This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the ICC 2007 proceedings.

Two-factor Localized Authentication Scheme for WLAN Roaming

Xiaodong Lin, Haojin Zhu, Pin-Han Ho, and Xuemin (Sherman) Shen
Department of Electrical and Computer Engineering, University of Waterloo, Canada
{xdlin, h9zhu, pinhan, xshen}@bbcr.uwaterloo.ca

Abstract - In this paper, we propose an efficient two-factor localized authentication scheme suitable for WLAN roaming. The proposed scheme greatly improves security compared with previously reported counterparts by utilizing two independent factors, "what you know" and "what you have", in the authentication process for a mobile user (MU). Some important issues specific to the wireless environment are considered in the design of the scheme, such as the limited computation power, memory space and battery capacity of mobile stations (MSs), and the ping-pong movement problem when roaming across WLANs. The detailed implementation of the proposed scheme is presented, and its key performance measures and security are analyzed. Numerical results demonstrate that the proposed scheme significantly outperforms legacy authentication schemes in terms of signaling overhead, power consumption, and authentication latency without losing the capability of preserving system security.

Keywords - Authentication, Roaming, Wireless LANs (WLANs), Handoff, and Trusted Third Party (TTP).

I. INTRODUCTION

IEEE 802.11 based Wi-Fi hotspots, also known as public Wireless LANs (WLANs), have been on an upswing, and wireless Internet access is readily available almost everywhere, especially in heavily populated areas such as airports, restaurants, cafés, libraries, and hotels. Unlike the traditional GSM (Global System for Mobile Communications) systems of cellular carriers, a typical Wi-Fi hotspot has much smaller coverage and more restricted scalability, which imposes quite different design requirements on the interworking of Wi-Fi hotspots in terms of interoperability, scalability, and cost-effectiveness. Imagine how complicated interworking becomes when it is performed on thousands of self-managed hotspots [1] by numerous different WISPs jointly providing wide Internet access coverage in a metropolitan area. In general, an MU subscribes to a WISP, called the home WISP, and signs up for an account in order to access the wireless Internet services at the hotspots managed by that WISP. However, the MU cannot use a hotspot managed by another, foreign WISP unless the foreign WISP and the home WISP have a cooperative roaming agreement which stipulates how each other's MUs can access the hotspots each of them manages when the MUs roam across WLANs operated by the WISPs. One of the most important issues associated with WLAN roaming is the ability to provide a secure, light-weight, cost-effective approach to authenticate MUs that request roaming, taking into account the constraints of wireless communication environments, such as the limited computation power, memory and battery capacity of MUs, and the ping-pong movement problem when roaming across WLANs.

Two authentication and roaming architectures for the interworking of WLANs have been reported and widely employed. One is the authentication, authorization and accounting (AAA) server [2]. The visited network of an MU responds to a roaming request by sending the MU's credentials (such as the MU's name, domain name, and password) to the AAA server of the MU's home network. The AAA server of the home network then authenticates the MU based on these credentials and sends the authentication decision back to the visited network [3,4]. If successful, the MU is granted access to the visited network. The second roaming architecture is the roaming broker [5], which is trusted by all the WISPs in the metropolitan area to exchange roaming accounting information and to handle MUs' authentication requests. Both authentication mechanisms involve a significant amount of signaling among the roaming MUs, the visited networks, and the home networks or the roaming broker. Therefore, a light-weight authentication mechanism is desirable in order to reduce the signaling overhead due to roaming. Localized authentication can serve this design requirement: an initial mutual authentication (also known as two-way authentication) between a roaming MU and its visited network is performed without any intervention of the MU's home network. Several studies have attempted to achieve localized authentication for WLAN roaming. In [6], an authentication protocol based on a public-key certificate structure was proposed for WLAN interworking; its efficiency comes from the fact that the signaling overhead between the AAA server and the WISPs can be avoided.
A localized AAA protocol that retains mobility transparency as a protocol supporting network mobility and reduces the cost of the AAA procedure was designed in [7]. In addition to providing mutual authentication, that AAA protocol prevents various threats such as replay attack, man-in-the-middle attack, and key exposure. In this paper, we propose a novel localized authentication scheme for roaming and interworking between WLANs of different WISPs. Our work differs from [6,7] in that an embedded two-factor authentication mechanism determines whether the roaming MU is authentic without any intervention of the MU's home network, and performs authenticated key exchange if the MU is authentic. A two-factor authentication mechanism is a stronger authentication method than the previously reported schemes, as two independent ways are adopted to ensure that an MU is a legitimate user, such as "something you know" as one factor and "something you have" or "something you are" as the other. In addition, the proposed localized authentication scheme caches the session key of each residing MU at the WLAN domain during the handoff phase of the roaming MU to a neighbor network, which effectively mitigates the impact of the ping-pong movement problem. The rest of this paper is organized as follows. In Section II, the two-factor localized authentication scheme for WLAN roaming and interworking is presented. In Sections III and IV, the security and efficiency of the proposed scheme are analyzed and discussed, respectively. Finally, Section V concludes the paper and outlines our future work.

1-4244-0353-7/07/$25.00 ©2007 IEEE

II. PROPOSED SCHEME

In this section, we introduce an efficient two-factor localized authentication scheme for roaming operations in the interworking of WLANs with multiple WISPs. The proposed localized authentication scheme aims to achieve efficient mutual authentication and session key exchange between MUs and access points (APs).

Figure 1. The Proposed System Infrastructure.

Four parties are involved in the proposed scheme: the MUs, the trusted third party (TTP), the WISPs, and the hotspots; their relationships are shown in Fig. 1. An MU obtains wireless Internet access by subscribing to the TTP, which has a mutual agreement with each WISP such that a subscribed MU can access the hotspots operated by that WISP. In addition to the role of roaming broker, the TTP also serves as a trusted certificate authority (CA) that issues certificates to WISPs and MUs. The certificate issued to an MU or a WISP is a digital signature by the TTP on its public key and on the linkage between the public key and the MU's or WISP's identity, respectively. Based on this architecture, the TTP issues a smart card to each MU, which contains the necessary authentication credentials for the MU and serves as an electronic pass for roaming across hotspots of different WISPs. The proposed localized authentication scheme consists of four phases: the initialization phase, the authenticated key agreement and login phase, the handoff phase, and the password change phase.

A. Initialization Phase

• TTP Initialization

The TTP randomly chooses two primes $p_T$ and $q_T$ with $p_T, q_T \equiv 3 \pmod 4$, sets $n_T = p_T q_T$, and picks a random number $a_0$ whose Jacobi symbol satisfies $\left(\frac{a_0}{n_T}\right) = -1$. Further, the TTP selects a randomly chosen large prime $p$ and a generator $g$ of the multiplicative group $\mathbb{Z}_p^*$. Let $H(\cdot)$ be a collision-resistant hash function. The quadruplet $(a_0, n_T, p, g)$ together with the hash function $H(\cdot)$ is published as the public key, and the pair $(p_T, q_T)$ is kept as the private key.

• WISP Initialization

A WISP has to set up a mutual agreement with the TTP such that a registered MU can log in and access the wireless Internet services provided by the WISP. To complete the roaming set-up, the WISP and the TTP perform the following operations:

a) The WISP randomly chooses primes $p_W, q_W \equiv 3 \pmod 4$ and sends $n_W = p_W q_W$ to the TTP together with its chosen identity $ID_W$, while $(p_W, q_W)$ is kept as its private key. The TTP checks the legitimacy and uniqueness of the WISP identity; if the check fails, the WISP has to choose another identity before proceeding.

b) The TTP first computes $c_1$:
$$c_1 = \begin{cases} 0, & \text{if } \left(\frac{H(ID_W, n_W)}{n_T}\right) = 1 \\[4pt] 1, & \text{if } \left(\frac{H(ID_W, n_W)}{n_T}\right) = -1 \end{cases}$$
Then the TTP computes $t_0 = a_0^{c_1} \cdot H(ID_W, n_W)$ and derives $c_2$ such that
$$c_2 = \begin{cases} 0, & \text{if } \left(\frac{t_0}{p_T}\right) = \left(\frac{t_0}{q_T}\right) = 1 \\[4pt] 1, & \text{if } \left(\frac{t_0}{p_T}\right) = \left(\frac{t_0}{q_T}\right) = -1 \end{cases}$$
(the two Legendre symbols agree because $\left(\frac{t_0}{n_T}\right) = 1$ by the choice of $c_1$, and since $-1$ is a non-residue modulo any prime $\equiv 3 \pmod 4$, negating $t_0$ when both symbols are $-1$ yields a quadratic residue). Then the TTP computes $r_0 = (-1)^{c_2} \cdot a_0^{c_1} \cdot H(ID_W, n_W)$ and derives $s_0$ such that $s_0^2 \equiv r_0 \pmod{n_T}$.

c) The TTP sends $(a_0, n_T, n_W, ID_W, s_0, c_1, c_2)$ to the WISP, which completes the WISP initialization.

• Hotspot Initialization

A hotspot is initialized by its WISP. For illustration, we assume that each hotspot has a single AP, so the terms "AP" and "hotspot" are interchangeable. First, the WISP chooses $a_1$ such that the Jacobi symbol $\left(\frac{a_1}{n_W}\right) = -1$, where $n_W = p_W q_W$. Then the hotspot and the WISP take the following actions:

a) The hotspot randomly chooses primes $p_A, q_A \equiv 3 \pmod 4$ and sends $n_A = p_A q_A$ to its home WISP together with its chosen service set identifier, SSID, while the pair $(p_A, q_A)$ is kept as the private key of the hotspot. The WISP, which is responsible for the identity check of its managed hotspots, verifies the legitimacy and uniqueness of the hotspot's identity; if the check fails, the hotspot has to choose another SSID that is legitimate and unique before proceeding.

b) The WISP first computes $c_3$:
$$c_3 = \begin{cases} 0, & \text{if } \left(\frac{H(SSID, n_A)}{n_W}\right) = 1 \\[4pt] 1, & \text{if } \left(\frac{H(SSID, n_A)}{n_W}\right) = -1 \end{cases}$$
Then the WISP computes $t_1 = a_1^{c_3} \cdot H(SSID, n_A)$ and derives $c_4$ such that
$$c_4 = \begin{cases} 0, & \text{if } \left(\frac{t_1}{p_W}\right) = \left(\frac{t_1}{q_W}\right) = 1 \\[4pt] 1, & \text{if } \left(\frac{t_1}{p_W}\right) = \left(\frac{t_1}{q_W}\right) = -1 \end{cases}$$
Then the WISP computes $r_1 = (-1)^{c_4} \cdot a_1^{c_3} \cdot H(SSID, n_A)$ and derives $s_1$ such that $s_1^2 \equiv r_1 \pmod{n_W}$.

c) The WISP sends $(a_0, n_T, n_W, ID_W, s_0, c_1, c_2, a_1, n_A, SSID, s_1, c_3, c_4)$ to the hotspot, which completes the hotspot initialization.

• MU Registration

The roaming MU subscribes to the TTP directly or through its home WISP in order to gain wireless Internet access. In the registration phase, the MU has to provide its billing information. The registration process is as follows:

a) The MU randomly chooses a password $PW$, computes $H(PW)$, and picks a random identity $ID_u$. Then the MU computes $P_u = g^{H(PW)} \bmod p$. Afterward, the MU sends its credentials to the TTP for registration, along with the two parameters $P_u$ and $ID_u$, through a secure channel (e.g., SSL). The user credentials submitted by the MU may include the billing address and payment method, etc. The identity must be unique for every MU.

b) The TTP first computes $c_5$:
$$c_5 = \begin{cases} 0, & \text{if } \left(\frac{H(ID_u, P_u)}{n_T}\right) = 1 \\[4pt] 1, & \text{if } \left(\frac{H(ID_u, P_u)}{n_T}\right) = -1 \end{cases}$$
Then the TTP computes $t_2 = a_0^{c_5} \cdot H(ID_u, P_u)$ and derives $c_6$ such that
$$c_6 = \begin{cases} 0, & \text{if } \left(\frac{t_2}{p_T}\right) = \left(\frac{t_2}{q_T}\right) = 1 \\[4pt] 1, & \text{if } \left(\frac{t_2}{p_T}\right) = \left(\frac{t_2}{q_T}\right) = -1 \end{cases}$$
Then the TTP computes $r_2 = (-1)^{c_6} \cdot a_0^{c_5} \cdot H(ID_u, P_u)$ and derives $s_2$ such that $s_2^2 \equiv r_2 \pmod{n_T}$.

c) The TTP provides a smart card as an electronic pass to the MU through a secure channel. The smart card contains the parameters $(p, g, a_0, n_T, P_u, ID_u, s_2, c_5, c_6)$.

Different from the previously reported counterparts [6,7], the proposed system employs a two-factor authentication mechanism to determine whether the roaming user is authentic. The MU provides its confidential information for authentication while roaming across hotspots. Since this confidential information resides on the user's side, the credentials may leak through insufficient privacy protection or malware such as a keylogger, which weakens the security guarantee. To compensate for this weakness, the smart card serves as the second authentication factor: an adversary who wants to impersonate a legitimate subscriber must not only know the subscriber's authentication credentials but also hold its smart card. The smart card industry has made significant progress in counteracting various attacks, such as physical attacks [8]. By introducing the smart card as an additional factor in the authentication of MUs, the security of the authentication scheme is therefore much improved.
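The three certificate issuances above (the TTP signing the WISP's $(ID_W, n_W)$, the WISP signing the hotspot's $(SSID, n_A)$, and the TTP signing the MU's $(ID_u, P_u)$) all run the same modified Rabin signing routine: adjust the hashed message by $a$ and by $-1$ until it is a quadratic residue modulo $n$, record the adjustments in the two bits, and extract a square root with the private factors, so that anyone can check $s^2 \equiv (-1)^{c_{\text{sign}}} a^{c_a} H \pmod n$ with one squaring. The following Python is an added worked example written for this page, not code from the paper. It assumes SHA-256 reduced modulo the signer's modulus for $H(\cdot)$, toy Mersenne primes (which are all $\equiv 3 \pmod 4$) in place of 1024-bit moduli, a toy $p$ and $g$ for $P_u$, and constructed identifiers and password; the names `Priv`, `issue`, `verify`, `pick_a`, `sqrt_mod_n` and `demo` are the example's own.

```python
import hashlib
from dataclasses import dataclass

def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, by the usual quadratic-reciprocity loop."""
    assert n > 0 and n % 2 == 1
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

@dataclass(frozen=True)
class Priv:
    """A Rabin private key (p, q), both primes ≡ 3 (mod 4); the public modulus is n = pq."""
    p: int
    q: int
    @property
    def n(self) -> int:
        return self.p * self.q

def sqrt_mod_n(r: int, key: Priv) -> int:
    """One square root of a quadratic residue r modulo n = pq via CRT; needs the private factors."""
    p, q = key.p, key.q
    xp, xq = pow(r, (p + 1) // 4, p), pow(r, (q + 1) // 4, q)   # valid because p, q ≡ 3 (mod 4)
    s = (xp * q * pow(q, -1, p) + xq * p * pow(p, -1, q)) % key.n
    assert pow(s, 2, key.n) == r % key.n
    return s

def pick_a(n: int) -> int:
    """Smallest a ≥ 2 with Jacobi symbol (a/n) = -1, as required for a_0 (TTP) and a_1 (WISP)."""
    a = 2
    while jacobi(a, n) != -1:
        a += 1
    return a

def H(ident: bytes, val: int, mod: int) -> int:
    """H(ID, value) as an integer below the signer's modulus (assumption: SHA-256 reduced mod n)."""
    return int.from_bytes(hashlib.sha256(ident + b"|" + str(val).encode()).digest(), "big") % mod

def issue(key: Priv, a: int, h: int):
    """Signer side: (s, c_a, c_sign) with s^2 ≡ (-1)^c_sign · a^c_a · h (mod n). These are the paper's
    (s0, c1, c2), (s1, c3, c4) and (s2, c5, c6), depending on who signs what."""
    n = key.n
    c_a = 0 if jacobi(h, n) == 1 else 1          # multiply by a once if (h/n) = -1, so that (t/n) = +1
    t = pow(a, c_a, n) * h % n
    lp, lq = jacobi(t, key.p), jacobi(t, key.q)  # Legendre symbols; equal because (t/n) = +1
    assert lp == lq != 0, "hash shares a factor with n (negligible probability)"
    c_sign = 0 if lp == 1 else 1                 # non-residue mod both primes: -t is a residue (p, q ≡ 3 mod 4)
    r = (-1) ** c_sign * t % n
    return sqrt_mod_n(r, key), c_a, c_sign

def verify(n: int, a: int, h: int, s: int, c_a: int, c_sign: int) -> bool:
    """Verifier side: needs only the public (a, n); one squaring and at most two multiplications."""
    return pow(s, 2, n) == (-1) ** c_sign * pow(a, c_a, n) * h % n

def demo() -> dict:
    # Constructed keys: Mersenne primes are ≡ 3 (mod 4); sizes are toy, not the paper's 1024-bit moduli.
    ttp, wisp, ap = Priv(2**89 - 1, 2**107 - 1), Priv(2**61 - 1, 2**127 - 1), Priv(2**19 - 1, 2**31 - 1)
    a0, a1 = pick_a(ttp.n), pick_a(wisp.n)
    h_w = H(b"wisp-example", wisp.n, ttp.n)           # TTP -> WISP: (s0, c1, c2) on H(ID_W, n_W)
    s0, c1, c2 = issue(ttp, a0, h_w)
    h_a = H(b"hotspot-A", ap.n, wisp.n)                # WISP -> hotspot: (s1, c3, c4) on H(SSID, n_A)
    s1, c3, c4 = issue(wisp, a1, h_a)
    p, g = 2**127 - 1, 3                               # toy p, g for P_u = g^H(PW) mod p
    hpw = int.from_bytes(hashlib.sha256(b"correct horse").digest(), "big")
    h_u = H(b"mu-0001", pow(g, hpw, p), ttp.n)         # TTP -> smart card: (s2, c5, c6) on H(ID_u, P_u)
    s2, c5, c6 = issue(ttp, a0, h_u)
    return {
        "wisp_cert_ok": verify(ttp.n, a0, h_w, s0, c1, c2),     # the MU's Step 1 checks
        "ap_cert_ok": verify(wisp.n, a1, h_a, s1, c3, c4),
        "mu_cert_ok": verify(ttp.n, a0, h_u, s2, c5, c6),       # the AP's Step 3 check
        "tampered_rejected": not verify(wisp.n, a1, H(b"evil-ap", ap.n, wisp.n), s1, c3, c4),
    }
```

`demo()` walks the whole chain the MU verifies in Step 1 of the login phase (TTP over WISP, WISP over hotspot) and the card certificate the AP verifies in Step 3, and shows that a certificate re-used under a different SSID fails. The verifier never needs a Jacobi symbol or a square root, which is why the paper can afford Rabin verification on the MU.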

B. Authenticated Key Agreement and Login Phase

In this phase, an MU authenticates itself to an AP whenever it wants to gain wireless Internet access. Let the AP have the service set identifier SSID. The access process from the MU to the AP is as follows.

Step 1: AP -> MU. The AP broadcasts its public parameters $(a_0, n_T, n_W, ID_W, s_0, c_1, c_2, a_1, n_A, SSID, s_1, c_3, c_4)$. The MU can verify the AP's public key $n_A$ by validating the WISP's signature on it and the TTP's signature on the WISP's public key:
$$s_0^2 \equiv (-1)^{c_2} \cdot a_0^{c_1} \cdot H(ID_W, n_W) \pmod{n_T}, \qquad s_1^2 \equiv (-1)^{c_4} \cdot a_1^{c_3} \cdot H(SSID, n_A) \pmod{n_W}.$$
If the validation fails, the MU aborts the login process, since it could be facing an impersonated AP.

Step 2: MU -> AP. The MU inserts its smart card into the smart card reader of the mobile device and enters its password $PW$. The smart card then 1) calculates $H(PW)$, and 2) generates two random numbers $x$ and $r_1$, where $x$ is a $k$-bit number serving as the MU's key contribution. The smart card randomly chooses a key $k_{ma}$ and encrypts it under the AP's Rabin public key:
$$l_1 = k_{ma}^2 \bmod n_A.$$
Afterwards, the smart card encrypts its identity $ID_u$, $x$, $r_1$, $H(PW)$, $s_2$, $c_5$, $c_6$ and $T$ under $k_{ma}$:
$$l_2 = E_{k_{ma}}(ID_u, x, r_1, H(PW), s_2, c_5, c_6, T),$$
where $E_k(m)$ denotes encryption of message $m$ with any secure symmetric encryption algorithm under key $k$, and $T$ is the current date and time of the smart card reader. The MU then sends the login request $(l_1, l_2)$ to the AP.

Step 3: AP -> MU. On receiving a login request, the AP decrypts $l_1$ with its private key $(p_A, q_A)$ to obtain $k_{ma}$, and then recovers $(ID_u, x, r_1, H(PW), s_2, c_5, c_6, T)$ by decrypting $l_2$ with the newly recovered $k_{ma}$. (Rabin decryption of $l_1$ yields four candidate square roots; the AP must select the $k_{ma}$ that decrypts $l_2$ to a well-formed plaintext, a detail the description leaves implicit.) The AP then takes the following actions:
1. The AP checks the format of $ID_u$ and rejects the login request if it is incorrect.
2. The AP checks whether the timestamp $T$ is within the acceptable window; if not, it stops.
3. The AP verifies $s_2^2 \equiv (-1)^{c_6} \cdot a_0^{c_5} \cdot H(ID_u, g^{H(PW)} \bmod p) \pmod{n_T}$. If it holds, the AP accepts the login request; otherwise the request is rejected.
4. The AP randomly chooses a $k$-bit number $y$ as its key contribution and computes $d = E_x(SSID \| y)$. The AP then sends $d$ back to the MU together with a random challenge $m$.

Step 4: MU -> AP. After receiving $(d, m)$, the MU decrypts $d$ with the symmetric key $x$, $E_x^{-1}(d) = SSID \| y$, and verifies the SSID. The session key is then obtained as $K = H(ID_u \| SSID \| x \| y)$. Next, the MU randomly chooses $k$ with $0 < k < p - 1$ and $\gcd(k, p-1) = 1$, and computes $r = g^k \bmod p$. Note that this step can be performed in advance and the result stored at the MU's side to speed up the login process. The MU then computes $w = (H(m) - H(PW)\, r)\, k^{-1} \bmod (p-1)$; if $w = 0$, the MU starts over with a different $k$. Afterward, the MU computes $c_u = E_K(w, H(PW), r)$ and sends $c_u$ to the AP.

Step 5: AP. Upon receiving $c_u$, the AP recovers $(w, H(PW), r)$ with the newly derived session key $K$ and checks whether $g^{H(m)} \equiv \beta^r r^w \pmod p$, where $\beta = g^{H(PW)} \bmod p$. If it holds, the AP accepts the MU as a legitimate user and logs it into the system; the AP and the MU now share the session key $K$. An entry $(sessionID, ID_u, K, m, w, H(PW), r, T_u, Lifetime)$, called the user information record (UIR), is kept in the AP's local database, where $T_u$ records the MU's usage of the wireless Internet service at the AP and $Lifetime$ is a timer controlling how long the entry is active; when the timer reaches 0, the entry expires. Afterward, the confidentiality and integrity of communication between the MU and the AP are protected by the session key $K$. The corresponding entry $(sessionID, SSID, K, Lifetime)$ is kept in the MU's local cache table, which serves to reduce the impact of the ping-pong movement problem.

C. Handoff Phase

While a communication session is on, the MU may move from the AP to an adjacent hotspot, AP2, operated by the same or a different WISP. The handoff procedure is performed between the MU and AP2 to ensure that the ongoing service is not interrupted while preventing any unauthorized access. In order to reduce the impact of the ping-pong movement issue, session key caching is devised to further improve the efficiency of the proposed localized authentication scheme. Whenever an MU requests a handoff into an access point that still shares a non-expired session key with the MU, a secret-key authenticated key agreement protocol takes place instead of the full authentication procedure, as follows:

Step 1: AP2 -> MU. AP2 broadcasts its public parameters $(a_0, n_T, n_W, ID_W, s_0, c_1, c_2, a_1, n_A, SSID, s_1, c_3, c_4)$. The MU verifies AP2's public key $n_A$ by validating the WISP's signature on it and the TTP's signature on the WISP's public key:
$$s_0^2 \equiv (-1)^{c_2} \cdot a_0^{c_1} \cdot H(ID_W, n_W) \pmod{n_T}, \qquad s_1^2 \equiv (-1)^{c_4} \cdot a_1^{c_3} \cdot H(SSID, n_A) \pmod{n_W}.$$
If the validation fails, the MU aborts the login process, since it could be facing an impersonated AP.

Step 2: MU -> AP2. Based on the SSID of AP2, the MU looks up the session ID and session key cached for AP2 in its cache table. If no non-expired session key exists, the regular authenticated key agreement and login process is performed. Otherwise, the MU chooses a random nonce $n_1$ and a random $k$-bit number $x'$ as its new session key contribution, computes $y_1 = MAC_K(sessionID \| n_1)$ and $e_1 = E_K(x')$, where $K$ is the cached old session key between the MU and AP2, and sends $(sessionID, n_1, y_1, e_1)$ to AP2.

Step 3: AP2 -> MU. AP2 checks whether the session identified by $sessionID$ has expired. If so, it requests the MU to perform the full authenticated key agreement and login process. Otherwise, it verifies $MAC_K(sessionID \| n_1)$ with the cached session key. If the check succeeds, AP2 continues and recovers $x'$; otherwise the handoff is aborted. AP2 then chooses a random nonce $n_2$ and a random $k$-bit number $y'$ as its new session key contribution, computes $y_2 = MAC_K(SSID \| n_1 \| n_2)$ and $e_2 = E_K(y')$, and sends $(n_2, y_2, e_2)$ to the MU.

Step 4: MU. Upon receiving $(n_2, y_2, e_2)$, the MU verifies $MAC_K(SSID \| n_1 \| n_2)$. If the check succeeds, the MU continues and recovers $y'$; otherwise the handoff is aborted. Afterward, both the MU and AP2 compute the new session key $K' = H(ID_u \| SSID \| x' \| y')$, and the MU's user information record at AP2, as well as the MU's cache entry, is updated with $K'$. This simplified authenticated key agreement protocol uses only symmetric-key encryption and keyed-hash message authentication codes, which are very fast operations compared with asymmetric-key encryption.
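The exchange described in Steps 3-5 of the login phase and in the cached-key handoff above, as an added example that is not part of the original paper. It assumes SHA-256 for $H(\cdot)$, an HMAC-SHA256 keystream as a stand-in for the unspecified symmetric cipher $E_k$ and HMAC-SHA256 for $MAC_k$, toy values for $p$ and $g$, a lifetime of 300 s, and constructed identifiers and nonces. It takes the Rabin transport of $(ID_u, x, H(PW))$ under $k_{ma}$ (Steps 2-3) and of $y$ in $d = E_x(SSID \| y)$ as already done, so both sides start with those values; the handoff is modelled as a ping-pong return to an AP that still holds a non-expired UIR, which is exactly the case the caching mechanism targets. All function names are the example's own.

```python
import hashlib, hmac, math, secrets

P, G = 2**127 - 1, 3     # prime p and base g (assumed, toy-sized; the Step 5 check holds for any g)
KBITS = 128              # bit length of the key contributions x, y, x', y'
LIFETIME = 300           # assumed UIR / cache lifetime in seconds

def H(*parts: bytes) -> bytes:          # H(.) assumed to be SHA-256 over the '||'-joined inputs
    return hashlib.sha256(b"||".join(parts)).digest()

H_int = lambda *parts: int.from_bytes(H(*parts), "big")
MAC = lambda key, data: hmac.new(key, data, hashlib.sha256).digest()
i2b = lambda v: v.to_bytes(KBITS // 8, "big")

def E(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in for E_k: XOR with an HMAC-SHA256 keystream, so E(k, l, E(k, l, d)) == d.
    A label must never repeat under one key; a real deployment would use an AEAD cipher."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

# Step 4: the MU proves knowledge of H(PW) with an ElGamal signature on the AP's challenge m.
def mu_sign_challenge(hpw: int, m: bytes):
    while True:
        k = secrets.randbelow(P - 2) + 1                     # 0 < k < p-1
        if math.gcd(k, P - 1) != 1:
            continue
        r = pow(G, k, P)                                     # may be precomputed, as the paper notes
        w = (H_int(m) - hpw * r) * pow(k, -1, P - 1) % (P - 1)
        if w != 0:                                           # w = 0: start over with a fresh k
            return r, w

# Step 5: the AP checks g^H(m) == beta^r * r^w (mod p), beta = g^H(PW), with H(PW) taken from l2.
def ap_verify_challenge(hpw: int, m: bytes, r: int, w: int) -> bool:
    beta = pow(G, hpw, P)
    return pow(G, H_int(m), P) == pow(beta, r, P) * pow(r, w, P) % P

def session_key(idu: bytes, ssid: bytes, x: int, y: int) -> bytes:
    return H(idu, ssid, i2b(x), i2b(y))                      # K = H(IDu || SSID || x || y)

def login(idu: bytes, ssid: bytes, hpw: int, x: int, now: int):
    """Steps 3-5 once the AP holds (IDu, x, H(PW)) from l2 and the MU holds y from d = E_x(SSID || y).
    Returns the AP's database {sessionID: UIR} and the MU's cache {SSID: entry}, or None on failure."""
    y, m = secrets.randbits(KBITS), secrets.token_bytes(16)
    r, w = mu_sign_challenge(hpw, m)
    if not ap_verify_challenge(hpw, m, r, w):
        return None
    K, sid = session_key(idu, ssid, x, y), secrets.token_bytes(8)
    uir = {"IDu": idu, "K": K, "expires": now + LIFETIME}     # other UIR fields omitted here
    return {sid: uir}, {ssid: {"sid": sid, "K": K, "expires": now + LIFETIME}}

def mu_handoff_request(cache: dict, ssid: bytes, now: int):
    """Handoff Step 2: reuse a non-expired cached K for this SSID; None means fall back to a full login."""
    ent = cache.get(ssid)
    if ent is None or ent["expires"] <= now:
        return None
    n1, xp = secrets.token_bytes(16), secrets.randbits(KBITS)
    y1 = MAC(ent["K"], ent["sid"] + n1)                      # y1 = MAC_K(sessionID || n1)
    e1 = E(ent["K"], b"e1" + n1, i2b(xp))                    # e1 = E_K(x')
    return ent["sid"], n1, y1, e1, xp

def ap2_handoff_respond(db: dict, ssid: bytes, sid: bytes, n1: bytes, y1: bytes, e1: bytes, now: int):
    """Handoff Step 3: AP2 checks expiry and the MAC, recovers x', replies (n2, y2, e2), stores K'."""
    uir = db.get(sid)
    if uir is None or uir["expires"] <= now:
        return None                                          # expired: demand a full login
    K = uir["K"]
    if not hmac.compare_digest(y1, MAC(K, sid + n1)):
        return None                                          # bad MAC: abort
    xp = int.from_bytes(E(K, b"e1" + n1, e1), "big")
    n2, yp = secrets.token_bytes(16), secrets.randbits(KBITS)
    y2 = MAC(K, ssid + n1 + n2)                              # y2 = MAC_K(SSID || n1 || n2)
    e2 = E(K, b"e2" + n2, i2b(yp))                           # e2 = E_K(y')
    uir["K"] = session_key(uir["IDu"], ssid, xp, yp)         # K' = H(IDu || SSID || x' || y')
    return n2, y2, e2

def mu_handoff_finish(cache: dict, idu: bytes, ssid: bytes, n1: bytes, xp: int, n2: bytes, y2: bytes, e2: bytes):
    """Handoff Step 4: the MU checks the MAC, recovers y', and replaces the cached K with K'."""
    ent = cache[ssid]
    if not hmac.compare_digest(y2, MAC(ent["K"], ssid + n1 + n2)):
        return None
    yp = int.from_bytes(E(ent["K"], b"e2" + n2, e2), "big")
    ent["K"] = session_key(idu, ssid, xp, yp)
    return ent["K"]

def demo() -> dict:
    # Constructed scenario: full login, then a ping-pong return to the same AP inside the lifetime.
    idu, ssid, x, now = b"mu-0001", b"hotspot-A", secrets.randbits(KBITS), 1_000
    db, cache = login(idu, ssid, H_int(b"correct horse"), x, now)
    sid, n1, y1, e1, xp = mu_handoff_request(cache, ssid, now + 10)
    n2, y2, e2 = ap2_handoff_respond(db, ssid, sid, n1, y1, e1, now + 10)
    k_mu = mu_handoff_finish(cache, idu, ssid, n1, xp, n2, y2, e2)
    sid, n1, y1, e1, xp = mu_handoff_request(cache, ssid, now + 20)
    tampered = ap2_handoff_respond(db, ssid, sid, n1, bytes(32), e1, now + 20)
    return {"keys_agree": k_mu == db[sid]["K"],
            "tampered_rejected": tampered is None,
            "expired_falls_back": mu_handoff_request(cache, ssid, now + LIFETIME) is None}
```

`demo()` returns three checks: both sides derive the same $K'$, a forged $y_1$ is rejected before any key material is touched, and an expired cache entry makes the MU fall back to the full login, which are the branches Steps 2 and 3 of the handoff phase describe. The Step 5 identity $g^{H(m)} \equiv \beta^r r^w$ holds because $k w \equiv H(m) - H(PW)\,r \pmod{p-1}$, so $\beta^r r^w = g^{H(PW) r + k w} = g^{H(m)}$.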

D. Password Change Phase

This phase is activated whenever the MU intends to change its password. The MU can easily change its password by submitting its new password material to the TTP through a secure channel. This phase works as follows:

Step 1: The MU inserts its smart card into the smart card reader of a terminal and enters a new password $PW^*$ to replace the old password $PW$.

Step 2: The smart card computes $H(PW)$ and $H(PW^*)$. Then the MU computes $P_u^* = g^{H(PW^*)} \bmod p$ and submits $(P_u, ID_u, s_2, c_5, c_6, P_u^*)$ to the TTP for the password change through a secure channel, e.g., SSL.

Step 3: The TTP performs the following operations:

a) $s_2^2 \equiv (-1)^{c_6} \cdot a_0^{c_5} \cdot H(ID_u, P_u) \pmod{n_T}$ is verified, where $P_u = g^{H(PW)} \bmod p$. If it holds, the TTP accepts the password change request; otherwise the request is rejected. (As written, this check involves only the card-resident values $(P_u, s_2, c_5, c_6)$; the $H(PW)$ computed in Step 2 is not itself part of the submission.)

b) The TTP first computes $c_5^*$:
$$c_5^* = \begin{cases} 0, & \text{if } \left(\frac{H(ID_u, P_u^*)}{n_T}\right) = 1 \\[4pt] 1, & \text{if } \left(\frac{H(ID_u, P_u^*)}{n_T}\right) = -1 \end{cases}$$
Then the TTP computes $t_2^* = a_0^{c_5^*} \cdot H(ID_u, P_u^*)$ and derives $c_6^*$ such that
$$c_6^* = \begin{cases} 0, & \text{if } \left(\frac{t_2^*}{p_T}\right) = \left(\frac{t_2^*}{q_T}\right) = 1 \\[4pt] 1, & \text{if } \left(\frac{t_2^*}{p_T}\right) = \left(\frac{t_2^*}{q_T}\right) = -1 \end{cases}$$
Then the TTP computes $r_2^* = (-1)^{c_6^*} \cdot a_0^{c_5^*} \cdot H(ID_u, P_u^*)$ and derives $s_2^*$ such that $(s_2^*)^2 \equiv r_2^* \pmod{n_T}$.

c) The TTP sends $(p, g, a_0, n_T, P_u^*, ID_u, s_2^*, c_5^*, c_6^*)$ back to the smart card at the MU's side.

Step 4: Upon receiving the updated parameters from the TTP, the smart card replaces the old parameters with the new ones. Thus the MU's password is changed.

III. SECURITY ANALYSIS

The security of the proposed scheme is analyzed as follows.

(1) Prevention of replay attack: In a replay attack, an adversary replays an intercepted login message in order to impersonate a legitimate user. This does not work in the proposed scheme because of the time interval check in Step 3. If the timestamp $T$ included in a login request is not reasonable, i.e., the transmission interval is larger than a pre-defined threshold, the AP rejects the login request.

(2) Prevention of impersonation attack: In our application scenario, an impersonation attack can target either a legitimate MU or an AP. Mutual authentication is used in the proposed scheme to prevent impersonation in both cases. Firstly, an adversary cannot forge a legal login request even if it has intercepted previous login messages. To forge a valid login, the adversary needs both the valid smart card and the corresponding password. The password is difficult to derive from the public parameter $P_u = g^{H(PW)} \bmod p$: this relies on the difficulty of computing discrete logarithms over finite fields, which is widely believed to be intractable for suitably large $p$ (it is not known to be NP-complete). Furthermore, the one-way hash function hides the real user password, so it is computationally infeasible to recover $PW$ from $H(PW)$ alone. Thus, the adversary cannot forge a valid login and impersonate a legitimate MU. Secondly, the proposed localized authentication protocol prevents impersonation of the AP. A malicious attacker could broadcast bogus beacons to attract legitimate users within its radio range and defraud them of their authentication information. In the proposed protocol, a highly efficient mutual authentication resists this attack: the MU sends $l_1 = k_{ma}^2 \bmod n_A$ and $l_2 = E_{k_{ma}}(ID_u, x, r_1, H(PW), s_2, c_5, c_6, T)$ to the AP only after verifying the AP's public key. Only a real AP that knows the factorization of $n_A$ can recover $k_{ma}$ from $l_1$, obtain $(ID_u, x, r_1, H(PW), s_2, c_5, c_6, T)$ from $l_2$, and respond correctly with $d = E_x(SSID \| y)$ under the secret key $x$ contained in $l_2$. This relies on the difficulty of integer factorization, which is likewise believed to be intractable for suitably large moduli (and likewise not known to be NP-complete).

(3) Prevention of password guessing attack: It is difficult for any adversary to derive the user password without knowing the private key of the AP. Moreover, an adversary cannot perform an off-line password guessing attack because a random number $r_1$ is included in $l_2 = E_{k_{ma}}(ID_u, x, r_1, H(PW), s_2, c_5, c_6, T)$.

(4) Multiple factor authentication: In practice, it is quite likely that the MU's password is leaked. However, even if the adversary knows the MU's password, it still cannot forge a user login. To create a forged login, the adversary needs the information stored in the MU's smart card, which is hard to obtain. The smart card thus provides an extra layer of protection in the authentication procedure. Additionally, once the user learns that its password has leaked, it can easily invoke the password change protocol and change its password.

(5) Privacy of communication between the MU and the AP: The communication between the MU and the AP is protected by the secret session key $K$, so an adversary cannot learn its content without $K$. To obtain $K$, the adversary needs both the MU's key contribution $x$ and the AP's key contribution $y$. For $x$, only a party that knows the factorization of $n_A$ can recover $k_{ma}$ and decrypt $l_2 = E_{k_{ma}}(ID_u, x, r_1, H(PW), s_2, c_5, c_6, T)$, i.e., an integer factorization problem. For $y$, only a party that knows $x$ can decrypt $d = E_x(SSID \| y)$, which again reduces to the same factorization problem.

In summary, the proposed scheme resists replay attacks, impersonation attacks and password guessing attacks, and protects the privacy of communication between the MU and the AP. It also achieves multiple factor authentication for a better security guarantee.

IV. PERFORMANCE EVALUATION

We evaluated the proposed authentication scheme through qualitative discussion and computer simulation, particularly with respect to the authentication latency and the additional energy consumption during the handoff process. In the evaluation, the resources at the MU's and AP's sides are taken to be asymmetric: at the MU's side, the MS has limited power and computational capacity, whereas an AP is physically stationary with unlimited power and sufficient computational capacity.

A. Authentication Latency

In the proposed scheme, fast authentication is achieved based on the following facts. Firstly, the delay is largely reduced by the adoption of a localized authentication strategy. Secondly, the proposed scheme is based on the ElGamal signature scheme [10] and the Rabin cryptosystem [11]. The ElGamal signature scheme is well known for allowing pre-computation of some intermediate values, which speeds up signature generation: with pre-computation, ElGamal signature generation requires only a single large modular multiplication. In the proposed scheme, only the ElGamal signature generation operation is implemented at the MU's side. The Rabin cryptosystem runs extremely fast at one side because of its asymmetric computational cost: encryption (or signature verification) is extremely fast, while decryption (or signature generation) is comparably slow and requires a large amount of computation [11]. In the proposed scheme, only two signature verifications and one encryption of the Rabin cryptosystem are used at the MU's side, which execute very fast. Table I shows the execution time of the encryption and verification operations of the Rabin cryptosystem, and of the signature generation and verification operations of the ElGamal signature scheme.

TABLE I. Latency (in milliseconds) of cryptographic operations of the Rabin cryptosystem and the ElGamal signature scheme (1024-bit moduli)

ElGamal-1024
  Signature, without pre-computation   2.26
  Signature, with pre-computation      0.46
  Verification                         2.74
Rabin-1024
  Encryption                           0.015
  Verification                         0.015

* The computational costs of the cryptographic operations of the Rabin cryptosystem and the ElGamal signature scheme were measured on an Intel Pentium 4 3.0 GHz machine with 1 GB RAM running Fedora Core 4, using the MIRACL cryptographic library [12].

From Table I, the computing time at the MU's side is negligible. Furthermore, by caching session keys during roaming users' handoff phase, the delay can be reduced further, since only symmetric-key encryption and keyed-hash message authentication code operations are required, which are very fast and easy to implement.

B. Energy Cost

The energy efficiency of the proposed localized authentication scheme is investigated next. Since the AP has no power limitation, only the MU's energy consumption is taken into consideration. We assume that the symmetric-key encryption algorithm, hash function and keyed-hash message authentication code adopted in the system are AES, MD5 and HMAC, respectively. (MD5 is no longer collision-resistant, whereas the scheme requires $H(\cdot)$ to be; the choice here only serves the energy estimate, and a deployment should use a current hash function such as SHA-256.) Table II (at the bottom of the paper) summarizes the energy consumption of the various cryptographic operations involved in the proposed scheme. Let $E$ denote the total energy cost of one authentication procedure, which includes the following three components: (1) the various cryptographic operations, (2) the cost of transmitting, and (3) the cost of receiving the messages exchanged between the MU and the AP.

There are two types of authentication processes in the proposed scheme. One is the regular authentication process, which happens during the MU's login phase or during a handoff without a non-expired cached session key at the AP. The other is the cached-session-key authentication process, which occurs during the MU's handoff phase when a non-expired cached session key exists at the AP. Based on Table II, the energy consumed in the two types of authentication is estimated as 367.48 mJ and 31.24 mJ, respectively; the session key caching mechanism therefore reduces the energy consumption of an authentication procedure significantly. This verifies that the proposed caching mechanism can mitigate the impact of the ping-pong movement problem when an MU roams across WLANs. Note that the ping-pong effect cannot be completely eliminated by employing a motion prediction model in the handoff scheme, due to diverse user movement patterns and environmental factors such as the layout of buildings.

V. CONCLUSIONS

In this paper, an efficient two-factor localized authentication scheme for WLAN roaming has been proposed. The proposed scheme takes advantage of the Rabin cryptosystem and the ElGamal signature scheme, and is considered a stronger authentication scheme than its counterparts, since two independent factors are adopted to determine whether an MU is authentic. The proposed scheme also considers the constraints of the wireless communications environment, such as the limited computation power, memory, and battery capacity of mobile stations (MSs), and the ping-pong movement problem when roaming across WLANs. We have demonstrated the merit of the proposed scheme through extensive discussion and security analysis. Numerical results demonstrate that the proposed authentication process not only achieves negligible latency but also significantly reduces the energy consumption at the MU’s side without losing the capability of security assurance. As future research, we plan to develop an analytic model to study the efficiency of the proposed localized authentication scheme when MUs roam across WLANs.

REFERENCES

[1] K. Ohira, Y. Huang, Y. Okabe, K. Fujikawa, and M. Nakamura, “Security analysis on public wireless Internet service models,” in Proceedings of the 3rd ACM International Workshop on Wireless Mobile Applications and Services on WLAN Hotspots, Cologne, Germany, 2005.
[2] C. D. Laat, G. Gross, and L. Gommans, “Generic AAA architecture,” Internet Draft, March 2000.
[3] B. Anton, B. Bullock, and J. Short, “Best current practices for wireless Internet service provider (WISP) roaming,” Wi-Fi Alliance, Feb. 2003, available at http://www.weca.net/OpenSection/wispr.asp
[4] GSM Association, “WLAN roaming guidelines,” April 2003, available at http://www.gsmworld.com/documents/wlan/ir61.pdf
[5] J. Leu, R. Lai, H. Lin, and W. Shih, “Running cellular/PWLAN services: practical considerations for cellular/PWLAN architecture supporting interoperator roaming,” IEEE Communications Magazine, Vol. 44, No. 2, pp. 73-84, February 2006.
[6] M. Long, C.-H. Wu, and J. D. Irwin, “Localized authentication for wireless LAN internetwork roaming,” in Proceedings of IEEE Wireless Communications and Networking Conference, Atlanta, GA, USA, March 2004.
[7] S. Baek, S. Pack, T. Kwon, and Y. Choi, “A localized authentication, authorization, and accounting (AAA) protocol for mobile hotspots,” in Proceedings of the Third Annual Conference on Wireless On-Demand Network Systems and Services, Les Ménuires, France, January 2006.
[8] M. Hendry, Smart Card Security and Applications, Artech House Publishers, June 1997, ISBN 0890069530.
[9] N. R. Potlapally, S. Ravi, A. Raghunathan, and N. K. Jha, “A study of the energy consumption characteristics of cryptographic algorithms and security protocols,” IEEE Transactions on Mobile Computing, Vol. 5, No. 2, pp. 128-143, March-April 2006.
[10] T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Transactions on Information Theory, Vol. 31, No. 4, pp. 469-472, 1985.
[11] S. Seys and B. Preneel, “Efficient cooperative signature: a novel authentication scheme for sensor networks,” in Proceedings of SPC 2005, LNCS, Springer-Verlag, Vol. 3450, pp. 86-100, 2005.
[12] Multiprecision Integer and Rational Arithmetic C/C++ Library (MIRACL). Available at http://indigo.ie/~mscott/

Table II: Energy Cost of Cryptographic Operations (in mJ)

Operation                    Rabin-1024   ElGamal signature   MD5            AES            HMAC
                                          scheme - 1024
Encryption cost              7.98         N/A                 0.59 µJ/Byte   1.21 µJ/Byte   1.16 µJ/Byte
Ciphertext overhead (bits)   1024         N/A                 128            N/A            128
Verification cost            7.98         338.02              N/A            N/A            N/A
Signature overhead (bits)    1024         2024                N/A            N/A            N/A
Signature generation cost    1596         313.60              N/A            N/A            N/A

* The cost of receiving one byte is 28.6 µJ, and the cost of transmitting a byte is 59.2 µJ. [9]
