A New Authentication Method for Vertical and Horizontal Handover in 3G-WLAN Interworking Architecture

The interworking of the 3G and the WLAN technique provides a perfect connectivity solution in terms of data rate, service cost and area coverage. However, the Vertical Handover (VH) from the 3G to WLAN and the Horizontal Handover (HH) between WLAN domains present an additional security challenge. The V/H handover must be fast and secure without impacting the security in both networks. Several authentication methods have been proposed to secure the VH and HH. The Extensible Authentication Protocol Key Agreement (EAP-AKA) is the authentication protocol adopted by the 3rd Generation Partnership Project (3GPP) to authenticate User Equipment by the 3G Home Networks. The EAP-AKA protocol suffers from several weaknesses, such as user identity display and high authentication delay. In this study we propose a new simplified authentication and key agreement method for vertical and horizontal handovers based on the existing EAP-AKA method. Performance analysis of the proposed method shows superior results in comparison to the existing EAP-AKA method in terms of bandwidth consumption, signaling cost and authentication delay. The security property of the new method is verified by using the formal security analyzer Automated Validation of Internet Security Protocols and Applications (AVISPA), which is well suited to finding potential attacks automatically in security protocols.


INTRODUCTION
User authentication and accounting are the most important features in network management (Rigney and Willens, 2000). All other services depend on them and no provider service can be used without a legal user authentication. The 3G mobile communication system is developed by the 3GPP for secure and high bandwidth communication. The architecture of the 3G network defines a new mechanism to interwork the 3G with the WLAN networks (3GPP, 2008). The 3G network can use the WLAN technology as an access network and benefit from the low cost implementation and the high bandwidth connectivity. One of the big challenges for this interworking is to keep the high security level for different services. In the 3G-WLAN architecture, the User Equipment (UE) connected to WLAN is authenticated first by the 3G home network (3GHN). This is due to the presence of the user information only in the 3G authentication servers (3GPP, 2004). The UE must be authenticated by the Home Subscriber Server (HSS), Home Location Registry (HLR) and Home Authentication Authorization and Accounting (HAAA). The 3G-WLAN architecture defines two types of handovers, vertical and horizontal. A vertical handover is a handover between heterogeneous networks, such as the handover between 3G and a WLAN Access Point (AP). A horizontal handover is a handover between 2 points in the same network technology (Shi et al., 2004).
The 3GPP architecture recommends using EAP-AKA to secure the 3G-WLAN interworking and to authenticate a UE attached to a WLAN (Arkko and Haverinen, 2006). The EAP-AKA method suffers from several weaknesses such as UE identity disclosure, SQN synchronization and high authentication delay. In addition, EAP-AKA doesn't offer an implicit authentication mechanism to manage the UE horizontal handover between WLAN domains. The WLAN must always authenticate the UE on behalf of the 3GHN (Matsunaga et al., 2003). These weaknesses have a negative impact on the handover delay, constrain the user mobility and decrease the Quality of Service (QOS).
In this study we propose a new authentication method to simplify the UE mobility in the 3G-WLAN architecture. Our authentication method reduces the authentication steps, doesn't require any change to the existing 3G-WLAN architecture, matches the 3GPP recommendation and doesn't require any public infrastructure. The proposed protocol requires one round of full authentication between the local WAAA server and the 3GHN authentication server. We also propose a new key framework which permits the WAAA to authenticate the UE locally during the horizontal handover. In addition, this method reduces the authentication delay and the number of authentication keys, achieves mutual authentication and protects the user identity.

