3.2 The Proposed Authentication Protocols
3.2.1 The Login Authentication Protocol (LAP)
The trust between a client and a MAP is established via the client certificate and the MAP certificate. Since an agent is a trusted authority, a client certificate (or a MAP certificate) issued in advance by the agent is the proof of the authentication between the agent and the corresponding client (or MAP).
(1) C → R: IC
(2) R → C: TR
(3) C → R: TC, EPR(NC1, NC2, NC3)
(4) R → C: EPC(NR1, NR2, NR3)
(5) C → R: NR2
(6) R → C: NC2, ΘC
(1) A client C requests to join a network and associate with a MAP. C sends a request message containing its ID to MAP R.
(2) MAP R replies with a message which contains its MAP certificate to inform mesh clients and neighboring MAPs of its presence and ID. Client C verifies the digital signature of the certificate agent A who issued the MAP certificate TR using A's public key. (We assume that client C and MAP R have the public key certificate of the certificate agent.) C also verifies other information in the MAP certificate such as the ID of the certificate agent and the certificate expiry date.
(3) If the above verifications are successful, C extracts the MAP's public key from the MAP certificate TR (see Section 3.1.2.2) and generates three nonces NC1, NC2 and NC3. C then encrypts the nonces NC1, NC2 and NC3 using MAP R's public key PR, and sends the encrypted message EPR(NC1, NC2, NC3) and C's client certificate TC to MAP R. Upon receiving the message, R decrypts NC1, NC2 and NC3 using its private key, and verifies the digital signature of the certificate agent who issued the client certificate TC (using the certificate agent's public key). R then verifies other information recorded in the client certificate TC such as the ID of the certificate agent who issued TC and the certificate expiry date.
(4) If the above verifications succeed, MAP R retrieves the client's public key from certificate TC (see Section 3.1.2.1), and generates a message containing three nonces NR1, NR2 and NR3. R then encrypts the three nonces NR1, NR2 and NR3 using the client's public key PC, and sends the encrypted message EPC(NR1, NR2, NR3) to client C. C will decrypt the message using its private key to get NR1, NR2 and NR3. Both the client and the MAP then calculate their shared MAC key KMAC = NC1 || NR1, where the operator || denotes concatenation, and NC1 and NR1 are the nonces generated in steps (3) and (4). (The security of nonces NC1 and NR1, and thus inclusively key KMAC, is ensured by the MAP's and client's public-private keys.)
(5) Client C then sends NR2 to the MAP R. Upon receiving this message, MAP R has successfully authenticated the client C, because only C has the knowledge of NR2.
(6) To allow the client to authenticate the MAP, R sends NC2 (generated by C in step (2)) to client C. The MAP also creates an intra-network transfer certificate ΘC for C, and subsequently sends a message containing both NC2 and the intra-network transfer certificate to C. After client C receives NC2 correctly, it is considered to have successfully authenticated the MAP because only R has the knowledge of
to another in the network.
Following are additional discussions of the above protocol.
(a) Although other clients could see and may attempt to use the intra-network transfer certificate, only the rightful owner of the certificate will be able to use it to pass the handover authentication procedure. The certificate has to be used in conjunction with the key KMAC, which only the client owning the intra-network transfer certificate knows (see Section 3.2.2).
(b) We recommend SHA-2 hash functions for use in the hash-based MAC algorithm because they are employed in several widely-used security applications and protocols. SHA-2 is considered collision resistant [73].
If the size of the MAC output is L bits, the size k of the MAC key KMAC should be longer than L/2 bits. Key sizes of less than L/2 bits would decrease the security strength of the function. Keys longer than L bits are acceptable but the extra length would not significantly increase the function strength [74]. Therefore, we recommend a key size of 160 bits, the same size as that of the SHA-2 outputs. As a result, the size of the nonces NC1 and NR1 (and of the other nonces) is 80 bits.
(c) Key management between a MAP and a client allows the MAP and the client to derive a shared key to be used after the authentication for secure data exchanges. We follow the framework of key management defined in IEEE 802.11i security standards [35]. That is, right after step (4) of the authentication procedure, both parties compute a shared pairwise master key as follows:
PMK = NC3 || NR3    (3.1)
After the login authentication is completed, the two parties use the pairwise master key PMK to compute a shared key called pairwise transient key (PTK) as specified by the IEEE 802.11i security standards (see Section 3.2.3). The PTK will be used to encrypt packets exchanged between the client and the MAP. The generation and computation of the PTK is discussed in Section 3.2.3.
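The key derivation and nonce-echo checks of steps (4) to (6) and discussion items (b) and (c), as an added Python sketch that is not part of the original text. It assumes the public-key encryption of steps (3) and (4) has already delivered the nonces to both sides; HMAC-SHA-256 is chosen here as one SHA-2 instance, and the names Party, mac_tag, key_long_enough and run_lap are hypothetical.

```python
import hashlib
import hmac
import secrets

NONCE_BITS = 80  # nonce size recommended in discussion item (b)

def new_nonces(count=3):
    """Return `count` fresh 80-bit nonces from the OS CSPRNG."""
    return [secrets.token_bytes(NONCE_BITS // 8) for _ in range(count)]

class Party:
    """One side of LAP once both nonce triples are known (after step (4))."""
    def __init__(self, own, peer, is_client):
        self.own, self.peer = own, peer
        # The client's nonce comes first in both concatenations.
        nc, nr = (own, peer) if is_client else (peer, own)
        self.k_mac = nc[0] + nr[0]  # KMAC = NC1 || NR1, 160 bits
        self.pmk = nc[2] + nr[2]    # PMK  = NC3 || NR3, equation (3.1)

    def proof(self):
        """Echo the peer's second nonce: NR2 in step (5), NC2 in step (6)."""
        return self.peer[1]

    def accept(self, echoed):
        """Constant-time check that the peer echoed our second nonce."""
        return hmac.compare_digest(echoed, self.own[1])

def mac_tag(party, message, digest="sha256"):
    """Hash-based MAC over `message` keyed with the shared KMAC."""
    return hmac.new(party.k_mac, message, digest).digest()

def key_long_enough(key, digest="sha256"):
    """Item (b): key must be longer than L/2 bits, L = MAC output size."""
    out_bits = hashlib.new(digest).digest_size * 8
    return len(key) * 8 > out_bits // 2

def run_lap():
    """Run the post-decryption part of LAP; return both parties and result."""
    nc, nr = new_nonces(), new_nonces()  # generated in steps (3) and (4)
    client = Party(nc, nr, is_client=True)
    mapr = Party(nr, nc, is_client=False)
    ok = mapr.accept(client.proof()) and client.accept(mapr.proof())
    return client, mapr, ok
```

With a 160-bit KMAC the L/2 rule of item (b) holds for SHA-224 and SHA-256 outputs but not for SHA-512, so the check depends on which SHA-2 variant the MAC uses.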