Toward Efficient Mobile Authentication in Wireless Inter-domain
Hahnsang Kim 1, Walid Ben-Ameur 2, and Hossam Afifi 1
1 INRIA, 2004 Route des Lucioles BP 93, 06902 Sophia Antipolis, France
2 INT, 9 rue Charles Fourier, 91011 Evry, France
Abstract
Many hierarchical mobility schemes have been proposed for the Internet. They all seek to improve the hand-off, especially when the mobile terminal is moving relatively far from its point of attachment. Some simulations have been presented for their models, but none has addressed security problems. Moreover, these solutions address only the improvement of mobility without studying the impact of authentication, yet authentication is part of security and is mandatory in such schemes. This work introduces a mobile authentication mechanism for wireless inter-domain mobility that reduces the authentication exchange delay. The mechanism introduces the AAA broker, which plays the role of an auxiliary AAA server in the authentication procedures. We first design a binary-based authentication model for our AAA architecture and present a function that minimizes the total authentication exchange cost in order to lessen the authentication exchange delay. The paper also reports evaluation results that show the efficiency of our mobile authentication method for wireless inter-domain.
1 Introduction
The IETF AAA Working Group (1) has worked for several years to establish a general model for Authentication (the act of verifying a claimed identity), Authorization (the act of determining whether a particular right can be granted) and Accounting (the act of collecting information on resource usage). These principles are applicable to all kinds of networks, in particular to the next generation wireless infrastructures targeted at public networks such as UMTS and CDMA-2000 [1] as well as local area networks like IEEE 802.11 [2]. Several protocols in the AAA Working Group have been tested and elected, yet no care has been taken of the authentication latency likely to result from the many exchanges needed. Let us take an overall look at the potential delays each time the mobile terminal gets access to a new AP. They involve, first, the computational delay of each authentication message, which requires key generation or the computation of cryptographic algorithms; second, the media access delay due to messages sent by other NICs (Network Interface Cards); and third, the authentication exchange delay due to the long distance between an AP and an authentication center. Computational delay strongly depends on the power of the workstation as well as on the cryptographic algorithm. For example, encrypting one byte with RC5 [3] and with DES (Data Encryption Standard) needs 23 and 45 clock cycles, respectively, on a Pentium [4]. So, in general, it takes 23 ms and 45 ms to encrypt a 1000-octet packet with DES and with RC5, respectively, on a 1 GHz Pentium. Looking at media access delay, when a 1500-octet packet arrives at an AP at 11 Mbps while it is processing an association response, a 1.1 ms delay is caused between packets, and 2 ms and 6 ms delays occur at 6 Mbps and 2 Mbps, respectively. Thus, for 10 message exchanges, media access delay alone takes 10 ms up to 60 ms [5]. For authentication exchange delay, it takes 22 ms to 25 ms to authenticate a single user with a challenge-MD5 algorithm, and if the authenticator and the corresponding authentication center are as much as 10 ms of round-trip time apart for an authentication packet, the total authentication procedure for a 4-way handshake takes 42 ms to 45 ms [6]. Accordingly, each of the potential delays needs to be improved.
(1) See URL: http://www.ietf.org/html.charters/aaa-charter.html
In particular, the authentication exchange may suffer a significant delay proportional to the distance involved. In previous work [6], we presented a new AAA authentication mechanism that overcomes the authentication exchange delay in a mobile 'intra-domain' by introducing an 'AAA broker' located as close as possible to the authenticator. We also confirmed a significant time gain, growing with the distance between them. In this paper, we extend the AAA mobile authentication method of that work to the wireless 'inter-domain' case. Whenever a mobile terminal moves from one domain to another, an AAA broker is expected to be located across the two domains to lessen the latency of message exchanges. This work presents a cost minimizing function which allows one to determine mathematically the optimum position for the AAA broker, based on the Binary-Based Authentication (BBA) model, and analyzes it with respect to the number of traversed APs. It also reports results showing that the optimum position is not heavily affected by a growing number of traversed APs, and that it enables a single AAA broker to manage a constant number of APs with optimization, which minimizes the total authentication exchange cost. The rest of the paper is organized as follows. Section 2 provides an overall look at the three-layer authentication mechanism in terms of intra-domain and inter-domain. Section 3 presents the BBA model and looks into the optimum positions for AAA brokers on the BBA model, which allows for minimizing the total authentication exchange cost. Section 4 analyzes the evaluation of the optimization, and section 5 concludes the paper and discusses future work.
2 Overview
In this section we introduce the three-layer AAA authentication mechanism and the authentication procedures in inter-domain.
2.1 Three-layer AAA Authentication Mechanism
Our previous work [6] presented the three-layer AAA authentication mechanism composed of the AAA server (an authentication center), the AAA broker (a mediator), and the AAA client (a terminal front end).
• AAA Server: serves as the authentication center. It manages the database of all users' information such as IDs, secret keys and the corresponding allowed resources. It generates a set of AV (Authentication Vector) pairs and may authenticate users with them. It is authorized to elect one of the AAA brokers located in the middle of the authentication procedure.
• AAA Broker: serves as an auxiliary AAA server. It is selected by the AAA server to participate in the authentication procedure. It is not permitted to generate AVs, but it is able to store AVs sent by the AAA server. It is authorized to challenge the MN and verify whether it is to be granted permission. It inherits all the allowances of proxy agents [7] to enforce policies.
• AAA Client: serves as a terminal server such as a NAS (Network Access Server) for PPP access or an Access Point router for IEEE 802.11 networks. It is the front end of the security associations established for the authentication procedure.
The operation of the three-layer mechanism is as follows. The AAA server generates a set of AV pairs, each of which consists of an ID identifying the mobile terminal or user, a random token to challenge the user, and the expected response used to authenticate the user. When no AAA broker exists, the AAA server may verify a user's authenticity by matching the expected response with the response made by the user. The AAA broker is elected among the proxy agents qualified to serve as an auxiliary AAA server. It stores the AVs sent by the AAA server and challenges the user with a token extracted from one of the stored AVs. The AAA client computes the token with its secret key to generate and send a response. On receipt of the challenge response, the AAA broker verifies whether it matches the expected response. The terminal finally receives the reply with a success/reject message. When the mobile terminal arrives at a new AP within the intra-domain and requests reauthentication, the AAA broker challenges it with one of the remaining AVs and verifies its authenticity. We see that the reauthentication request is not forwarded to the AAA server but handled by the AAA broker instead. This method shows good performance compared with conventional AAA methods like EAP/Diameter in an environment where the AAA client and the AAA server are geographically far apart and the AAA broker is in the same domain as the AAA client [6]. However, if the terminal moves frequently over different domains, the AAA broker should be relocated to cope with reauthentication for inter-domain. Accordingly, the performance of mobile authentication in inter-domain depends on where the AAA broker is best located.
2.2 Authentication in Inter-Domain
Figure 1 describes the authentication procedures for an MN moving in inter-domain. When the MN enters a new domain (a), it requests reauthentication from the AAAH via the AAA broker and the m-AAA broker (the AAA broker located in the middle of the authentication procedure). The two AAA brokers participate in the election of a primary AAA broker for this authentication procedure (1). In this case, the AAA server selects the m-AAA broker as the primary one, with the help of the exchange cost minimizing function presented in the following section, and sends it a set of newly generated AVs. On receipt of the AVs, the m-AAA broker challenges the MN with one of them and verifies its response (2). When the MN arrives at another new AP in the same domain (b), reauthentication is performed by the m-AAA broker (3), (4). If the MN moves to yet another new domain (c), it requests reauthentication in the same way as in (1) (5). In this case, it is the m-AAA broker that handles this reauthentication request, since it still holds valid AVs of the MN (6), which is also determined by the cost minimizing function. Accordingly, the key point for efficient authentication in inter-domain is how well the primary AAA broker is elected. That is, the authentication performance strongly depends on where the primary AAA broker over the domains is located.
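As an added illustration, not code from the paper, the following Python model plays out the three-layer challenge-response procedure of Sections 2.1 and 2.2 with a single broker: the AAA server generates AV pairs, the broker stores them and serves reauthentication at each new AP from its remaining AVs, and the AAAH is contacted again only when the broker's AVs run out. The response function (HMAC-SHA256 over the token with the shared secret), the AV batch size and the sample user are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class AV:
    """Authentication vector: user ID, random challenge token, expected response."""
    user_id: str
    token: bytes
    expected: bytes


def make_response(secret: bytes, token: bytes) -> bytes:
    # Assumption: the paper does not fix the response function, so HMAC-SHA256
    # over the token with the user's secret key stands in for it here.
    return hmac.new(secret, token, hashlib.sha256).digest()


class AAAServer:
    """Authentication center: owns the user database and generates AVs."""
    def __init__(self, users: dict):
        self.users = users      # user_id -> shared secret key
        self.contacts = 0       # number of requests that reached the server

    def generate_avs(self, user_id: str, count: int) -> list:
        self.contacts += 1
        secret = self.users[user_id]
        avs = []
        for _ in range(count):
            token = os.urandom(16)
            avs.append(AV(user_id, token, make_response(secret, token)))
        return avs


class AAABroker:
    """Auxiliary server: stores and uses AVs from the server, never generates them."""
    def __init__(self):
        self.stored = {}        # user_id -> list of unused AVs

    def store(self, avs: list) -> None:
        for av in avs:
            self.stored.setdefault(av.user_id, []).append(av)

    def has_avs(self, user_id: str) -> bool:
        return bool(self.stored.get(user_id))

    def challenge(self, user_id: str) -> AV:
        return self.stored[user_id].pop(0)   # each AV is consumed exactly once

    def verify(self, av: AV, response: bytes) -> bool:
        return hmac.compare_digest(av.expected, response)


class MobileNode:
    def __init__(self, user_id: str, secret: bytes):
        self.user_id, self.secret = user_id, secret

    def respond(self, token: bytes) -> bytes:
        return make_response(self.secret, token)


def authenticate(mn: MobileNode, broker: AAABroker, server: AAAServer, batch: int) -> bool:
    """One (re)authentication at a new AP; the AAA client only relays messages,
    so it is folded into this call path."""
    if not broker.has_avs(mn.user_id):       # no valid AVs left: ask the AAAH
        broker.store(server.generate_avs(mn.user_id, batch))
    av = broker.challenge(mn.user_id)
    return broker.verify(av, mn.respond(av.token))


def simulate_roaming(n_aps: int, batch: int = 5, wrong_key: bool = False):
    """Returns (successful authentications, server contacts) over n_aps hand-offs."""
    server = AAAServer({"mn1": b"shared-secret-mn1"})   # constructed sample user
    broker = AAABroker()
    key = b"wrong-key" if wrong_key else b"shared-secret-mn1"
    ok = sum(authenticate(MobileNode("mn1", key), broker, server, batch)
             for _ in range(n_aps))
    return ok, server.contacts
```

With a batch of 5 AVs, ten hand-offs reach the server only twice; a terminal holding the wrong secret is rejected at every AP without the server being asked more than once.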
3 Optimization
We begin this section with the description of a binary-based model for the three-layer AAA authentication mechanism. We then present the cost minimizing function that allows one to calculate the optimum point for the AAA broker on this model. The binary-tree based model, which we chose among several available types of topology, is suitable as a first step for realizing our three-layer AAA authentication mechanism. Yet it needs to be generalized into a 2-3 tree or further n-tree based model, an effort which will be part of future work.
3.1 Binary-Based Authentication Model
As shown in Figure 2, the Binary-Based Authentication model (BBA model) is a binary tree-based three-layer authentication architecture consisting of three entities: the AAA server on top of the tree, the AAA brokers or proxy/relay agents in the middle, and the AAA clients or APs at the bottom. AAA clients here can be on the same level as the APs; otherwise, they are located above the APs. A terminal node is followed by the next one in time-sequence order. In addition, the MN is assumed to traverse APs at a constant speed. The authentication exchange cost between any two adjacent nodes is assumed to be 1, so the cost of exchanging an authentication message between nodes two levels apart is 2. The constant N is the maximum cost, which corresponds to an authentication exchange from a terminal node to the top. Parameter L represents the number of terminal nodes traversed and parameter P represents the number of visited groups, obtained by dividing L as the MN moves forward. A group is a set of terminal nodes managed by a single AAA broker; given the number of terminal nodes in a group, the level of the AAA broker's position, nx, is determined. Accordingly, the cost minimizing function presented in the following computes an optimum P which minimizes the total exchange cost.
Figure 1: Mobile Authentication in Inter-domain
Figure 2: Description of Parameters on BBA Model
3.2 Formula for Optimization
Let us now look into the total exchange cost for (re)authentication each time the MN traverses APs. Two cases are possible: in the first, an AAA broker exists in the middle of the authentication procedure and the terminal nodes it manages form a group, a broker-based subtree; in the second, the AAA broker is the AAA server itself, that is, no broker takes part in the authentication procedure. The exchange cost for L traversed APs in the first case is
$$(L - 1)\frac{\ln L}{\ln 2} + N, \qquad (1)$$
where $\frac{\ln L}{\ln 2}$ is the cost of an exchange from the terminal nodes of L to the AAA broker, which corresponds to the height of the broker-based subtree composed of L, and N is the maximum cost of an exchange from a terminal node to the top of the whole tree, that is, from an AP to the AAA home server. The exchange cost in the second case is
$$N \times L. \qquad (2)$$
All the messages from L have to go to the top of the whole tree, the AAA home server, and take the maximum cost N, because no broker exists in this authentication procedure for the whole L of traversed APs. Thus, equation (2) is the cost of the conventional authentication method. In general, if L is divided into P pieces, $L = L_1 + L_2 + \dots + L_P$, each of which is managed by a single broker, the total exchange cost for L is
$$(L_1 - 1)\frac{\ln L_1}{\ln 2} + \dots + (L_P - 1)\frac{\ln L_P}{\ln 2} + PN,$$
and if the convex function $f(x)$ is defined as $f(x) = (x - 1)\frac{\ln x}{\ln 2}$, Jensen's inequality for a convex function gives
$$f(L_1) + f(L_2) + \dots + f(L_P) + PN \;\ge\; P\,f\!\left(\tfrac{1}{P}\,(L_1 + L_2 + \dots + L_P)\right) + PN.$$
By the fact that $L_1 + L_2 + \dots + L_P = L$, we deduce that
$$f(L_1) + f(L_2) + \dots + f(L_P) + PN \;\ge\; P\,f\!\left(\tfrac{L}{P}\right) + PN,$$
which is a lower bound of the total exchange cost. Moreover, this lower bound is achieved if $L_1 = L_2 = \dots = L_P = \frac{L}{P}$. So, if P is fixed and all P pieces are of equal size, the total exchange cost is minimized. Therefore, given the L traversed APs and the maximum cost N, the cost minimizing function with respect to P is
$$f_C(P) = (L - P)\frac{\ln\frac{L}{P}}{\ln 2} + PN. \qquad (3)$$
Equation (3) reduces to the first case (1) with P = 1 and to the second case (2) with P = L. As a result, given the L traversed APs and the maximum cost N, minimizing the total exchange cost depends on how well L is partitioned into P groups; the task is therefore to find the P that minimizes equation (3).
3.3 Analysis
We now intend to find a P approximating the optimum P which minimizes the total authentication exchange cost of equation (3). The approximation proceeds as follows. The derivative of $f_C(P)$ with respect to P is
$$f'_C(P) = N + \frac{-\ln\frac{L}{P} + 1 - \frac{L}{P}}{\ln 2},$$
and the second derivative is
$$f''_C(P) = \frac{\frac{1}{P} + \frac{L}{P^2}}{\ln 2},$$
which is strictly positive. It means that the first derivative $f'_C(P)$ is an increasing function. Then, let us consider $f'_C(1) = N + \frac{1 - \ln L - L}{\ln 2}$ at P = 1 as a base case. If $f'_C(1) \ge 0$, then $f'_C(P) > 0$ for any P > 1, since $f'_C(P)$ is increasing, which implies that $f_C(P)$ is also an increasing function. That is, P = 1 gives the minimum value of $f_C(P)$, and this holds only if $f'_C(1) \ge 0$, i.e., $N \ge \frac{L - 1 + \ln L}{\ln 2}$. If $N < \frac{L - 1 + \ln L}{\ln 2}$, there exists a value of P satisfying $f'_C(P) = 0$, which implies
$$N \ln 2 = \ln\frac{L}{P} + \frac{L}{P} - 1.$$
Considering that $\ln\frac{L}{P} \ll \frac{L}{P}$, we deduce the approximation $\frac{L}{P} \approx 1 + N \ln 2$. Accordingly, the approximated P which minimizes the function $f_C(P)$ is
$$P \approx \begin{cases} \dfrac{L}{1 + N \ln 2} & \text{for } N < \dfrac{L - 1 + \ln L}{\ln 2} \\[2ex] 1 & \text{for } N \ge \dfrac{L - 1 + \ln L}{\ln 2}, \end{cases} \qquad (4)$$
where N is greater than $\frac{\ln L}{\ln 2}$, the height of a broker-based subtree, since N is the height of the whole tree. That is, the approximated P is $\max\!\left(\frac{L}{1 + N \ln 2},\, 1\right)$.
Next, let us look into the gain of our method over the conventional authentication method in terms of the total exchange cost. The gain is the difference of the two costs,
$$G = f_C(L) - f_C(P) = (L - P)\left(N - \frac{\ln\frac{L}{P}}{\ln 2}\right).$$
If $N < \frac{L - 1 + \ln L}{\ln 2}$, then P is replaced by the approximated $\frac{L}{1 + N \ln 2}$ and the gain G is
$$G \approx \left(L - \frac{L}{1 + N \ln 2}\right)\left(N - \frac{\ln(1 + N \ln 2)}{\ln 2}\right) \approx \frac{L\,(N \ln 2 - \ln(N \ln 2))}{\ln 2}.$$
We see that the gain of our method increases as either L or N increases. If $N \ge \frac{L - 1 + \ln L}{\ln 2}$, then P is replaced by the approximated 1 and the gain G is
$$G \approx (L - 1)\left(N - \frac{\ln L}{\ln 2}\right) \approx (L - 1)N,$$
which also increases as either L or N increases. Consequently, the higher L or N, the more authentication time our method gains.
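The cost model of Sections 3.2 and 3.3 worked through in Python, as an added example that is not the paper's own code: f_C(P) of equation (3), its derivative, the threshold (L - 1 + ln L)/ln 2, the approximated P of equation (4), the gain G and the broker level log2(L/P). The brute-force scan over integer P for the optimum is my addition; the paper gives only the closed-form approximation.

```python
import math

LN2 = math.log(2)


def total_cost(L: int, P: float, N: float) -> float:
    """Eq. (3): f_C(P) = (L - P) ln(L/P)/ln 2 + P N, the total exchange cost when
    the L traversed APs are split into P equal groups, one broker per group."""
    return (L - P) * math.log(L / P) / LN2 + P * N


def d_cost(L: int, P: float, N: float) -> float:
    """First derivative f'_C(P) = N + (1 - ln(L/P) - L/P)/ln 2."""
    return N + (1 - math.log(L / P) - L / P) / LN2


def threshold(L: int) -> float:
    """N at which f'_C(1) = 0, i.e. (L - 1 + ln L)/ln 2; at or above it P = 1 is optimal."""
    return (L - 1 + math.log(L)) / LN2


def approx_p(L: int, N: float) -> float:
    """Eq. (4): P ~ L/(1 + N ln 2) below the threshold, else 1."""
    return 1.0 if N >= threshold(L) else L / (1 + N * LN2)


def optimal_p(L: int, N: float) -> int:
    """Integer P in [1, L] minimising f_C; f_C is convex in P, so a scan suffices.
    (Added check, not in the paper.)"""
    return min(range(1, L + 1), key=lambda P: total_cost(L, P, N))


def gain(L: int, P: float, N: float) -> float:
    """G = f_C(L) - f_C(P): cost saved against the conventional method (P = L)."""
    return total_cost(L, L, N) - total_cost(L, P, N)


def gain_ratio(L: int, P: float, N: float) -> float:
    """Fraction of the conventional cost N*L that is saved."""
    return gain(L, P, N) / total_cost(L, L, N)


def broker_level(L: int, P: float) -> float:
    """Height of a broker-based subtree holding L/P APs, i.e. log2(L/P)."""
    return math.log2(L / P)
```

For L = 1000 the scan puts the optimum near P = 109 at N = 15 (about a 70% saving) and at P = 1 once N exceeds the threshold of about 1451, matching the two regimes of equation (4).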
4 Results/Evaluation
This section reports results obtained by evaluating the cost function of equation (3) and by comparing the approximated P of equation (4) with the optimized P, calculated for the given parameters L and N. It shows not only the good performance of our method compared with a conventional authentication method, but also that P is well approximated. Figure 3 shows the evaluation results where, given L = 2000 traversed APs, the total exchange cost is calculated as the maximum cost N grows, for a variety of P. Three kinds of P are measured: OptP, the optimized P computed for the given L and N; the approximated P, which is L/(1 + N ln 2) or 1; and values of P greater than 1. Looking at the approximated P, for N ≥ (L − 1 + ln L)/ln 2 the plot for P = 1 obviously matches the optimized curve of OptP. It is observed that P = L/(1 + N ln 2) apparently produces a lower total exchange cost than OptP there, but this is meaningless because the value of P = L/(1 + N ln 2) becomes less than 1. For N < (L − 1 + ln L)/ln 2, the curve generated by the approximated P closely follows the optimized curve. For example, in the case of N < 1000, the two curves almost match, which means that the approximated P can be substituted for the optimization. For N ≥ 1000, a small difference between the approximated P and OptP is found, which can be absorbed when compared with P = 2 and P = 3. For P > 1, some points close to OptP are found at N = 1300, but others cause a huge exchange cost.
[Figure 3 plot: Fc (total exchange cost, ×10^4) against N (a maximum cost, 0 to 10000) at L = 2000; curves for Opt P, P = L/(1 + N ln2), P = 1, P = 2 and P = 3, with the boundary N = (L−1+lnL)/ln2 marked.]
Figure 3: Comparison of Cost with a growing N with respect to a variety of P at L = 2000
Figure 4 shows the performance comparison between the total exchange costs computed by a non-optimizing conventional method and by our optimizing method with a 4-way handshake. The conventional challenge-response based authentication method requires all requests to arrive at the AAA server, which takes the maximum cost for every request, corresponding to the case of P = L. We measured and compared the total exchange cost of each method as the L of traversed APs increases. We see that our optimizing method has an enormous effect on the gain in authentication cost, and the difference grows with the maximum cost N. In addition, we also confirm that the approximated P brings the same effective result as OptP. For example, given L = 1000, at N = 15 a 70% gain in authentication cost is obtained, and at N = 1500 it reaches 99%. Figure 5 shows the comparison of the optimum positions for the AAA brokers computed with the approximated P and with OptP. Looking at the cases N = 15 and N = 30, it is interesting that the level of the broker stays constant at around three and four regardless of the increasing L of traversed APs, and also that the approximated P follows OptP well. In other words, acceptable approximation results are observed. For N = 15, the 2.5 level given by the approximated P means the AAA broker is deployed at level 3 in practice, which is the same level as given by OptP. In addition, we confirm that the optimum positions for the AAA brokers are kept constant in spite of the increase of traversed APs. In other words, the optimum position for the AAA broker is predictable regardless of how many APs have been passed or will be visited ahead.
[Figure 4 plots: Fc (total exchange cost) against L (# of traversed APs, 0 to 2000) for N = 15, N = 30, N = 1500 and N = 8000, with curves for P = L (conventional), Opt P, P = L/(1 + N ln2) and P = 1.]
Figure 4: Cost Comparison with a growing L with respect to P and N
[Figure 5 plots: log2(L/P), the level of the broker, against L (# of traversed APs, 0 to 2000) for N = 15, N = 30, N = 1500 and N = 8000, with curves for Opt P and P = L/(1 + N ln2).]
Figure 5: Evaluation of Optimum position for the AAA broker
5 Conclusions
Authentication exchange delay is critical in wireless networks since the acceptable hand-off latency for real-time services is limited. This work mathematically studies the optimization of mobile authentication, in particular for wireless inter-domain. It reports results showing that our authentication method on the binary-based model improves tolerance of authentication exchange latency by finding the optimum position for the AAA broker, calculated with the help of the cost minimizing function. In addition to the function, we presented the analysis of an approximation to the optimum, which gives a good estimate of the optimum position for the AAA broker. Evaluation results show that the optimum level of the AAA broker, once determined, stays constant and is not heavily affected by the number of traversed APs in inter-domain. Our method for the total exchange cost thus absorbs the impact of the distance between the authenticators and the authentication center. Our future work will deal with two aspects. One is to improve the adaptability of our authentication method by generalizing the authentication model to a 2-3 tree or further n-tree based one. The other is to fortify the security level of our scheme. As briefly mentioned at the end of section 2, to determine the validity of old AVs, we expect to apply lifetime settings including the desired start time, the requested expiration time, and the requested renew-till time.
Acknowledgments
This research was supported by the @IRS++ project associated with RNRT and VTHD++.
References
[1] "Wireless IP Network Standard," in 3GPP2 P.S0001-B. 3rd Generation Partnership Project 2 (3GPP2), Oct. 2002.
[2] "Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications," in ANSI/IEEE Std 802.11: 1999(E). ISO/IEC 8802-11, 1999.
[3] R. Rivest, "The RC5 Encryption Algorithm," in 2nd Workshop on Fast Software Encryption. Springer-Verlag, Dec. 1994.
[4] W. Stallings, Cryptography and Network Security: Principles and Practice, ISBN 0-13-869017-0. Prentice-Hall, 1999.
[5] N. Cam-Winget, D. Smith, and K. Amann, "Proposed new AKM for Fast Roaming," in doc.: IEEE 802.11-03/008r0. IEEE 802.11 Working Group, Jan. 2003.
[6] H. Kim and H. Afifi, "Improving Mobile Authentication with New AAA Protocols," in IEEE International Conference on Communications 2003 (ICC'03), Anchorage, USA, May 2003.
[7] D. Mitton et al., "Authentication, Authorization, and Accounting: Protocol Evaluation," RFC 3127, June 2001.