C: part in-clear target_name
V.4 FAST RE-AUTHENTICATION PROTOCOL ANALYSIS
A mobile node needs to receive re-authentication tickets after each inter-domain handover. If the user changes networks frequently, the delivery of credentials may cause a significant traffic overhead. In this section we introduce a scheme of authentication ticket distribution that minimizes the network load caused by re- authentication tickets distribution.
V.4.1 Security considerations
The operation of FAP is based on the result of the previous successful strong mutual authentication between the user and a network and does not depend on the used method. The protocol is supposed to be only used for user re-authentications during inter-domain roaming.
The proposed authentication protocol corresponds to requirements formulated in the RFC 4017 [97] to ensure protection of the user, the home and the visited network. Below we provide an analysis of security threats. We assume that due to the nature of wireless network all traffic is visible to a potential attacker.
Ticket interception. During the ticket acquisition phase an attacker may steal a ticket. The interceptor cannot impersonate the valid user with the ticket at the authentication phase because he is unable to decrypt the secret part and does not have enough information to reply to the Challenge message sent by the tFAPS (See Section V.2.5 ).
Impersonation. The user cannot authenticate a fake network unless the latter has decrypted the ticket. The exchange of Challenge and Response messages in the authentication phase serves for protection against the Man-in-the-Middle attack. To impersonate the valid user the attacker must have full access to the information kept on the user terminal.
Modification of information. We assume that the user and its home network share some secret and the anchor network signs the Ticket Response message during the ticket acquisition phase. So the user is able to detect data modifications. During the authentication phase the target network can verify the signature of the ticket and, if it is not valid, the tFAPS does not continue authentication.
Discovery of keys. The third party that has revealed the authentication key or a key derived from the key material cannot guess the information used for their generation because all keys are calculated using one-way pseudo-random function. The keys are mutually generated and are not transmitted between the FAPC and the FAPS. Denial of service attack. At the end of the authentication phase, the malicious node cannot carry out a DoS attack as the Failure message is signed with Ka and the FAPC
can authenticate its origin.
Service stealing attack. If the FAPS is compromised or one of the roaming shared keys is exposed then tickets can be created on its behaviour. To privilege its own subscribers and to prevent denial-of-service attacks a network may limit the number of users that can be served in a time period (e.g. per day or per hour) per partner.
V.4.2 Comparison with standard methods
In previous approaches like EAP-TTLS the target network must also communicate with the user's home network to authenticate the user. Table V.4 shows a comparison between the TTLS-MD5 authentication protocol, used for illustration purposes, and the proposed solution.
Table V.4: TTLS and FAP protocol operation comparison
TTLS-MD5 FAP reactive
Server certificate Yes No
RTT MN-target AS 6.5 2 RTT MN-home AS 2 1 RTT target – home AS 1.5 0 Symmetric encryption/decryption 4 6 Asymmetric encryption/decryption 2 0 Signature/verification 1 2
The idea of the method is similar to that used in the Kerberos protocol [123]: to access a service a client presents a ticket issued by the party trusted by both the service holder and the user. The Kerberos was not designed for inter-domain communications and the server is usually an intermediate between two authenticating parties while the proposed protocol facilitates direct communications between the client and the server.
Table V.5: Kerberos and FAP protocol operation comparison
Characteristics FAP Kerberos
Information kept by the client
Authentication Ticket Ticket Granting Ticket,
TGS session key Number of messages
exchanged (network access phase)
4 4 (with TGS)+3 (with NAS)
Number of entities involved in network access phase
Client, AP, AS Client, AP, TGS, NAS
Number of entities involved in secret acquisition phase
Client, Current AS, Home AS Client, Current AC, TGS, Home AC, TGS
Number of cryptographic operations performed by the server 1 encryption 1 decryption 1 PRF calculation 3 decryption 1 encryption Number of cryptographic
operations performed by the client
1 decryption 1 PRF calculation
2 decryption 1 encryption
The Kerberos protocol requires too much operation to be used for authentication purposes. The extension of Kerberos for inter-domain communication is based on referral tickets, where one network provides a user with the key of a partner. Each server should keep a large quantity of session keys for all its neighbour partners and users. A part of Authenticator is the user’s IP address that may have no meaning in the roaming scenario.
If we want to use Kerberos for authentication in the roaming scenario, the service is represented by network access. The mobile node authenticates with AC in the trusted domain and obtains Ticket Granting Ticket (TGT) (3 messages exchanged). After that
it communicates with TGS in order to receive a Client-to-Server Ticket and a Client- to-Server encryption key (4 messages exchanged). Having a ticket, a client starts communication with the server (network access server in our case) exchanging 3 messages.
To access services in a trusted domain, the Kerberos protocol uses referral tickets. The TGS gives a user a TGT and a session key for a TGS in the domain providing required service. The mobile node communicates with this TGS in a foreign domain and receives a session key and a Client-to-Server ticket to access an asked service.
