Chapter 4 Analysis of Security Protocols and Architectures for Binding Updates
4.6 Discussions
The Mobile IP working group is currently searching for a security solution that enables semi-secure, weak authentication between IPv6 Mobile Nodes (MNs) and Correspondent Nodes (CNs) in the global Internet. A less than perfect security solution is necessary in this situation because strong authentication between previously unknown peers would require a global Public Key Infrastructure (PKI). This is neither possible nor desirable with the current Mobile IPv6 infrastructure. The purpose of the weak authentication mechanism is to establish a Binding Security Association (BSA) between the MN and the CN for the secure exchange of Binding Updates (BUs). There are various alternatives for how the BUs can be protected, but most of them fall under the category of "Use IPSec for everything" or "Don't Use IPSec At All" [59].
Strong authentication may be offered as an alternative to weak authentication for certain networks, or it can be used simultaneously with the weak methods. Typical security technologies allow users to define the IP addresses or networks on which certain methods should be used. However, this opens an attack in which the packet source address is forged to appear to reside within the secure network, so that the packet claims no security is needed [60]. This can fool the destination if it relies on addresses in its security policies.
The cost of strong authentication may exceed the benefits. Mobile IPv6 does not justify the introduction of a global public key infrastructure for the sole purpose of authenticating nodes participating in the optimisations. In some cases the use of weak authentication makes the cost of the attack to the attacker exceed the value of the data [61]. Binding updates, however, are very valuable; perhaps the use of a timestamp in conjunction with weak authentication may give the necessary delay that would render the information gained useless in the case of replay attacks.
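The timestamp idea above can be made concrete as follows. This is an added example, not code from the cited protocols: the message layout, the HMAC-SHA256 tag, the 30-second window and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

MAX_SKEW = 30  # seconds a Binding Update stays fresh (assumed value)

def make_bu(bsa_key, home_addr, care_of, ts):
    """Constructed BU layout: 8-byte timestamp | "HoA|CoA" | HMAC-SHA256 tag."""
    body = struct.pack("!Q", ts) + f"{home_addr}|{care_of}".encode()
    return body + hmac.new(bsa_key, body, hashlib.sha256).digest()

class BindingCache:
    """Correspondent-node side of one Binding Security Association."""

    def __init__(self, bsa_key):
        self.bsa_key = bsa_key
        self.last_ts = {}   # home address -> newest timestamp accepted
        self.bindings = {}  # home address -> current care-of address

    def accept(self, bu, now):
        if len(bu) < 8 + 32:
            return "malformed"
        body, tag = bu[:-32], bu[-32:]
        expected = hmac.new(self.bsa_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"            # the timestamp is covered by the MAC
        (ts,) = struct.unpack("!Q", body[:8])
        try:
            home_addr, care_of = body[8:].decode().split("|")
        except ValueError:
            return "malformed"
        if abs(now - ts) > MAX_SKEW:
            return "stale"              # captured BU replayed after the window
        if ts <= self.last_ts.get(home_addr, -1):
            return "replay"             # captured BU replayed inside the window
        self.last_ts[home_addr] = ts
        self.bindings[home_addr] = care_of
        return "ok"
```

The freshness window alone still admits a replay within MAX_SKEW seconds, which is why the cache also remembers the newest timestamp accepted for each home address.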
The use of public key cryptography is essential, as it is an effective way of determining the authenticity of data, especially in the case of digital signatures [4]. However, the cost of public key algorithms such as RSA is too high for mobile devices to use efficiently. The implementation of elliptic curve cryptography [21] can reduce the cost to resources without compromising strength and effectiveness.
It is, however, possible to have an authentication protocol that does not use public key cryptography, such as the symmetric key protocol. This is the simplest of the binding update protocols and is not very resource intensive; the problem that arises is how to distribute the keys without them being intercepted.
Optimisations to the symmetric key protocol can allow it to be used with manually configured shared secret keys between the mobile and home agent, where the agent maintains a database of issued keys. Another idea is to use a certificate-based shared secret key agreement to associate a node's public key with its home address, allowing the PKI to authenticate the home address.
The shared key protocol can be extended to dynamically establish the shared secret (the BAKE/2 protocol [15]). However, communications between nodes must be protected from eavesdropping by security not supplied by this protocol, such as IPSec [12]. Another drawback is that the protocol does not defend against an attacker who can monitor the route from the home agent to the correspondent node. It can, however, protect the correspondent node against denial of service attacks that flood it with bogus messages. This prevents resource exhaustion because large amounts of processing power are not used to handle messages that have yet to be authenticated. This protocol is suitable for communication between a mobile node and a non-mobile server but may not be suitable for communication with a mobile server.
The BAKE/2 protocol protects against DoS attacks in which the attacker uses the victim's care-of address to redirect high-bandwidth traffic to it. Flow control protocols such as TCP do not defend against this attack because the acknowledgements can be forged. The protocol succeeds because it only completes with nodes that participate in it.
CAM-DH combines the BAKE/2 protocol [15] with a digitally signed Diffie-Hellman key exchange. This protocol can be optimised if all of the asymmetric cryptographic operations that the mobile carries out are delegated to the home agent, provided that the home agent is given access to the appropriate keys. A further optimisation applies if the correspondent node is mobile: all of the asymmetric cryptographic operations that the correspondent performs can instead be performed by the correspondent's home agent.
The BAKE/2 and CAM-DH protocols prevent DoS attacks by verifying that packets sent to a mobile's claimed care-of address reach a willing participant of the protocol, which prevents redirection attacks. These protocols also do not authenticate the care-of address. If an attacker intercepts packets sent to the care-of address, it will be able to complete the protocol and flood the unwilling care-of address with data. Deriving the care-of address and the home address from the node's public key is an alternative method of authenticating them; however, this was not used in BAKE/2 or CAM-DH because of restrictions imposed on them by the sub-networks.
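The two properties discussed above, that the correspondent spends little on unauthenticated messages and that a binding only completes when the claimed care-of address answers, are sketched below. This is an added, simplified illustration and not the BAKE/2 or CAM-DH message format: the token construction, the in-memory `network` inbox and all names are assumptions, and token expiry is omitted.

```python
import hashlib
import hmac
import os

class Correspondent:
    """Stores nothing about a request until the care-of address has answered."""

    def __init__(self):
        self.secret = os.urandom(32)  # local secret, never transmitted
        self.bindings = {}            # home address -> care-of address

    def _token(self, home_addr, care_of):
        msg = f"{home_addr}|{care_of}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def challenge(self, home_addr, care_of, network):
        # Routed to the claimed care-of address, not back to whoever asked.
        network.setdefault(care_of, []).append(self._token(home_addr, care_of))

    def binding_update(self, home_addr, care_of, token):
        # One cheap MAC recomputation; no stored state, no asymmetric crypto.
        if not hmac.compare_digest(token, self._token(home_addr, care_of)):
            return False
        self.bindings[home_addr] = care_of
        return True

def run_exchange():
    """Constructed addresses; `network` maps an address to its inbox."""
    cn, network = Correspondent(), {}
    home, coa, bystander = "2001:db8::1", "2001:db8:a::5", "2001:db8:b::9"

    # The mobile node receives at its care-of address and echoes the token.
    cn.challenge(home, coa, network)
    willing = cn.binding_update(home, coa, network[coa].pop())

    # A request naming the bystander's address: the token lands in the
    # bystander's inbox, it never echoes it, so the request cannot complete.
    cn.challenge(home, bystander, network)
    unwilling = cn.binding_update(home, bystander, bytes(32))

    # A token issued for one care-of address does not validate another.
    cn.challenge(home, coa, network)
    moved = cn.binding_update(home, bystander, network[coa].pop())
    return willing, unwilling, moved, cn.bindings
```

The check proves only that someone receiving at the care-of address took part; it does not authenticate that address, which is the limitation the paragraph above describes.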
The one thing that stands out in all of these security protocols is that, in their very first message, they transmit the home address and care-of address to the correspondent in plain sight. This gives away the mobile node's location, which can be the basis for a number of attacks. A solution must be found to initiate a binding update without giving this confidential information away to potential attackers.
To address the issue of location privacy, [43] introduces the idea of an authorised-anonymous ID based scheme, which eliminates the need for a trusted server or administration. A cryptographic technique called blind signatures is used to generate an authorised anonymous ID, which is used to replace the real ID of the mobile device. To address location privacy issues, an architecture was designed on the Wireless Andrew 802.11 WLAN network, which used a centralized location server that stored the location data of registered mobile users. It is suggested in [43] that a distributed architecture would be more appropriate, as a centralized architecture has several drawbacks: the location privacy of mobile users is not under the users' control; the central server is a single point of failure, and a successful attack on it would compromise location privacy; and a centralized architecture is not scalable. However, this system requires initial authentication from an infrastructure that supports either a public key (PKI) or a Kerberos-based system.
The work is not designed for Mobile IP, but it is related, as Mobile IP shares a similar structure. They are, however, essentially different in two ways. First, Mobile IP is concerned with packet forwarding and routing, whereas this system is about providing a location service to the user. Second, they operate at different layers: Mobile IP works at the network layer and this system works at the application layer.