Trust-Based Fast Authentication for Multiowner Wireless Networks

IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 7, NO. 2, FEBRUARY 2008

Jahan Hassan, Member, IEEE, Harsha Sirisena, Senior Member, IEEE, and Björn Landfeldt, Senior Member, IEEE

Abstract—In multiowner wireless networks, access points (APs) are owned and operated by different administrations, leading to significant authentication delays during handoff between APs. We propose to exploit the trust between the owners of neighboring APs for reducing the authentication delay. In the proposed authentication scheme, neighboring APs that trust each other share the security key for the visiting node to avoid lengthy authentication routines each time the visiting node switches APs. The performance of the proposed trust-based authentication scheme is evaluated using a Markov model. Using numerical experiments, we first study a basic scenario where mobile nodes are not aware of the trust networks that exist in a given neighborhood. Subsequently, we consider an advanced scenario where a mobile node functionality is augmented to discover the trust network so as to minimize roaming beyond the trusted APs. We find that, even with the basic implementation, the average number of full authentications needed for a roaming mobile reduces linearly as the likelihood of two neighboring APs trusting each other increases. With the advanced implementation, our experiments show that quadratic reduction is achieved. The Markov model is validated using discrete event simulation.

Index Terms—Fast authentication, IEEE 802.11, interdomain authentication, handoff, Markov models.

1 INTRODUCTION

WIRELESS Local Area Networks (WLANs) are rapidly becoming a core part of the enterprise network access. The IEEE 802.11 standardization has led to vendor interoperability and rapidly plummeting prices, making wireless access an economically tantalizing alternative to wired access. Currently, enterprise deployment incorporates support for mobility between access points (APs), as well as security and monitoring solutions. Mobility introduces a new set of problems not present in a wired infrastructure due to handoffs between network APs. The implication of having to undergo frequent handoffs to different APs is that, for communication security, the IEEE 802.11 standard requires the mobile node (MN) to undergo a full authentication process each time that it wants to connect to a new AP (nAP). The recent security ratifications from the IEEE Task Group i (TGi) defined several security remedies for WLANs in the standard IEEE 802.11i [1]. The full authentication involves the use of the 802.1X port-based access control mechanisms, as well as authentication-based key derivation [2]. An authentication, authorization, and accounting (AAA) server such as the Remote Authentication Dial-In User Service (RADIUS) [3], [4] is to be used for authentication and key derivation. Following a successful authentication, the MN and the AP are to undertake a four-way handshake protocol for deriving various keying materials. A keying material derived this way is then used in the encrypted (secure) communication sessions between an AP and the MN. Thus, the four-way handshake, which does not involve the AAA server, is a must in each secure association of an MN to the AP and cannot be avoided.

The authentication process suggested in the 802.11i ratifications using the Extensible Authentication Protocol (EAP) over Transport-Layer Security (TLS) [2] can introduce significant handoff delays as it involves the exchange of a round of messages between the MN and the AAA server via the AP. It has been shown that a full EAP-TLS authentication (that is, the full authentication) can take as long as 1.1 seconds [5], which is unacceptable to real-time services such as voice calls. The delay can only increase when the AAA server is located at the ISP's site, which is topologically far from the AP site. This can be detrimental to real-time applications such as VoIP, especially in frequent handoff scenarios.

Although the most commonly addressed handoffs are among the APs belonging to the same Extended Service Set (ESS) and the same administrative domain, handoffs within a single domain might not always be the case. There are possible scenarios where different service providers would collaborate to provide continuous connectivity to roaming users for supporting seamless services. In addition, IEEE 802.11 has led to price levels that are suitable for the mass consumer market. This has caused an explosive trend in the deployment of residential gateways (RGs) for home networking. It is predicted that the market for the RG hardware will reach $4.7 billion worldwide by 2005 [6]. The RGs combine the capability of fast data routing between a home network and the Internet, wireless access, and processing power.

J. Hassan is with the Advanced Networks Research Group, School of Information Technologies, University of Sydney, NSW 2006, Australia. E-mail: [email protected].
H. Sirisena is with the Department of Electrical and Computer Engineering, University of Canterbury, Christchurch, New Zealand. E-mail: [email protected].
B. Landfeldt is with the School of Information Technologies, University of Sydney, Sydney 2006, Australia. E-mail: [email protected].
Manuscript received 22 May 2006; revised 18 Jan. 2007; accepted 31 May 2007; published online 19 June 2007. For information on obtaining reprints of this article, please send e-mail to: [email protected], and reference IEEECS Log Number TMC-0139-0506. Digital Object Identifier no. 10.1109/TMC.2007.70720. 1536-1233/08/$25.00 © 2008 IEEE. Published by the IEEE CS, CASS, ComSoc, IES, & SPS.


The capacity offered by these RGs at various residential sites will not be fully utilized since the residential traffic patterns typically vary considerably over the course of a day. The unutilized capacity could be offered to visiting users with whom there exists a relationship to allow this. In residential premises, we see the potential emergence of a high-speed wireless access network consisting of numerous WLAN-sized cells. In this model, each WLAN site that is connected to the Internet via an individual RG can be considered as an individual domain as these sites are owned by individual residential consumers. An example of a current operational commercial system building on this principle is the FON [7] community, where individual subscribers share an excess capacity with the global FON community and FON itself provides billing support so that a used capacity is billed to a user’s own account. Examples where the contributors of the RGs or APs do not belong to any particular consortium and thus are not centrally administered include community networks such as Melbourne Wireless and wireless hotspot sites in city central business district areas. Various usage types of such privately owned wireless access for public use have been envisaged. For example, Thompson et al. have shown that, by pulling together the broadband capacity via the WLANs of neighboring households, Internet connectivity can be improved [8]. Landfeldt et al. [9] proposed the use of collaborative community networks by allowing others to use spare broadband capacity in exchange for utilizing others’ broadband connection while away from home to either simply access the Internet or to improve the Internet access capacity in a similar way as in [8]. Other researchers are also advocating similar ideas [10], [11], [12]. If the current deployment trend continues, in dense residential areas, it will be common to find a substantially large number of RGs within range. 
This also provides the opportunity for load sharing or load balancing among the RGs by handing off some visiting connections to other RGs within range when the original RG (oRG)'s link utilization or load increases and affects its home traffic. Therefore, we see stationary handoff scenarios emerging in the multiowner RG access network architecture. Depending on the load variation, there may be situations when, during an active session, a mobile visiting node (VN) will have to undergo frequent handoffs to new RGs (nRGs).

Solutions currently found in the research and industry domain aiming at the reduction of the authentication delay, as discussed next in the related work section, target a single domain, where centralized control is an advantage. In the collaborating scenarios between service providers, this is not the case since each domain has its own authentication mechanisms that are closed to other parties. In the RG access network, such an architecture is not possible, either, since each RG is under its own authority and administration. Hence, in this paper, we propose a keysharing scheme based on a distributed "trust cloud" to facilitate fast authentication in interdomain handoffs. We aim to reduce as much as possible the number of full authentications needed during a session involving the AAA server. Note that there will be a minimum of one authentication per active session, and the rest of the handoffs can employ only the local four-way handshake (fast) to derive the keying material. In our scheme, neighboring RGs that trust each other will share the key (Pairwise Master Key (PMK)) for a visiting device so that the key can be readily used in fast authentication (for example, a four-way handshake) when a handoff to a trusted RG takes place. This scheme will be well suited to community-oriented WLAN-based access networks where trust among neighbors is subject to a previous agreement such as belonging to the same ISP or indeed based on personal choices and relations. Based on the relations among the neighbors, each RG forms a "trust cloud" consisting of individual neighboring RGs that agree to take part in mobile device keysharing to support fast authentication. To the best of our knowledge, this kind of natural neighborhood trust has not been exploited before to benefit network operations by achieving fast authentication for handoffs.

We propose two algorithms for mobile VNs to select the RG at handoffs: trust unaware, which needs no change in the MNs, and trust aware, which needs MNs to be augmented with trust cloud information. To study the benefits of our proposed scheme and explore how authentication overhead behaves against a number of parameters, we develop a Markov chain model, which we validate using discrete event simulations. Using our model, we find that, as the trust probability increases between a given pair of providers, the authentication overhead reduces linearly for the trust-unaware scheme but quadratically for the trust-aware scheme. We report other interesting findings in the paper, the focus being on the performance of the system in terms of authentication delay only without mobility considerations. We therefore investigate load-balancing scenarios between APs rather than handoffs due to mobility.
The rest of the paper is organized as follows: In Section 2, we discuss proposals from the literature that target reducing the handoff delays for mobile devices at various phases of the handoff procedure. In Section 3, we propose our trust-based fast authentication mechanism and two handoff algorithms that work within the trust cloud model. In Section 4, we develop our analytical model using Markov chains, followed by the model validation using simulation studies and analytical results in Section 5. In Section 6, we explore asymmetric trust relations between RG pairs. We discuss practical implementation design issues in Section 7. Finally, we draw the conclusions in Section 8.

2 RELATED WORK

When an MN changes its attachment point from one AP to the next, connections at different communication layers need to be reestablished in order to continue the ongoing session. Although establishing the radio link to the nAP, which consists of a few phases, is the fundamental step for other layers to reconnect and support the session continuation, steps such as session handoff at the Internet Protocol (IP) layer also incur delays that hamper the session experience. Thus, there are various proposals in the literature that aim to minimize the delay at respective components of handoff. In the following, we first discuss some work that does not explicitly focus on reducing the authentication delay. Although these are not directly linked to our work, we realize that efforts at all delay-contributing phases of handoff are needed to make the overall handoff fast enough to support delay-sensitive applications. Following this, we discuss some specific work on reducing the authentication delay at the radio link establishment phase of the handoff process.

At the Network layer, the base proposal for network mobility, that is, Mobile IP (MIP) [13], has been extended by various researchers to support handoffs between different subnets of WLANs [14], [15]. The work reported in [14] expedites the foreign agent discovery phase by the use of a caching agent (a host) in the wired portion of the foreign network to cache the most recent foreign agent advertisement. An MN, upon entering the new network and establishing the link-layer connectivity with the nAP, sends a query to the caching agent by using a dummy well-known media access control (MAC) address that the caching agent itself sends out into the network. Thus, the MN does not have to wait to receive the advertisement from the foreign agent and can start the MIP procedure as soon as it has gotten the link layer connected and has received the reply message from the caching agent. The work presented in [15] extends the 802.11f Inter Access Point Protocol (IAPP) [16], where the APs act as mobility agents for the clients and the old APs and nAPs use the IP-IAPP mobility management procedure to arrange for traffic routing for the MN between them. Interested readers may also look at references such as [17] and [18] for other proposals on the IP-layer handoff delay reduction work in WLAN scenarios.

At the radio-link layer, there are phases, namely, scanning, authentication, and association, each of which incurs a delay in the handoff procedure. Ramani and Savage [19] proposed SyncScan, which is based on synchronized scanning by the MNs of neighboring APs with periodic beacon transmission of the APs.
This proposal aims at eliminating the individual scanning phase after the MN decides to hand off from the current AP; thus, there is no delay in scanning when the MN decides to hand off. The MNs have a single radio, as in most of the proposals and deployments today, and so, although the MNs perform periodic scanning, they miss out on the transmission on the currently attached channel. The authors propose a remedy for this. However, the authors consider the authentication delay to be negligible, which may not be the case for 802.11i (EAP/TLS) if no optimization is done to reduce the authentication delay. Brik et al.'s proposal [10], MultiScan, is a step forward from SyncScan, which requires the MNs to operate by using two radios. One radio is used for communicating with the currently attached AP, whereas the second idle radio is used to scan the neighborhood and attach with the best candidate. When it is time to hand off, there will be no time wasted, as the other radio is already attached to the handoff candidate AP and the communications only need to be redirected from the first interface (first radio) to the other. Because this proposal performs all the tasks that are necessary at the 802.11 handoff phase before the actual handoff takes place, it virtually eliminates the 802.11 handoff delay. Although this scheme provides a very promising way forward in solving the radio-link-layer handoff delay, for the majority of the mobile devices in use today, we cannot employ this scheme as they have only one radio onboard, and we still need schemes to reduce handoff latencies at various phases of the 802.11 handoff, including the authentication phase.

In order to reduce the handoff delays due to the exchanges of authentication messages when an MN hands off to a nAP, preauthentication has been specified within the IEEE 802.11i standard. The scope of the preauthentication is, however, limited to a single network domain or ESS, making it inapplicable to interdomain roaming scenarios. The preauthentication, in fact, performs the full authentication (EAP-TLS) for the MN in advance to a group of APs from which the MN may select one (for handing off to candidate APs). When there is a large number of candidate APs, this mechanism does not scale and, in addition, puts an extra load on the AAA server.

Proactive key distribution has been explored as a mechanism to provide fast authentication by predistributing the keys to candidate APs in a neighbor graph so that the AAA server does not have to be involved during handoff [5]. This scheme imposes extra functionality and load on the AAA server because it has to send requests to candidate APs asking whether they want the security key for the MN before it hands off to the APs. This centralized approach, where a single AAA server controls and manages the key distribution, will well suit the scenarios where the WLAN sites are all under the tight control of one central AAA server such that the server can derive and decide on the candidate APs for the MN's next move. It was shown that the handoff delays can be shortened to 50 ms by using the scheme, which is fast enough, even for voice applications. In addition, Proactive Key Caching (PKC) is an extension of Airespace Inc.'s¹ [21] wireless enterprise platform, which was developed along with Funk Software² [23] and Atheros Communications [24].
In PKC, the MN can use the same master key to roam across an Airespace network, visiting one AP to the next. This eliminates the need for the RADIUS authentication: Only the four-way handshake will be required. Airespace has a centralized policy engine for creating and maintaining security parameters across the entire enterprise. The use of the central policy engine in the network also leads this solution to be centralized and suitable only for a single administrative domain.

3 TRUST-CLOUD-BASED FAST AUTHENTICATION

The model is a security keysharing scheme, which works on the basis of RG-to-RG trust. Unlike the implicit trust among the APs within a single administrative domain or an ESS, this trust is not implicit and is a translation from the trust among the RG owners through a relationship with a third party such as an ISP or, indeed, through personal relationships if the community does not operate with a subscription-based model. In community networks, the network operation is dictated by personal preferences; thus, even if two RG owners share the same ISP, there is no guarantee that they would trust each other. This is the difference between neighborhood networks and federated networks such as FON.

In our model, the serving RG of a VN will share the key of the MN that is currently attached with it within its trust cloud. Thus, depending on the number of RGs in the serving RG's trust cloud, some of the RGs in the hotspot area will have the key of the VN ready to be utilized for fast authentication when the VN hands off to one of these RGs, and that RG will share the key further among its trust cloud RGs.

In our model, the RG-RG trust is not necessarily transitive: If RG X trusts RG Y, and RG Y trusts RG Z, it does not necessarily mean that RG X trusts RG Z. Moreover, as this trust may have to do with personal preferences, it is not necessarily symmetric: RG X trusting RG Y does not necessarily mean that RG Y trusts RG X. In our analytical modeling and initial simulations, we have assumed symmetry in the trust relationships between a given RG pair and also that trust is not transitive, as it depends on the relationship or understanding between any given pair of RGs (or RG owners). However, we have also simulated with the symmetry relaxed: in Section 6, two RGs may have unidirectional or bidirectional trust relations. Thus, we deviate from a nondirected trust graph to a directed one.

It is clear that, by using the concept of trust clouds in the area, we will see pockets of fast-authentication-enabled coverage areas and not a whole coverage area of federated fast authentication. Therefore, we would still require the strong authentication mechanism provided by the EAP/TLS in this setup, as not all the handoffs will be able to utilize fast authentication.

Definition 1. A trust link defines the trust relationship between any two given RGs. RG_i and RG_j have a trust relationship if they take part in keysharing for the VNs between them.

Definition 2. A trust cloud is a collection of trust links for a given RG.

¹ Airespace was later acquired by Cisco Systems [20].
² Funk Software has been acquired by Juniper Networks [22].
Every RG has a different trust cloud. One RG can appear in many trust clouds, depending on its relationship with other RGs.

We propose two handoff algorithms for VNs for selecting the handoff AP to facilitate fast authentication in the trust cloud model (trust cloud handoffs). The trust-unaware algorithm is a simple one: It only requires a list of lightly loaded RGs within the range of a handoff candidate VN. This algorithm does not explicitly utilize the trust cloud information to achieve a fast authentication. Whether there will be a full or fast authentication is a matter of chance: If the nRG that the VN hands off to happens to be in the trust cloud of the old RG, there will be a fast authentication. The trust-aware algorithm, however, requires two lists, RG_tl and RG_ul, as given in the algorithm listing. This algorithm actively seeks to utilize the fast authentication. To study the performance of the trust cloud authentication scheme, we will compare the results with those of the "trustless" scenarios, where there is no trust-based keysharing among the RGs.

Algorithm 1: Trust-Unaware Handoff (VN, RG_l).
Requires: Algorithm executes on VN. RG_l is the list of lightly loaded RGs.

    if RG_l nonempty then
        hand off to the first RG from RG_l
    endif
    if RG_l empty then
        terminate session   // premature termination
    endif

Algorithm 2: Trust-Aware Handoff (RG_tl, RG_ul).
Requires: Algorithm executes on VN. RG_tl is the list of lightly loaded trusted RGs. RG_ul is the list of lightly loaded untrusted RGs.

    if RG_tl nonempty then
        hand off to the first RG from RG_tl   (fast auth)
    endif
    if RG_tl empty then
        if RG_ul nonempty then
            hand off to the first RG from RG_ul   (full auth)
        endif
        if RG_ul empty then
            terminate session   // premature termination
        endif
    endif
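The two listings above, together with the trustless baseline, as an added worked example in Python (this is not code from the paper): the trust cloud of Definition 2 is kept as a directed adjacency so that the asymmetric relations of Section 6 also fit, each handoff is classified as fast (the old RG has already shared the VN's PMK with the nRG) or full (EAP-TLS via the AAA server), and full authentications are counted over a session. The RG names, the trust relations, and the per-handoff lists of lightly loaded RGs are constructed for illustration.

```python
from typing import Dict, List, Optional, Set, Tuple

# Trust cloud (Definition 2) for each RG: the set of RGs it shares visiting-node
# keys with. Kept as a directed adjacency so the asymmetric relations of
# Section 6 are representable; a symmetric trust link is stored in both directions.
TrustCloud = Dict[str, Set[str]]


def trust_unaware_handoff(rg_l: List[str]) -> Optional[str]:
    """Algorithm 1: take the first lightly loaded RG, or None (premature termination)."""
    return rg_l[0] if rg_l else None


def trust_aware_handoff(rg_tl: List[str], rg_ul: List[str]) -> Optional[str]:
    """Algorithm 2: prefer the first lightly loaded trusted RG, then an untrusted one."""
    if rg_tl:
        return rg_tl[0]
    if rg_ul:
        return rg_ul[0]
    return None


def select_next_rg(serving: str, light: List[str], cloud: TrustCloud,
                   aware: bool) -> Tuple[Optional[str], str]:
    """Run one handoff from `serving` and classify the authentication it costs.

    Returns (new_rg, kind) with kind in {"fast", "full", "terminated"}. The kind
    follows from the trust link (Definition 1): the serving RG has already pushed
    the VN's PMK to every RG in its trust cloud, so a trusted nRG needs only the
    local four-way handshake, while an untrusted nRG must run full EAP-TLS via AAA.
    """
    candidates = [rg for rg in light if rg != serving]
    if aware:
        rg_tl = [rg for rg in candidates if rg in cloud[serving]]
        rg_ul = [rg for rg in candidates if rg not in cloud[serving]]
        target = trust_aware_handoff(rg_tl, rg_ul)
    else:
        target = trust_unaware_handoff(candidates)
    if target is None:
        return None, "terminated"
    return target, ("fast" if target in cloud[serving] else "full")


def count_full_auths(start: str, light_lists: List[List[str]], cloud: TrustCloud,
                     aware: bool) -> Tuple[int, bool]:
    """Walk one session through a sequence of load-triggered handoffs.

    light_lists[i] is the (constructed) list of lightly loaded RGs the VN sees at
    the i-th handoff, in beacon order. Returns (full authentications, completed).
    The count starts at 1 for the initial association, which always involves the
    AAA server (Section 4.1).
    """
    full, serving = 1, start
    for light in light_lists:
        nxt, kind = select_next_rg(serving, light, cloud, aware)
        if kind == "terminated":
            return full, False
        if kind == "full":
            full += 1
        serving = nxt
    return full, True


# Constructed five-RG neighbourhood: A-B, A-C and C-D trust symmetrically, D trusts
# E one-way (a Section 6 style directed link), and E trusts nobody.
EXAMPLE_CLOUD: TrustCloud = {
    "A": {"B", "C"},
    "B": {"A"},
    "C": {"A", "D"},
    "D": {"C", "E"},
    "E": set(),
}
# Constructed load history: lightly loaded RGs visible at each of three handoffs.
EXAMPLE_LOADS = [["E", "B", "C"], ["A", "D"], ["D", "E"]]
# Trustless baseline: no keysharing, so every handoff is a full authentication.
TRUSTLESS: TrustCloud = {rg: set() for rg in EXAMPLE_CLOUD}


def compare_schemes() -> Dict[str, Tuple[int, bool]]:
    """Full authentications per session for the three schemes on the constructed data."""
    return {
        "trustless": count_full_auths("A", EXAMPLE_LOADS, TRUSTLESS, aware=False),
        "trust_unaware": count_full_auths("A", EXAMPLE_LOADS, EXAMPLE_CLOUD, aware=False),
        "trust_aware": count_full_auths("A", EXAMPLE_LOADS, EXAMPLE_CLOUD, aware=True),
    }


if __name__ == "__main__":
    for scheme, (n_full, done) in compare_schemes().items():
        print(f"{scheme:14s} full authentications = {n_full}, completed = {done}")
```

On the constructed history the trust-unaware VN pays four full authentications (it blindly takes E first, which trusts nobody), the trust-aware VN pays two, and the trustless baseline pays four; the one-way D→E link shows why direction matters: a handoff D→E is fast but E→D is full.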

4 SYSTEM MODEL

In order to study the benefits of the proposed trust cloud handoff algorithms for fast authentication support, we have developed an analytical model using Markov chains [25].

4.1 System Description

The scenario that we model is a VN trying to complete a series of communication sessions by utilizing the unused capacity of nearby RGs within its wireless communication range (RG hotspot). There is a total of N RGs in the hotspot. The VN can sense the current load of each RG from their beacons and can only associate with an RG that is lightly loaded. An RG is modeled as a two-state Markov chain, where the states of an RG alternate between heavily loaded and lightly loaded. The time spent in each state is exponentially distributed, with the means selected to obtain a given fraction of time that an RG spends in the heavily loaded state as

$$L = \frac{L_h}{L_h + L_l},$$

where $L_h$ and $L_l$ are the mean values for the sojourn times in the heavily and lightly loaded states, respectively.

In this paper, we do not propose any new definition for the RG load. There are several works in the literature on load balancing that define load metrics for wireless APs. Although the load metric used in the Global System for Mobile Communications (GSM) networks is the number of calls per cell, this is not suitable in WLANs because the amount of traffic generated by each WLAN user is different. Therefore, it has been argued that a load metric for WLAN based on the amount of generated traffic is more practical [26]. Velayos et al. have proposed using the throughput per AP, including both uplink and downlink traffic (in bytes per second), as the load metric [27]. We employ a similar metric. To distinguish between heavy and light load at the RG, we assume that each RG maintains a threshold value for the metric, and the crossing of the actual value of the metric with the threshold determines whether the load level is high or low. By selecting a low threshold, the RG owner can deny (new) VN connections to maintain the application quality of the home users. During low-activity or idle-usage periods by the home users, the threshold can be set to a value that allows visiting connections.

If an RG switches its state from lightly loaded to heavily loaded while a VN session is in progress through that RG, the VN session will have to hand off to another lightly loaded RG by using one of the trust cloud handoff algorithms or the trustless one described in the previous section. If no lightly loaded RG is available, the session is prematurely terminated. We measure the session completion rate as the fraction of sessions that completed without being prematurely terminated due to the lack of lightly loaded RGs within range.

The activity of the VN is modeled by using the well-known on-off process. When the VN completes a session or a session is prematurely terminated, the VN enters a silence mode before initiating another session. The session and silence mode durations are exponentially distributed. The mean session duration is denoted by S. Once the VN enters the silence mode, its security association with a given RG becomes invalid (an inactivity timer is implemented within each RG, upon expiration of which the security associations of the VN become invalid). Consequently, the VN must go through the full security association process (full authentication involving the AAA server) at the start of each new session even if it continues with the current RG. The primary performance variable that we measure is the number of times that a full authentication is needed for a session on the average, since the goal is to reduce this metric. This number is basically 1 (for the initial association) plus the number of handoffs that require full authentication.

Trust probability and trust distribution are two key parameters that can affect the number of full authentications needed to complete a given session. Trust probability refers to the probability that any two RGs within the range of a VN will trust each other. The higher the probability, the more the chance that the VN has to successfully hand off to an RG without requiring a full authentication. The notion of trust distribution is less obvious. For the same trust probability, different distributions are possible. We simulated two different trust distributions: Random and Power Law. With Random, the existence of trust between any pair of RGs is equally likely with a given probability P. We control the trust probability by adjusting P. Since trust is a phenomenon that "connects" two RGs in some way (for example, if there is a trust link between two RGs, a security key can be shared between them), Power Law may capture this "trust connectivity" distribution more realistically.³ The difference between the Random distribution and Power Law distribution is visually illustrated in Fig. 1 for a scenario where the VN has 10 RGs within its range with the same trust probability, giving 12 pairs of RGs trusting each other for sharing of security keys. Our analytical model is based on the Random trust distribution; however, we have performed simulation studies for Power Law in addition to the Random trust distribution.

Fig. 1. Types of trust topology (N = 10).

Fig. 2. State transitions of the trust cloud continuous Markov process.

4.2 Analytical Model

Fig. 2 shows the state-transition diagram for the continuous-time Markov process that describes the protocol. The state labeled 1 denotes the first RG visited by the VN. The subsequent inner states are labeled according to the following convention. State $K_t$ or $K_u$, $K = 2, 3, \ldots$, denotes the $K$th RG visited by the VN, with the subscript $t$ or $u$ indicating whether the $K$th RG is trusted or untrusted, respectively. States $T_{K_t}$ and $T_{K_u}$ represent terminations of sessions, either because all the session data are transmitted or because the session ends prematurely when a lightly loaded RG, trusted or untrusted, is unavailable. A list of symbols and their meanings, which we used in our analysis, is given in Table 1. (In the equations that follow, $\alpha$ is the transition rate into a trusted next RG, $\beta$ the transition rate into an untrusted next RG, $\gamma$ the total rate of leaving a state, and $\pi(x, t)$ the probability of being in state $x$ at time $t$.)

The probability rates, as indicated in Figs. 2 and 3, are now determined. In both the trust-unaware and trust-aware cases, the session termination probability rate from state 1 or from a state $K_t$ or $K_u$ is

$$\frac{1}{S} + \frac{L^{N-1}}{L_l},$$

where the first term is the inverse of the mean session duration and represents natural terminations, and the second term is the transition probability rate of premature terminations, which is given by the inverse of the mean sojourn time of an RG in a lightly loaded state times the probability of all the remaining RGs being heavily loaded.

³ The Power Law distribution has been identified in routing topologies, interdomain topologies [28], the World Wide Web [29], [30], and so on.


TABLE 1 A List of Symbols Used in the Analysis

Fig. 3. Model validation: authentication per session versus S for the trust-aware scheme.

4.3 Trust-Unaware Algorithm

The transition probability rate into state $K_t$ from state 1 when $K = 2$, or from either state $(K-1)_t$ or state $(K-1)_u$ when $K > 2$, is

$$\alpha = \frac{P\,(1 - L^{N-1})}{L_l}, \qquad (1)$$

where the numerator is the probability that a lightly loaded RG is available and, moreover, that the RG randomly attached to belongs to the trust cloud of the $(K-1)$th RG. Similarly, the corresponding transition probability rate into state $K_u$ is found to be

$$\beta = \frac{(1 - P)\,(1 - L^{N-1})}{L_l}. \qquad (2)$$

It follows, by inspection of the Markov chain, that

$$\frac{\pi(K_t, t)}{\pi(K_u, t)} = \frac{\alpha}{\beta} = \text{constant}, \qquad (3)$$

where $\pi(x, t)$ denotes the probability of being in state $x$ at time $t$. We can therefore merge states $K_t$ and $K_u$ into a single state $K$, as the individual probabilities $\pi(K_t, t)$ and $\pi(K_u, t)$ can be deduced from $\pi(K, t)$ by using (3). By considering probability flows, we obtain the differential equations governing $\pi(K, t)$ as

$$\frac{d}{dt}\pi(1, t) = -\gamma\,\pi(1, t), \quad \pi(1, 0) = 1, \qquad (4)$$

$$\frac{d}{dt}\pi(K, t) = -\gamma\,\pi(K, t) + (\alpha + \beta)\,\pi(K-1, t), \quad \pi(K, 0) = 0, \; K \ge 2,$$

where the total rate of leaving a state is the sum of the two handoff rates and the termination rate of Section 4.2:

$$\gamma = \alpha + \beta + \frac{1}{S} + \frac{L^{N-1}}{L_l}. \qquad (5)$$

The Laplace transform of $\pi(K, t)$ is easily found from the ODEs (4) as

$$\bar{\pi}(K, s) = \frac{(\alpha + \beta)^{K-1}}{(s + \gamma)^K}, \quad K \ge 1. \qquad (6)$$

Hence, in view of (3),

$$\bar{\pi}(K_t, s) = \frac{\alpha\,(\alpha + \beta)^{K-2}}{(s + \gamma)^K}, \qquad (7)$$

$$\bar{\pi}(K_u, s) = \frac{\beta\,(\alpha + \beta)^{K-2}}{(s + \gamma)^K}. \qquad (8)$$

We now proceed to finding the mean number of full authentications. First, a full authentication is needed when attaching to the very first RG, that is, on entering state 1. Second, a full authentication is needed when transiting from state 1 to state $2_u$. The probability of this occurrence is the integral of the transition probability rate from state 1 to state $2_u$, that is,

$$\int_0^{\infty} \beta\,\pi(1, t)\,dt = \lim_{s \to 0} s \cdot \frac{1}{s}\,\beta\,\bar{\pi}(1, s) = \frac{\beta}{\gamma}, \qquad (9)$$

where the Final Value Theorem of Laplace transforms has been used to evaluate the integral, using the facts that if $i(t) = \int_0^t \beta\,\pi(1, \tau)\,d\tau$, then $\bar{i}(s) = \frac{1}{s}\,\beta\,\bar{\pi}(1, s)$, and that the value of the integral is then $i(\infty) = \lim_{s \to 0} s\,\bar{i}(s)$.

Third, we observe that full authentications are also needed for transitions to state $K_u$ from either state $(K-1)_t$ or state $(K-1)_u$ for $K \ge 3$. The probability of the first of these transitions is the integral of the corresponding transition probability rate, that is,

$$\int_0^{\infty} \beta\,\pi\big((K-1)_t, t\big)\,dt = \lim_{s \to 0} s \cdot \frac{1}{s} \cdot \beta \cdot \frac{\alpha\,(\alpha + \beta)^{K-3}}{(s + \gamma)^{K-1}} = \frac{\alpha\beta\,(\alpha + \beta)^{K-3}}{\gamma^{K-1}}. \qquad (10)$$

Similarly, the probability of the second of these transitions is found to be

$$\frac{\beta^2\,(\alpha + \beta)^{K-3}}{\gamma^{K-1}}. \qquad (11)$$

Summing (9), (10), and (11) and adding 1 for the full authentication needed when attaching to the very first RG, the mean number of full authentications is obtained as

$$A_{full} = 1 + \frac{\beta}{\gamma} + \sum_{K=3}^{\infty} \left\{ \frac{\alpha\beta\,(\alpha + \beta)^{K-3}}{\gamma^{K-1}} + \frac{\beta^2\,(\alpha + \beta)^{K-3}}{\gamma^{K-1}} \right\} = 1 + \frac{\beta}{\gamma - \alpha - \beta} \qquad (12)$$

after summing the infinite geometric series (ratio $(\alpha + \beta)/\gamma < 1$) and simplifying.

4.4 Trust-Aware Algorithm

The Markov chain has the same structure as in the trust-unaware case, as shown in Fig. 2, but with different transition probability rates. First, consider the transition to state $2_t$ from state 1. This transition occurs unless all the RGs in the trust cloud of the current RG are heavily loaded (in which case, as described below, the VN falls back to an untrusted RG or, if none of those is lightly loaded either, loses connection with its serving RG and the session terminates prematurely). Because the mean number of RGs in this trust cloud is $P(N-1)$, the transition probability rate may be approximated by

\[ \lambda = \frac{1 - L^{P(N-1)}}{L_l}, \tag{13} \]

where the numerator is the probability that a lightly loaded RG exists in the trust cloud of the current RG. Equation (13) is an approximation because the actual number of RGs in the trust cloud is a random number with mean $P(N-1)$. If such a trusted RG does not exist, then the VN seeks a lightly loaded untrusted RG, that is, a transition to state $2_u$. Hence, the transition probability rate to state $2_u$ may be approximated by

\[ \mu = \frac{L^{P(N-1)}\left\{1 - L^{(1-P)(N-1)}\right\}}{L_l} = \frac{L^{P(N-1)} - L^{N-1}}{L_l}, \tag{14} \]

where the numerator is the probability that a lightly loaded trusted RG does not exist but a lightly loaded untrusted RG does, noting that the mean number of untrusted RGs is $(1-P)(N-1)$. Next, consider the transition probability rates into state $K_t$ from states $(K-1)_t$ and $(K-1)_u$ when $K > 2$. A little thought reveals that both of these rates are equal to $\lambda$, which is given by (13). Similarly, the transition probability rates into state $K_u$ from states $(K-1)_t$ and $(K-1)_u$ when $K > 2$ are each equal to $\mu$, which is given by (14). Finally, it is clear that the mean number of full authentications for the trust-aware algorithm is given by the same expression (12) as for the trust-unaware algorithm, except that the values of $\lambda$ and $\mu$ are now given by (13) and (14), respectively.

4.5 Trustless Scenarios

As a baseline, we determine the mean number of full authentications when none of the RGs is trusted. In this case, every handoff incurs a full authentication. This is the special case $P = 0$, in which, from (1) and (2), we have

\[ \lambda = 0, \qquad \mu = \frac{1 - L^{N-1}}{L_l}. \tag{15} \]

Substituting in (12) and also using (5), we get

\[ A_{full} = \frac{\dfrac{1}{S} + \dfrac{1}{L_l}}{\dfrac{1}{S} + \dfrac{L^{N-1}}{L_l}}. \tag{16} \]

In all cases, (16) also gives the total number of authentications, $A_{total}$, whether full or partial, since the sum $\lambda + \mu = (1 - L^{N-1})/L_l$ is the same for all three algorithms.

4.6 Session Completion Rate

Although the mean number of full authentications per session is our primary metric of interest, another metric that has a bearing on the results is the session completion rate. Because of the load variations at the RGs, some sessions will not be able to complete, as the VN will not find a lightly loaded RG at some of the handoff times. Thus, some of the handoff attempts will result in premature session terminations. Therefore, we measure the session completion rate as the ratio of completed sessions to total initiated sessions. From the Markov model, the transition rate to the termination state is $1/S + L^{N-1}/L_l$, in which $1/S$ represents terminations of completed sessions. Thus, we obtain the session completion rate as follows:

\[ \text{session completion rate} = \frac{1/S}{1/S + L^{N-1}/L_l} = \frac{1}{1 + S\,L^{N-1}/L_l}. \tag{17} \]

5 NUMERICAL RESULTS

Our analytical model assumes a random distribution of trust among the RGs that are within the range of the VN. We conducted three sets of experiments to investigate the impact of session duration ðSÞ, level of RG load ðLÞ, and trust probability ðP Þ on the performance of the different handoff algorithms proposed in Section 3. We considered hotspots of 20 and 50 RGs within the range of the VN. Before presenting the various numerical results, we perform model validation by means of simulation studies. We first briefly describe the simulator and then give two representative graphs that validate our analysis.

5.1 Model Validation

We have developed a discrete event simulator in C. The load switching of the RGs from low load to high load, and the session arrival and completion of the VN, are modeled by events scheduled to occur at a future time. The session duration of the VN and the low-load and high-load durations of the RGs follow the same statistical properties as in the analytical model. Our main goal is to study the savings made on the full authentications per session. For this, we study the mean number of full authentications per session using our trust cloud fast authentication algorithms and compare it with the mean number of full authentications per session that would have been required if our protocols were not used. We refer to the latter scenarios as "no-trust" or "trustless" handoffs. Authentication requirements are generated when a VN hands off from one RG to the next. When the load of the serving RG changes from low to high, the VN has to hand off to another RG. The handoff algorithm to be used is selected through the input file and is either trust aware or trust unaware, as described in Section 3. For each set of parameter values, we ran the simulation many times, with different seeds for the random number generator, to ensure that the reported results, that is, the mean values, achieve a 10 percent relative precision or better with 95 percent confidence. To achieve this confidence level, we repeated each simulation more than 20 times in most cases. Figs. 3 and 4 are two representative graphs showing the results from both the analytical and simulation studies for the proposed handoff algorithms and for the trustless scenarios. We find that there is a close match between the analytical and simulation results, thus validating our analysis. The subsequent graphs for the random topologies contain analytical results only, whereas we also report some results for the power law topologies using simulation studies.

Fig. 4. Model validation: authentication per session versus S for the trust-unaware scheme.

Fig. 5. Session completion rate versus S.
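The closed forms of Sections 4.3 to 4.6 are easy to evaluate and to cross-check against a simulation. The Python code below is an added example, not the authors' C simulator: it computes the trusted-handoff rate, the untrusted-handoff rate and the state-exit rate of the Markov model for each of the three handoff policies, returns the mean number of full authentications, the mean total number of authentications and the session completion rate, and runs a Monte Carlo over the embedded jump chain of the merged model to confirm the geometric-series summation behind the mean number of full authentications. The mean low-load duration of an RG, L_l, is not stated in this part of the paper; the value L_l = 300 s used in the stand-alone run is an assumption, chosen here because it reproduces the trustless values quoted in Section 5.2 (4 full authentications per session at L = 0.3 and about 2.8 at L = 0.9, for N = 20 and S = 900 s). All parameter values are constructed inputs.

```python
"""Closed-form metrics of the trust cloud handoff Markov model, plus a Monte
Carlo check of the series summation behind the mean number of full
authentications. Added example; not the authors' simulator."""
import random


def rates(algorithm, S, L, L_l, N, P):
    """Return (lam, mu, nu) for one handoff policy.

    lam: rate of handoffs to a trusted RG (ticket, no full authentication)
    mu:  rate of handoffs to an untrusted RG (full authentication)
    nu:  total rate of leaving a state: session end (1/S) or the serving RG
         turning heavily loaded (1/L_l)
    S is the mean session duration, L the probability that an RG is heavily
    loaded, L_l the mean low-load duration (assumed input), N the number of RGs
    in range and P the probability that two RGs trust each other.
    """
    p_any_light = 1.0 - L ** (N - 1)          # some other RG is lightly loaded
    if algorithm == "trustless":              # P = 0: every handoff is untrusted
        lam, mu = 0.0, p_any_light / L_l
    elif algorithm == "trust-unaware":        # random light RG, trusted w.p. P
        lam = P * p_any_light / L_l
        mu = (1.0 - P) * p_any_light / L_l
    elif algorithm == "trust-aware":          # light RG in the trust cloud first
        p_trusted_light = 1.0 - L ** (P * (N - 1))
        lam = p_trusted_light / L_l
        mu = (L ** (P * (N - 1)) - L ** (N - 1)) / L_l
    else:
        raise ValueError(f"unknown algorithm {algorithm!r}")
    nu = 1.0 / S + 1.0 / L_l
    return lam, mu, nu


def mean_full_auth(algorithm, S, L, L_l, N, P):
    """Mean number of full authentications per session (closed form)."""
    lam, mu, nu = rates(algorithm, S, L, L_l, N, P)
    return 1.0 + mu / (nu - lam - mu)


def mean_total_auth(algorithm, S, L, L_l, N, P):
    """Mean number of authentications, full or partial: one per RG attached to.
    Independent of the policy, because lam + mu is the same for all three."""
    lam, mu, nu = rates(algorithm, S, L, L_l, N, P)
    return nu / (nu - lam - mu)


def session_completion_rate(S, L, L_l, N):
    """Fraction of sessions that end by completion rather than by finding no
    lightly loaded RG at a handoff; independent of P."""
    return 1.0 / (1.0 + S * L ** (N - 1) / L_l)


def simulate_full_auth(algorithm, S, L, L_l, N, P, sessions=40000, seed=1):
    """Monte Carlo over the embedded jump chain: every state is left with
    probability lam/nu by a trusted handoff, mu/nu by an untrusted handoff and
    otherwise by the session ending (completed or terminated). Only the
    sequence of jumps matters for the count, so holding times are not drawn."""
    rng = random.Random(seed)
    lam, mu, nu = rates(algorithm, S, L, L_l, N, P)
    p_trusted, p_untrusted = lam / nu, mu / nu
    total = 0
    for _ in range(sessions):
        full = 1                               # attaching to the first RG
        while True:
            u = rng.random()
            if u < p_trusted:
                continue                       # ticket accepted, no full auth
            if u < p_trusted + p_untrusted:
                full += 1                      # untrusted nRG: full auth
                continue
            break                              # session over
        total += full
    return total / sessions


if __name__ == "__main__":
    # Constructed operating point: the "extreme" condition of Figs. 3 and 4
    # (L = 0.8, P = 0.2) with N = 20, S = 900 s and the assumed L_l = 300 s.
    args = dict(S=900.0, L=0.8, L_l=300.0, N=20, P=0.2)
    for alg in ("trustless", "trust-unaware", "trust-aware"):
        print(f"{alg:14s} A_full={mean_full_auth(alg, **args):.3f}"
              f"  simulated={simulate_full_auth(alg, **args):.3f}"
              f"  A_total={mean_total_auth(alg, **args):.3f}")
    print(f"session completion rate = "
          f"{session_completion_rate(900.0, 0.8, 300.0, 20):.4f}")
```

At that operating point the difference between the trust-unaware and trust-aware values is about 1.08 full authentications per session, close to the 1.05 read off Fig. 10 for P = 0.2, and the total number of authentications is the same for all three policies, as stated after (16). Because the simulation only walks the embedded chain, it checks the summation in (12), not the load-process assumptions behind (1), (2), (13) and (14); the authors' C simulator is what validates those.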

VOL. 7, NO. 2,

FEBRUARY 2008

Fig. 6. Session completion rate versus L.

5.2 Results

Figs. 3 and 4 clearly demonstrate that having trust relationships among the (owners of) RGs significantly reduces the full authentication requirement during an ongoing session. The network condition that these figures represent is quite extreme in the sense that the overall RG load level is very high (0.8), whereas the trust probability is very low (0.2). The implications of these extreme values are 1) there will be more handoffs during a session, as the lightly loaded state of an RG is short lived and thus changes frequently to the long-lived heavily loaded state, 2) when the VN needs to hand off because its serving RG's load has become high, fewer RGs will be available to take new connections, as most of them will be heavily loaded, and 3) there will be very few trusted RGs to hand off to. Even under these extreme conditions, we find that, although the number of full authentications required per session continues to climb as a function of session duration for trustless handoffs, it grows at a lower rate for trust-unaware handoffs and even more so for trust-aware handoffs. At this point, it is important to explain the behavior of the session completion rate, which is calculated by using (17). The session completion rate has a bearing on the required number of handoffs during a session, which, in turn, relates to the number of authentications required per session. The total number of handoffs during a session is governed by the load level of the RGs. The handoff success, that is, being able to associate successfully with an nRG at handoff time, dictates the session completion rate. These are interrelated variables with a direct impact on the mean number of full authentications during a session. Figs. 5 and 6 are two representative graphs showing how the session completion rate varies with the mean session time and the mean level of RG load.
Fig. 7. Full authentication versus S.

Fig. 8. Full authentication versus L for higher P value.

Fig. 9. Full authentication versus L for lower P value.

Fig. 10. Full authentication versus P.

Fig. 11. Full authentication versus mean session time (S) (50 nodes).

Fig. 12. Full authentication versus L (50 nodes).

Situations when the load level on the RGs is higher are of interest because, at lower overall loads, the VNs undergo fewer handoffs than at higher loads. The lower the level of load on the RGs, the lower the total number of handoffs during a session and, therefore, the higher the chance of completing the session without having to terminate at an RG switch. We observe from these figures that, at lower load levels (L < 0.7), when S = 900 seconds, almost all the sessions complete successfully without terminating prematurely. It is to be noted that the session completion rate does not vary with the trust probability P: by (17), it depends only on the load level L and the mean session duration S. In Fig. 5, we observe that the session completion rate drops as the mean session time grows at higher load levels (L = 0.8 in this instance). With trust-aware handoffs, the VN keeps switching between lightly loaded RGs that have a trust relationship, no matter how many times a handoff is performed; hence, the number of full authentications remains low. This is particularly true when enough lightly loaded RGs are available in the trust domain of the RG that the VN is currently associated with (Fig. 7). In that case, the trust-aware handoff achieves close to the ideal performance, the lower bound of one full authentication per session. For trust-unaware handoffs, the performance is not as good as for trust-aware handoffs but is much better than for trustless handoffs, the more so at a high trust probability (P = 0.7), which also holds for Fig. 10. The level of resource availability, that is, the level of load on the RGs, has an interesting and rather counterintuitive effect on the requirement for full authentication. Intuitively, one would expect that heavily loaded RGs would cause an active session to hand off more frequently, causing a higher number of full authentications. For trustless handoffs, however, Fig. 8 shows that the number of full authentications drops from 4 to approximately 2.8 when the load factor L is increased from 0.3 to 0.9. This can be explained by the fact that, with a very high load factor, many sessions terminate prematurely due to the lack of RGs in a lightly loaded state, reducing the number of full authentications per session at the expense of a lower session completion rate (see Fig. 6). This phenomenon manifests itself in the performance of the trust-unaware handoff algorithm as well: when the load factor changes from 0.3 to 0.9, the mean number of full authentications per session drops from 1.6 to 1.4. The trust-aware handoff algorithm, however, performs at an ideal level close to the minimum, that is, one full authentication per session, at the high trust probability of 0.9. Fig. 9 shows the behavior of the trust cloud handoffs as the load level is increased when the trust probability is very low (P = 0.2). The mean number of full authentications per session is pushed up from 1.6, as in Fig. 8, to 3.4 in this figure because of the very low value of P. The extreme combination of a low value of P and a high value of L impacts the trust-aware handoffs as well, and we see that, as the value of L increases, the performance of the trust-aware handoff algorithm deviates from its ideal behavior but still remains the best among the three algorithms compared. Having established the clear benefits of trust cloud handoffs over trustless ones, we proceed to further experiments comparing the two trust cloud handoff algorithms, trust aware and trust unaware. Fig. 10 shows how the trust probability affects these two algorithms. The number of full authentications for trust-aware handoffs remains close to the lower bound of one authentication per session at a higher trust probability (P ≥ 0.7), but the performance of the trust-unaware handoff drops drastically as the trust probability is reduced. When the trust probability is really low (P = 0.2), being aware of an RG's trust domain saves the VN 1.05 full authentications per session on average. The most interesting finding here is that, as P increases, the authentication overhead reduces linearly for the trust-unaware scheme but quadratically for the trust-aware scheme. To rule out any effect of the number of RGs in a hotspot, we repeated the above experiments for a hotspot of 50 RGs. Figs. 11, 12, and 14 confirm that the results discussed so far generally hold, even when the number of RGs is increased by more than twofold. The only noticeable difference is the

impact of the availability of more RGs on the trust-aware handoffs. This algorithm yields a significant improvement compared to Fig. 3 (N = 20), and the number of full authentications per session is lower for hotspots with a larger number of RGs. The other two handoffs, trust unaware and trustless, are affected by the increase in available RGs within range in the opposite way: they result in more full authentications per session at higher load levels (L ≥ 0.8). This is more significant for the trustless handoffs. The reason for this increase is that there are more candidate RGs to hand off to, so at higher load levels, the session completion rate increases compared to the case of N = 20. With a larger number of RGs within range, sessions have a higher probability of completing without being terminated prematurely, which means that the expected session lifetime increases. With an increased session lifetime, there is an increased probability of handoffs within a session and, hence, a possible increase in the number of full authentications per session. This is mainly valid for the trustless and trust-unaware handoffs, as compared with the trust-aware handoffs (see Fig. 12), and is most apparent in the trustless scenarios; in the trust-unaware scenarios, the behavior does not change noticeably. The fraction of full authentications per session for the trust cloud handoff algorithms, as compared to the trustless scenarios, is reported in Fig. 13. This figure shows that, when the trust probability is high (0.8 in this case), the trust-aware handoff algorithm requires only about 0.25 of the full authentications required by the trustless algorithm. The trust-unaware algorithm, on the other hand, saves a fraction of 0.6 of the full authentications per session for a mean session duration of 900 seconds. To further assess the validity of these results in more practical contexts, we repeated these experiments for a trust distribution that, instead of being random and uniformly distributed among all RGs in the hotspot, obeyed a power law. We used the power law outdegree (PLOD) [31] topology generator, which exploits the second of the four power laws defined by Faloutsos et al. [28], that is, the law of the outdegree exponent. We selected the two parameters required by this law such that the total number of edges resembled that of the P = 0.2 random topology case. We found that the benefit of the trust cloud handoffs over the trustless ones remains strong (see Figs. 15 and 16). One interesting result for the power law trust distribution, however, is that whether or not the VN is aware of the trust domain of the RG it is currently associated with makes little difference to the reduction in the number of full authentications during a session. This is especially true for sessions with a mean duration of less than 900 seconds. This insight is useful, since, from a practical-deployment point of view, there is more overhead involved in implementing trust awareness (see Section 7 for a practical implementation of the trust cloud handoff algorithms).

Fig. 13. Fraction of full authentication versus L (50 nodes).

Fig. 14. Full authentication versus P (50 nodes).

Fig. 15. Full authentication versus mean session time S (20 nodes, Power Law).

Fig. 16. Full authentication versus mean session time S (50 nodes, Power Law).

Fig. 17. Random trust topology (N = 10), trust symmetry relaxed.

6 EXPLORING ASYMMETRIC TRUST

Until now, our simulation and analytical results and discussions were based on the assumption of symmetric trust between a pair of RGs: If RG X trusted RG Y , RG Y also trusted RG X. However, other scenarios are possible, where this may not strictly be the case. Example scenarios include areas covered by multiple providers: Small business owners such as Starbucks, big providers such as T-mobile, and nonprofit providers such as the city council. Consider the following scenario: There is an overlap between a public network in a coffee shop and a council-operated open wireless mesh network. The council is providing a free service to the public, and the coffee shop provides access to paying customers. The council-operated network is willing to provide handoff to any customers moving in or out of the network, but the coffee shop network only allows handoff from itself to the mesh network. This is because the coffee shop does not allow customers to enter the network without paying but encourages session continuity for customers leaving the premises. Thus, there may be situations when RG X (or provider X) trusts RG Y for the keysharing, but RG Y does not do the same for RG X. To capture these scenarios in our proposal, we relax the symmetric trust assumption: There will be cases where two RGs trust each other symmetrically, and there will be cases when they do not. Now, the trust topology graph becomes a directed graph, as shown in Fig. 17. For example, we see that RG 3 has a symmetric relationship with RG 9 but an asymmetric one with RG 0. In the symmetric trust model, we had considered trust by using the same uniform random probability P for each pair of RGs. 
When we relax the symmetry, we can envisage several ways of drawing up the trust links: 1) using the same uniform random probability P but drawing the trust links in the forward and backward directions (from X to Y and from Y to X) individually (asymmetric and uniform), 2) using two different random probability values, P_1 and P_2, for the forward and backward directions, respectively (asymmetric and nonuniform), and 3) using randomly selected probability values for every RG. In our next set of simulations, we explore cases 1 and 2, as case 3 is the general case of case 2.

Fig. 18. Full authentication versus mean session time S for symmetric and asymmetric trust.

Fig. 19. Full authentication versus mean session time S. The trust symmetry is relaxed.

Fig. 20. Full authentication versus mean session time S. The trust symmetry is relaxed.

Fig. 18 shows a comparison of the symmetric and asymmetric trust relations in a hotspot area covered by 20 RGs. In this simulation, we have used the trust probability value P = 0.2 for both the symmetric and asymmetric scenarios. As this value is the same in all these cases, we see no difference in performance. The impact of asymmetric trust relations comes into play when we consider different probability values for deciding the trust links in the forward and backward directions for a given pair of RGs. The results then deviate from those of the symmetric trust model. We can observe this in Fig. 19, where we have selected two different trust probabilities for the forward direction (P_1 = 0.2) and the backward direction (P_2 = 0.1). As the two trust probability values are very close to each other in this figure, although we see a difference between the asymmetric uniform and nonuniform cases, the differences are not large. In Fig. 20, we see that the asymmetric nonuniform trust model achieves fewer full authentications per session. In the uniform cases, we used P = 0.2, whereas, in the nonuniform cases, we used P_1 = 0.2 and P_2 = 0.8. Thus, we see that the handoffs benefit from the nonuniform asymmetric trust model when the probability values differ, and the trust clouds improve because of the higher probability value P_2.

Fig. 21. Authentication message flow in the trust cloud model.

7 PRACTICAL IMPLEMENTATION

For the trust cloud handoff schemes to work, we need to consider the keysharing mechanisms among the trust cloud RGs, the ticket distribution to the VNs, and also the level of security provided by the proposed algorithms. In the following, we provide possible directions that are subject to verification by practical implementation. For the trust-aware algorithm, each VN is given the trust cloud information by its serving RG. In the trust-unaware scenarios, the VN is not given the trust cloud information; thus, no modification is needed to the VN's handoff policy. Fig. 21 shows the authentication-related message flows among the relevant entities for the trust cloud model. This figure is designed with the assumption that IEEE 802.11 is the standard in use; however, this assumption does not limit the applicability of our model to other systems, as long as they have some kind of local handshake protocol that can establish secure channels between the VN and the RG in the same way as 802.11i's four-way handshake. Fig. 22 shows the decision-making flowchart at the RG when a VN wants to attach to it.

Fig. 22. Overview of authentication using trust cloud.

7.1 Communication in the Trust Cloud

Trust clouds are formed using the trust cloud formulation protocol, which itself is not the focus of this paper. It is important to mention, however, that this protocol, which is executed in a distributed manner at each RG, formulates each RG's trust cloud using the information collected from the RG beacons received from other RGs within range and the home RG's preferences, which dictate the trust relations. We emphasize that not all the RGs within range necessarily belong to the trust cloud of a given RG; thus, we do not assume that all RGs trust each other, or that RGs taking service from a particular ISP must trust each other. This is a flexible setting, as the owner preferences dictate the trust cloud formulation, which is not governed by the ISP itself. RGs of a given trust cloud must be able to communicate securely with each other over the Internet. To this end, IP security (IPsec) and digital-certificate-based authentication can be used. The presence of a broadband provider (the ISP) is a great facilitator in verifying the keys or certificates in this model, as the RGs can obtain and verify digital certificates with help from their ISPs. If public-key-based source authentication is used during the formulation of an RG's trust cloud, the RG can verify via the ISP that the key indeed belongs to the RG that claims the public key as its own. The verification information, for example, the public key and the verification result, of a trust cloud member RG should be kept in the RG's records. Once this is done, the RG can keep using this information to verify the messages received from that trust cloud member RG. When there is a new trust cloud member, the relevant information for the new member needs to be obtained.
7.2 Distribution of Keys and Tickets

After the original (or initial) RG (oRG) has completed the full EAP-TLS authentication for the VN, ending in a four-way handshake (the first "connection established" phase in Fig. 21), the RG and the VN will have encryption keys derived for data protection. The oRG will have a PMK for the VN, which it shares with its trust cloud RGs right after the connection is established with the VN. Thus, the key is shared with the trusted RGs in a proactive manner before the VN needs to hand off, that is, before the RG load gets heavy in our example scenarios. The oRG sends a message containing the following information to its trust cloud RGs: {TID, VNID, PMK, time-out, dSig_oRG}. The TID is a unique identification for the ticket that the VN will receive from the oRG and present to the nRG for fast authentication when it hands off to a trusted nRG. The TID is formed by concatenating the VNID, the oRGID, and a time stamp (TID ::= {VNID ‖ oRGID ‖ timestamp}). As the time stamp changes depending on when the ticket is issued, the uniqueness of the TID is guaranteed even for tickets issued by the same RG for the same VN. dSig_oRG is the digital signature of the oRG, used to authenticate the message. The field time-out limits the validity of using the same PMK for the VN at different RGs; its value will typically be of the order of the session duration. This is an extra measure to limit the misuse of the PMK by rogue RGs. The ticket handed to the VN by the oRG contains the information {TID, trust_cloud}. Transmission of this information is protected, as it takes place over the secure channel established following the authentication process between the VN and the RG. Even though the communication of the ticket from the VN to the nRG is visible to other VNs, it cannot be exploited by other VNs to get access, as the PMK, which is needed for the four-way handshake, is not known to them. The trust_cloud field is absent from the ticket if the VN is using the trust-unaware handoff mechanism. This makes the ticket smaller, and there is less complexity at the VN, as it does not have to process the trust cloud information and no change in the handoff policy is needed.

7.3 Security Considerations

When a new connection is initiated by a VN, the oRG obtains the PMK from the RADIUS server using TLS. The ISP's RADIUS server gives out keys only to those clients (RGs) with which it can establish trust via a shared secret. The trusted oRG, in turn, will only share the PMK with nRGs that it has a trust relationship with. It is the responsibility of the trust-group formulation protocol to ensure that rogue RGs are not included in the trust clouds. Sharing of PMKs among the trust cloud RGs takes place over the wired portion of the network using secure communication, as mentioned before. Therefore, untrusted RGs do not have access to the PMKs, and PMKs sent from untrusted RGs will not be accepted. As an added precaution, digital signatures are used to protect the authenticity of a key's sender. Thus, denial-of-service (DoS) attacks based on the use of a wrong PMK at the nRGs are avoided. Consider next the case where RGs send false certificates and signatures to exhaust resources at the receiving RGs. Certificates are unlikely to change frequently; thus, the certificates verified during trust cloud formation remain valid for a considerable duration. If the certificate presented differs from the one stored at the RG for a trust cloud member RG, the RG will have to get help from its ISP to verify the new certificate. If such verifications are required often for an RG, a security trigger is to be raised at the receiving RG, and the suspected RG shall be left out of the trust cloud. In case an RG is captured physically by an adversary, the use of a time-out for the stored PMKs ensures that VNs will not be able to connect to the captured RG using those PMKs once they expire, unless the time-out value is tampered with. However, these types of attacks are applicable to all systems and are not exacerbated by the trust cloud approach. We do not discuss an exhaustive list of DoS attacks here for the same reason, but we focus on the security of features that are specific to our scheme. VNs receive the ticket from the oRG in an encrypted communication that is established following the authentication process between the VN and the oRG. Overhearing attacker VNs cannot recover the PMK, as they do not have the decryption keys for the secure messages between the oRG and the VN. When the VN hands off to an nRG that has the VN's PMK from the oRG, the four-way handshake proves the existence of the shared key at the nRG, proving the authenticity of the VN and the nRG to each other. Note that, because the same PMK is held by every member of the oRG's trust cloud, what the handshake proves to the VN is that the nRG is one of the holders of that PMK, that is, a member of the trust cloud the VN is relying on, rather than one particular RG.
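The message and ticket formats of Section 7.2 and the acceptance checks of Section 7.3 can be written down compactly. The Python code below is an added example, not the authors' implementation: the oRG builds the {TID, VNID, PMK, time-out, signature} share for each trust cloud member and the {TID, trust_cloud} ticket for the VN, a receiving RG accepts a PMK only from a sender it trusts and only if the message authenticates, and an nRG decides between the fast path (ticket with a live PMK) and a full authentication. To also cover the asymmetric trust of Section 6, each RG keeps separate "shares with" and "accepts from" sets; the cafe/mesh scenario is the one described there, constructed here with made-up identifiers. The paper's certificate-based signature dSig_oRG is replaced by an HMAC-SHA256 under a pairwise secret, an assumption made so that the example runs with the standard library alone; the field names, the time-out handling and the secrets are likewise constructed.

```python
"""Key and ticket distribution in a trust cloud, and the nRG's decision between
fast and full authentication. Added example; not the authors' implementation."""
import hashlib
import hmac


def make_tid(vnid, orgid, timestamp):
    """TID ::= VNID || oRGID || timestamp; the time stamp makes tickets issued
    by the same RG for the same VN distinct."""
    return f"{vnid}|{orgid}|{timestamp}"


def _tag(key, *fields):
    """Stand-in for the paper's digital signature dSig_oRG: HMAC-SHA256 over the
    message fields under a pairwise secret (assumption: the secret was agreed
    during trust cloud formation, e.g. over the IPsec channel)."""
    body = "|".join(str(f) for f in fields).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class RG:
    def __init__(self, rg_id, shares_with, accepts_from, pair_keys):
        self.rg_id = rg_id
        self.shares_with = set(shares_with)      # RGs this RG sends PMKs to
        self.accepts_from = set(accepts_from)    # RGs whose PMKs this RG accepts
        self.pair_keys = pair_keys               # {peer_id: pairwise secret}
        self.pmks = {}                           # TID -> (VNID, PMK, expiry)

    def issue(self, vnid, pmk, now, timeout, trust_aware=True):
        """After the full EAP-TLS authentication: share the PMK proactively
        with the trust cloud and hand the VN its ticket."""
        tid = make_tid(vnid, self.rg_id, now)
        expiry = now + timeout                    # time-out bounds PMK reuse
        msgs = []
        for peer in sorted(self.shares_with):
            sig = _tag(self.pair_keys[peer], tid, vnid, pmk.hex(), expiry)
            msgs.append({"from": self.rg_id, "tid": tid, "vnid": vnid,
                         "pmk": pmk, "timeout": expiry, "sig": sig})
        ticket = {"tid": tid}
        if trust_aware:                           # trust-unaware VNs get no cloud
            ticket["trust_cloud"] = sorted(self.shares_with)
        return ticket, msgs

    def receive_share(self, msg):
        """Accept a PMK only from a trusted sender whose tag verifies."""
        sender = msg["from"]
        if sender not in self.accepts_from:
            return False
        expected = _tag(self.pair_keys[sender], msg["tid"], msg["vnid"],
                        msg["pmk"].hex(), msg["timeout"])
        if not hmac.compare_digest(expected, msg["sig"]):
            return False                          # forged or altered share
        self.pmks[msg["tid"]] = (msg["vnid"], msg["pmk"], msg["timeout"])
        return True

    def attach(self, vnid, ticket, now):
        """Decision at the nRG: 'fast' if a PMK for this ticket is held and
        still valid (four-way handshake only), otherwise 'full'."""
        entry = self.pmks.get(ticket["tid"]) if ticket else None
        if entry is None:
            return "full"
        t_vnid, _pmk, expiry = entry
        if t_vnid != vnid or now >= expiry:
            del self.pmks[ticket["tid"]]          # expired or mismatched: drop
            return "full"
        return "fast"


def demo():
    """Constructed Section 6 scenario: the cafe RG lets sessions leave towards
    the council mesh but does not accept handoffs into itself."""
    secret = hashlib.sha256(b"constructed cafe-mesh pairwise secret").digest()
    cafe = RG("cafe", shares_with={"mesh"}, accepts_from=set(),
              pair_keys={"mesh": secret})
    mesh = RG("mesh", shares_with={"cafe"}, accepts_from={"cafe"},
              pair_keys={"cafe": secret})
    pmk = hashlib.sha256(b"constructed PMK from EAP-TLS").digest()
    ticket, msgs = cafe.issue("vn-42", pmk, now=1000, timeout=900)
    out = {"accepted_by_mesh": mesh.receive_share(msgs[0])}
    out["mesh_attach"] = mesh.attach("vn-42", ticket, now=1200)
    out["mesh_attach_expired"] = mesh.attach("vn-42", ticket, now=1901)
    # reverse direction: the mesh shares, but the cafe refuses the PMK
    r_ticket, r_msgs = mesh.issue("vn-7", pmk, now=1000, timeout=900)
    out["accepted_by_cafe"] = cafe.receive_share(r_msgs[0])
    out["cafe_attach"] = cafe.attach("vn-7", r_ticket, now=1100)
    # an altered share is rejected even when it names a trusted sender
    forged = dict(msgs[0], pmk=hashlib.sha256(b"rogue PMK").digest())
    out["forged_accepted"] = mesh.receive_share(forged)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {value}")
```

The ticket itself carries no secret, which is why its transmission from the VN to the nRG over the air is harmless: an eavesdropper who replays it still fails the four-way handshake without the PMK. The `accepts_from` check is what turns the directed trust graph of Fig. 17 into policy at the receiving RG.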

8 CONCLUSION AND FUTURE WORK

In this paper, we have investigated the novel concept of trust clouds for security keysharing of a VN to achieve fast authentication at handoffs between APs belonging to different administrations. The performance of the trust-based authentication scheme has been studied by constructing a Markov model. Using numerical studies, we have evaluated the performance of the concept for a basic implementation where the MNs are not aware of the trust network in the neighborhood and, then, for an advanced implementation where the MNs are aware of the trust. We have studied the impact of trust probability, session duration, and level of RG load on the reduction of full authentication requirements. The trust cloud approach requires a significantly smaller number of full authentications per session. From the experiments, our results show that 1) the reduction is linear for the basic implementation as the trust probability increases, and 2) a quadratic reduction is achievable in the advanced scenario. These results are very encouraging and highlight the potential reductions in handoff times that are possible by using the scheme. In this paper, we did not propose protocols for building and maintaining trust clouds and made no assumptions about any particular way of doing so. We assumed that trust cloud member information is available at the RGs, and we focused on exploring the benefits of trust cloud keysharing. In the future, we intend to investigate the coupling of the trust cloud model with mobility management protocols and the overall behavior of the system when used to support mobility.

REFERENCES [1] [2] [3] [4] [5] [6] [7] [8] [9]

[10]

[11] [12] [13] [14] [15]

[16] [17]

[18]

[19] [20] [21] [22] [23] [24] [25] [26] [27] [28]

ACKNOWLEDGMENTS The authors would like to thank the anonymous reviewers for the insightful and constructive feedback on our manuscript. This work is funded by the Smart Internet Technology CRC (http://www.smartinternet.com.au).



Jahan Hassan received the bachelor's degree in computer science from Monash University, Melbourne, in 1995 and the PhD degree in computer science from the University of New South Wales, Sydney, in 2004. She is a research fellow in the School of Information Technologies, University of Sydney. She was a member of the technical program committee of the 31st IEEE Conference on Local Computer Networks (LCN 2006), the 2007 IEEE International Conference on Communications (ICC), the 2007 IEEE International Symposium on Wireless Pervasive Computing (ISWPC), the 2006 IADIS International Conference on Applied Computing (IADIS AC 2006), and the 2007 IADIS International Conference on Wireless Applications and Computing (WAC). She has served as a reviewer for many conference proceedings and journal papers. Her research interests include mobile and wireless networking architectures and wireless network security. Her current project focuses on fast authentication techniques for multiprovider access networks. She has published widely in peer-reviewed conference proceedings and journals. She is a member of the IEEE.


Harsha Sirisena received the BSc (Eng) degree (with honors) from the University of Ceylon, Peradeniya, Sri Lanka, and the PhD degree from the University of Cambridge, Cambridge. He is a professor of electrical and computer engineering at the University of Canterbury and has held visiting appointments at the Australian National University, Canberra; Lund University, Lund, Scania, Sweden; the National University of Singapore, Singapore; the University of Minnesota, Minneapolis; and the University of Western Australia, Perth. He has served on the program committees of several international conferences and is an editor-in-chief of the International Journal of Wireless and Optical Communications. His research interests are next-generation wireless and wireline networks, including performance analysis, congestion control, and resiliency. He is the author of over 150 publications in refereed international journals and conference proceedings. He is a senior member of the IEEE and a member of the IET.

Björn Landfeldt received the bachelor's degree from the Royal Institute of Technology, Stockholm, Sweden, and the PhD degree from the University of New South Wales, Kensington, in 2000. In parallel with his studies in Sweden, he ran a mobile computing consultancy company, and after his studies, he joined Ericsson Research, Stockholm, as a senior researcher working on mobility management and QoS issues. In November 2001, he took up a position as a Cisco senior lecturer of internet technologies in the School of Electrical and Information Engineering and the School of Information Technologies, University of Sydney. He is also a research associate at National ICT Australia (NICTA) and the Smart Internet CRC. He is currently serving on the editorial boards of international journals, is a program committee member of many international conferences, and is supervising eight PhD students. His research interests include wireless systems, systems modeling, mobility management, QoS, and service provisioning. He has published more than 50 publications in international books, journals, and conference proceedings and has received many competitive grants, including Australian Research Council (ARC) Discovery and Linkage Grants. He holds eight patents in the US and globally. He is a senior member of the IEEE.