V.4.3 Compared to ticket-based authentication proposals
The proposed Fast re-Authentication Protocol (FAP) implements the concept of recommendation credentials but it differs from approaches described in [124, 125, 126, 127, 128] in some points. Firstly the protocol provides user authentication before any interaction with a visited network, which enforces network protection. As the authentication ticket may be created both by the home and by the visited network the approach tries to extend the mobility region for the mobile user. The proposed authentication ticket does not require any management due to its short validity period. We propose a mobile node-driven authentication scenario, which eliminates communication between different networks.
Table V.6 summarizes the security and management features of the proposed and previous protocols.
Table V.6: Comparison of Ticket-Based Approaches
Related work Characteristics Hong [124] Wang [125] Long [126] Polito [127] Ohba [128] FAP Communication target – home AS No No No If cache miss Yes, reactive No Communication
target – current AS Yes No No
If cache
miss No No
PKI No Yes Yes Private No No
Mutual authentication
Yes,
optional Yes Yes Yes Yes Yes
Related protocol/Level Mobile IPv6/ Network Mobile IP/ Network SSL/ Link, Applicatio n EAP/ Link EAP/ Link EAP/ Link Issuer of credentials Visited Home/
Visited Home Home
Home /Broker
Home/ Visited Management of
credentials No Yes Yes Yes Yes No
Key material
derivation Yes No Yes Yes Yes Yes
RTT 2*/3** 1.5 4.5 2.5 1*/2.5** 2
*Proactive mode, **Reactive mode
The proposed Fast re-Authentication Protocol also implements the concept of recommendation credentials but it differs from approaches described above in some points. First of all, the protocol provides user authentication before any higher layer interaction with a visited network, which enforces network protection. As the authentication ticket may be created by both the home and the current network the approach extends the mobility region for the mobile user. The proposed authentication ticket does not require any management due to its short validity
period. We propose a user terminal-driven authentication scenario, which eliminates communication between different networks. Table V.6 summarizes listed approaches.
V.4.4 Summary
In this section we have presented a Fast re-authentication Protocol for inter-domain roaming. FAP localizes the authentication process, eliminates the need for heavy management of user credentials and minimizes communications between different domains. The aim of the proposed solution is to minimize authentication time and consequently the overall time for inter-domain handover. In-session inter-domain communication is still needed for management and ticket acquisition reasons. However, these interactions are not critical for the handover process. FAP allows mutual generation of key material, which serves to produce session encryption keys. The protocol is supposed to be implemented for the first authentication in a new target administrative domain. All subsequent authentications within the same domain may be optimized using intra-domain fast re-authentication methods such as described in [14, 109, 111, 114, 117].
The knowledge of the client’s neighbourhood of the current network of attachment may be used to reduce the number of tickets generated and sent to each user. If the FAPS knows the current location of its subscriber and it knows which partners adjoin its network, it only generates and sends tickets for these partners.
We have presented the optimized distribution of tickets for fast authentication protocol. The proposed solution reduces network load at the ticket acquisition phase and makes it possible to serve a greater number of highly mobile users. We have introduced the reactive mode of FAP operation, in which a home network creates a neighbour table containing information about the presence of a physical path between its roaming partners.
We have implemented Fast re-Authentication Protocol as a new EAP method to avoid modifications at the access point and minimize modifications on the authenticator side. The aim of our experiments has been to study the performance of the authentication phase of the protocol. In our simulations we estimated the time for neighbour table creation and the impact of reactive mode of ticket acquisition on the authentication latency as functions of the number of subscribers and their type of mobility.
V.5 CHAPTER SUMMARY
In this chapter we have introduced two approaches to improve security related signalling during handover. We have started with a proposal for compound user authentication in a visited network, which addresses the problem of long authentication latency in the scenario where service access authentication is decoupled from network access authentication. The proposed approach makes the authentication to a service transparent for a user. The modus operandi is based on the combination of standard protocols such as 802.1X and, for example, PANA.
The handover process still takes a long time and does not allow real-time applications to run without soft handover support. It has been assumed that handover latency may be reduced by the use of pre-authentication schemes defined for PANA.
Following analysis of the vulnerabilities and performance of inter-domain pre- authentication carried out in [M. Komarova, “Problem Statement for Authentication Signalling Optimization”. IEEE 802.21 MIHS Project; DCN 21-07-0387-00-0000, 2007] the pre-authentication approach has been considered costly and non-scalable. Thus a new method for fast authentication has been proposed.
The Fast re-Authentication Protocol eliminates the need for communication between the target and the mobile node’s home network during handover execution. The authentication process is based on the use of lightweight authentication tickets containing information about the previous authentication result. Our approach is considered to be independent of the underlying wireless technology and the authentication method implemented in the previous network of attachment.
In order to decrease the number of tickets issued for the mobile node by its home network, the optimized scheme for ticket distribution has been proposed. The neighbour table constructed dynamically by each authority having roaming partners and serving mobile users not only allows pre-authentication signalling optimization but may also serve to provide a mobile user with information for target network selection in a handover.
We implemented the fast re-authentication mechanism on a test platform, which is described in Section V.2.6. Our experiments have shown how the proposed approach can decrease inter-domain authentication latency. As we have implemented the proposed protocol as a new EAP method, it can be easily integrated with the compound link-layer and network-layer authentication approach.
We studied the effectiveness of the proposed ticket distribution scheme by a series of simulations that are described in Annex A.