLOUD-BASED TRUSTED IDENTITY MANAGEMENT SYSTEM FOR WLAN/CELLULAR ROAMING
A. System architecture
This section presents the cloud-based trusted identity management system for WLAN/Cellular roaming. The system mainly solves the authentication and authorization issue during roaming. Figure 2 shows the system architecture.
Figure 2. System architecture of cloud-based trusted identity management (figure not reproduced; it shows a Home WLAN, a Visiting WLAN, a Visiting Cellular network and a Home cellular network, each with mobile devices, access points or base stations, access controllers or BS controllers, and a Home Agent/AAA, Foreign Agent/AAA, VLR/AAA or HLR/AAA, all connecting through the Cloud API to the cloud based identity management system (AAA), alongside a 3rd party identity management system (AAA))
As shown in the figure, WLAN networks and cellular networks connect to the cloud-based identity management system to perform authentication, authorization and accounting (AAA) for WLAN/cellular roaming. The system defines a set of cloud APIs to provide AAA as a service, and can support various authentication methods by defining different APIs. The system has several advantages:
• The system is cloud based, so it can scale well from a local area to global scale. This provides an economical and efficient way for numerous WLAN providers to work together and with cellular operators.
• The system is designed for flexibility. It supports 802.11x and the Extensible Authentication Protocol (EAP) as well as the Universal Authentication Method (UAM). The system provides a set of APIs that can fulfill various requirements from different parties. Thus, the system can best fit into the heterogeneous mobile environment.
• The system can provide comprehensive features for operators/providers to improve quality of service and user experience. For example, the system can work with another cloud-based QoS-aware system that provides QoS information derived from network statistics. The design of that QoS-aware system is out of the scope of this paper; readers can refer to [13].
Meanwhile, in order to build up the system, there are several issues that must be addressed:
• The effort on the cellular side is relatively high, because cellular operators are normally not willing to develop equipment or integration by themselves. However, this view has changed steadily, since the convergence between mobile networks, IP networks and TV networks may affect the dominant position of mobile operators. Thus, mobile operators have to take more proactive actions; e.g., China Mobile announced its Big Cloud platform, Mobile Market, etc.
• Trust between the system and each WLAN provider or cellular operator must be set up. Generally, it is a concern for operators to use a cloud service for security purposes. We alleviate the problem in that the system does not store user information unless this is separately agreed with the operators. In this case, the system only provides basic information for operators/providers to find a suitable partner for roaming purposes. If a trust agreement is well established, the system can work as an intelligent broker to support the AAA service. In addition, secure tunnels are to be established between each pair of parties to ensure the security of communication.
This system differs from previous solutions mainly in two aspects:
• The system is based on cloud computing technology that can scale well. Previous solutions are normally complicated and limited to a specific environment.
• The system allows mobile devices to report network statistics data to the server side. By collecting the data, the system can build up a network map of WLAN and cellular networks. This approach is very different from the traditional telecommunication mechanism, but follows the practice of Internet services, where users play a key role in service offering and the growth of the services.
B. System description
Figure 3 shows the internal architecture of the system. As shown in the figure, the system is based on cloud computing technology, e.g., using virtual machines and cloud services, so that the system can scale well. On the application level, the system includes several key components: the Cloud API provides interfaces for external parties to access the system, e.g., via Radius/Diameter and EAP; the AAA Manager specifies the policies on WLAN/cellular roaming and replies to roaming requests; the Network Statistics Data Handler collects network statistics of WLANs and cellular networks and, in particular, allows mobile devices themselves to report network information; the Data Analyzer aggregates network statistics and derives the network topologies so as to support roaming; the Data Manager manages the rules for accessing the sensitive data so that the data is not disclosed to any irrelevant party.
Figure 3. Internal architecture (figure not reproduced; it shows the Management UI and Cloud API on top of the AAA manager, Data manager, Network statistics data handler and Data analyzer, running on Cloud services, Virtual machine and Data storage)
IV. PROCEDURES
In this section, we first explain the procedures of network statistics data handling, and then we depict the working flows of the system in the heterogeneous environment by giving different roaming scenarios.
A. Procedures of network statistics data handling
Figure 4. Procedures on data handling (figure not reproduced; it shows a Mobile device and the Identity Management System's Data handler, Data analyzer and Data storage, exchanging the messages Report network status, Store, Aggregate/data mining, Query best network and Respond best network AP)
Figure 4 shows the simplified procedures on data collection, analysis and usage. The figure does not depict the authentication procedures for roaming requests, which are described next.
B. Authentication procedures for roaming request
Figure 5 shows the working flow of a cellular->WLAN roaming request. Based on network statistics information, the Cloud ID system provides the best available WLAN AP to the mobile device. This approach reduces the time spent looking for suitable APs. Once the mobile device gets the AP, it sends an authentication request to the WLAN as foreign agent. The foreign agent can forward the request through the ID system to the 3G AAA server. As described earlier, the ID system may work as a broker. Once the authentication succeeds, the mobile device can set up a data connection via the foreign WLAN.
Figure 5. Cellular -> WLAN roaming request flow (figure not reproduced; it shows Mobile device, WLAN Foreign Agent, Cloud ID system and 3G AAA server exchanging Roaming request, Respond best WLAN AP, Auth Request (forwarded twice), Auth Response (returned twice) and finally Data connection)
Figure 6 shows the working flow of a WLAN->WLAN roaming request. The diagram is similar to Figure 5 except that the WLAN Home Agent replaces the 3G AAA server.
Figure 6. WLAN -> WLAN roaming request flow (figure not reproduced; same message sequence as Figure 5, with the WLAN Home agent in place of the 3G AAA server)
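As an added example (not code from the paper or its authors), the following Python simulation walks through the Figure 4 data-handling flow and the Figure 5/6 broker flow together: devices report network statistics, a roaming request is answered with the best AP, and the foreign agent's authentication request is relayed to the home AAA without the broker ever holding a credential. The message fields, the realm-based lookup of the home AAA and the scoring rule are my assumptions, not defined in the paper.

```python
from collections import defaultdict
from statistics import mean


class CloudIdSystem:
    def __init__(self, home_aaa):
        # home_aaa maps a realm to the home AAA's verify function: a 3G AAA
        # server in Figure 5, a WLAN home agent in Figure 6 (assumed lookup rule)
        self.home_aaa = home_aaa
        # statistics reported by mobile devices, keyed by AP id (Figure 4: Store)
        self.reports = defaultdict(list)

    def report_network_status(self, ap_id, rssi_dbm, throughput_mbps):
        # Figure 4: "Report network status" from a mobile device
        self.reports[ap_id].append((rssi_dbm, throughput_mbps))

    def best_ap(self, candidate_aps):
        # Figure 4: "Aggregate / data mining"; Figure 5: "Respond best WLAN AP".
        # Scoring rule is assumed: mean throughput, nudged by mean signal level.
        scores = {}
        for ap in candidate_aps:
            history = self.reports.get(ap)
            if history:
                scores[ap] = mean(t for _, t in history) + 0.1 * mean(r for r, _ in history)
        return max(scores, key=scores.get) if scores else None

    def relay_auth(self, foreign_agent, identity, credential):
        # Figure 5/6: forward the foreign agent's "Auth Request" to the home AAA.
        # The broker keeps no credential, matching the paper's decision not to
        # store user information unless separately agreed with the operator.
        realm = identity.rpartition("@")[2]
        home = self.home_aaa.get(realm)
        if home is None:
            return {"result": "reject", "reason": "no roaming agreement for " + realm}
        accepted = home(identity, credential)
        return {"result": "accept" if accepted else "reject", "foreign_agent": foreign_agent}


def roam_to_wlan(cloud, device, foreign_agent, candidate_aps):
    # One complete Figure 5/6 exchange: roaming request, AP selection, auth relay,
    # and the data connection that is only set up after an accepted response.
    ap = cloud.best_ap(candidate_aps)
    if ap is None:
        return {"result": "reject", "reason": "no statistics for candidate APs"}
    reply = cloud.relay_auth(foreign_agent, device["identity"], device["credential"])
    reply["ap"] = ap
    reply["data_connection"] = reply["result"] == "accept"
    return reply


# Constructed sample data: one home cellular AAA, one WLAN home agent, a few
# device reports for three candidate APs (all values made up for this example).
HOME_AAA = {
    "cellular.example": lambda ident, cred: cred == "3g-secret",
    "homewlan.example": lambda ident, cred: cred == "wlan-secret",
}
CLOUD = CloudIdSystem(HOME_AAA)
for _ap, _rssi, _mbps in [("ap-1", -70, 8), ("ap-2", -55, 20), ("ap-2", -60, 18), ("ap-3", -80, 3)]:
    CLOUD.report_network_status(_ap, _rssi, _mbps)
```

A realm with no entry in the broker's agreement table is rejected before any home AAA is contacted, which is the "no roaming agreement" case the paper's trust discussion implies.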
V. CONCLUSIONS AND FUTURE WORK
The rapid growth of mobile Internet brings a challenge to cellular network operators: their network investment can hardly meet the demand of the traffic increase. Meanwhile, high-speed WLANs have been widely deployed, which leads to a heterogeneous mobile environment. In this environment, mobile users would like to access mobile services seamlessly. This paper presents a novel trusted identity management system that can facilitate AAA for seamless roaming. The system is based on cloud computing technology and can scale well to a global scale. In particular, the system can collect network statistics data that can be used for improving network selection and roaming. Our future work will prototype the system and evaluate it in a real environment.
REFERENCES
[1]. K. Lee, I. Rhee, J. Lee, Y. Yi, S. Chong, “Mobile data offloading: how much can WiFi deliver?”, Proceedings of the ACM SIGCOMM 2010 conference on SIGCOMM, pp. 425-426
[2]. “Over 1 Billion Devices to have Embedded Wireless Networking”, ECN Magazine, 2011
[3]. Y. Matsunaga, A. S. Merino, T. Suzuki, R. H. Katz, “Secure Authentication System for Public WLAN Roaming”, ACM Mobile Networks and Applications, Volume 10, Issue 3, pp. 355-370, 2005
[4]. 3GPP TR 43.902, 2007
[5]. C. Guo, Z. Guo, Q. Zhang, W. Zhu, “A Seamless and Proactive End-to-End Mobility Solution for Roaming Across Heterogeneous Wireless Networks”, IEEE Journal on Selected Areas In Communications, Volume 22, Issue 5, pp. 355-370, 2004
[6]. M. Shi, H. Rutagenmwa, X. Shen, J. W. Mark, A. Saleh, “A Service-Agent-Based Roaming Architecture for WLAN/Cellular Integrated Networks”, IEEE Transactions on Vehicular Technology, Volume 56, Issue 5, pp. 355-370, 2007
[7]. C. Lim, D. Kim, O. Song, C. Choi, “SHARE: seamless handover architecture for 3G-WLAN roaming environment”, Wireless Networks, Volume 15, Issue 3, pp. 353-363, 2009
[8]. X. Lin, H. Zhu, P. Ho, X. Shen, “Two-factor Localized Authentication Scheme for WLAN Roaming”, IEEE International Conference on Communication (ICC), pp. 1172-1178, 2007
[9]. K. Huhtanen, “Utilizing eduroam™ architecture in building wireless community networks”, TERENA Networking Conference, 2008
[10]. T. Smura, “Roaming considerations for the Finnish Public WLAN Market”, Innovation Dynamics in Mobile Communications, pp. 35-41, 2005
[11]. S. Perez, “Why Cloud Computing is the Future of Mobile”, http://www.readwriteweb.com/archives/why_cloud_computing_is_the_future_of_mobile.php, August 2009
[12]. T. Dillon, C. Wu and E. Chang, “Cloud Computing: Issues and Challenges”, 24th IEEE International Conference on Advanced Information Networking and Applications, April 2010
[13]. P. Zhang, Z. Yan, “A QoS-aware system for mobile cloud computing”, IEEE International Conference on Cloud Computing and Intelligence System, Beijing, September 2011