EAP-AKA AUTHENTICATION METHOD
Generally the UE makes a general scan in a specific frequency and searches for a beacon packet with an SSID. When a beacon is detected, the service SSID checker is started and compares the received SSID with the saved one. On a positive check, both parties perform the authentication and the association procedures. It is likely that the WLAN reuses the 3GPP USIM authentication method. Fig. 1 shows the 3G-WLAN interworking architecture.
Extensible Authentication Protocol (EAP) is an authentication protocol defined by the IETF (Internet Engineering Task Force) (Aboba et al., 2004). The success of EAP lies in the distinction between the EAP protocol and the EAP methods used. The principal function of the EAP protocol is the protection of the confidential data (login, password, certificate, etc.) used in the authentication operation. The EAP method takes charge of the authentication process and the generation of the session keys. The EAP protocol is not attached to a particular EAP authentication method. This flexibility gives the EAP protocol an important advantage over other authentication protocols, because in case of a security failure only the authentication method is changed, without changing the whole protocol. EAP-AKA is the authentication technique adopted by the 3GPP for the 3G-WLAN architecture. It is based on challenge-response mechanisms and a pre-shared secret key K between the UE and the HSS. EAP-AKA provides mutual authentication and generation of cipher and integrity keys (Arkko and Haverinen, 2006). It can be divided into two types of authentication. EAP-AKA full authentication is invoked the first time a user equipment is attached to a wireless network. The EAP-AKA fast re-authentication mechanism is executed in 3G-WLAN handover or when a UE is attached to a new AP. The UE re-authentication is done by the HAAA based on the previously received AV from the HLR/HSS and on the number of re-authentications allowed. The whole authentication operation is handled by the UE and the 3GHN. The WLAN uses 802.11 and RADIUS protocols to forward the authentication packets between the UE and the authentication server HAAA in the 3GHN. Integrating 3G and WLAN networks requires authentication of the UE to the 3G service when it enters a WLAN for the purpose of registration, accounting and key generation (3GPP, 2006). The authentication protocols architecture is shown in Fig. 2.
The authentication procedure shown in Fig. 3 is based on the deployment of EAP with 802.11. The authentication process starts after UE association with an AP. In the first step, the UE sends an EAPOL (EAP over LAN) message to initiate 802.1X authentication. In step 2 the AP requests the UE identity and in step 3 the identity of the UE (IMSI stored in the USIM card) is obtained with EAP response messages from the UE. After receiving the UE identity the WAAA initiates a RADIUS dialog with the 3GHN authentication server HAAA and forwards the Access-request message that contains the identity reported by the UE (step 4). The HAAA uses the received UE identity to obtain the address of the HLR/HSS that contains subscription information. In step 5, the HAAA retrieves a number of authentication vectors from the HLR/HSS. The AV is generated by using a total of 10 functions to perform all the necessary features (3GPP, 2005). Each AV is composed of a Random Number (RAND), an Expected Response (XRES), a Cipher Key (CK), an Integrity Key (IK) and an Authentication Token (AUTN). The AUTN token is composed of a sequence number SQN, an Authentication Management Field (AMF) and an integrity check value MAC. Each AV is valid only for one authentication operation. In steps 6 and 7 the HAAA challenges the UE through the WAAA by sending an authentication request to the UE with the RAND number and the AUTN token. By using the pre-shared key K, the received SQN, RAND and the authentication algorithm EAP-AKA supports a fast re-authentication mechanism invoked in the case of 3G-WLAN HH (Arkko and Haverinen, 2006). The UE re-authentication is done by the HAAA based on the previously received AV from the HLR/HSS and on the number of re-authentications allowed by the service provider. Fig. 4 presents the EAP-AKA re-authentication schema.
Some types of attacks benefit from the drawbacks of full/fast EAP-AKA authentication, such as UE identity disclosure, SQN synchronization and high re-authentication delays. These weaknesses are due to the necessity of transmitting the UE identity in clear text to the HAAA and to the multiple messages exchanged between the UE and the 3GHN. To cover the user identity issue, the 3GPP proposed to use two temporary identities: a pseudonym ID used in full re-authentication and a re-authentication ID used in the fast re-authentication process (3GPP, 2006). This solution requires each UE to handle 3 identities, which adds management complexity and authentication delay. The fast re-authentication involves fewer operations than the full EAP authentication. The experimentation done in Kwon et al. (2006) shows that the fast re-authentication can reduce the full authentication delay by 46%. However, the EAP-AKA fast re-authentication method still suffers from some additional delays. This is due essentially to the fact that the HAAA is constantly busy answering authentication requests from other UEs. All these weaknesses impact the applications running in the UE and have a negative impact on the Quality of Service (QOS).
The IEEE recommends using EAP-TLS as the authentication method for UE handover in WLAN architecture. Unlike the IEEE, the 3GPP recommends using EAP-AKA in horizontal handover for the 3G-WLAN architecture. A number of solutions have been proposed to bypass this divergence. Long et al. (2004) propose to use public key cryptography to authenticate the UE by the home network in an interworking architecture similar to 3G-WLAN. Lee et al. (2005) propose to modify the 3G-WLAN interworking architecture to perform a location aware handover. This protocol predicts the UE movement and performs a fast authentication during the handover. Lim et al. (2009) propose to modify the role of the AP by having it play some UMTS base station functionalities. This solution needs to change the 3G-WLAN interworking architecture. The solution in Kambourakis et al. (2004) proposes to change the EAP-AKA method to reduce the re-authentication delay. This protocol can modify the 3G-WLAN architecture. Another authentication method, EAP-SKE, is proposed in Salgarelli et al. (2003). This method is based on a pre-shared key between the UE and wireless and needs one round of exchanged messages between the WAAA and the HAAA, but doesn't solve the UE identity problem. Other solutions are proposed to reduce the HH delays inside the WLAN architecture. For example, the protocol in Hur et al. (2007) proposes to predict the target AP by using neighbor graphs, performs a key distribution and uses EAP-TLS as the authentication method. The authentication protocol in Pack and Choi (2002) proposes to predict the UE mobility and pre-authenticates the UE by the target AP before the HH. All these authentication protocols need to change the 3G-WLAN architecture, increase the authentication delay and introduce unnecessary distribution of authentication keys. In the next section we propose a new authentication method which reduces the authentication delay and provides a secure vertical and horizontal handover.

PROPOSED AUTHENTICATION METHOD
A seamless handover is needed to enable the integration of heterogeneous network technologies into a common system architecture. In this section, we present a new authentication method to secure the vertical handoff from the 3G to the WLAN network and the horizontal handover inside the WLAN or between WLAN domains. The proposed approach eliminates the need for communication between the target WLAN network and the 3GHN to verify the UE identity during the V/H handover process. Our method is based on the preparation of authentication keys by using the Elliptic Curve Cryptosystem (ECC) and involves a sequence of messages exchanged at the beginning between the UE, the target network (TWLAN) and the 3GHN. The proposed method offers a mutual authentication mechanism and guarantees the confidentiality of data by using a hybrid cipher cryptosystem.
The security of ECC is based on the hardness of the Elliptic Curve Discrete Logarithm Problem (ECDLP). ECC offers better performance than other public-key cryptosystems, since it attains the same security level with a smaller key size. The elliptic curve equation is defined in the form $E_q(a, b): y^2 = x^3 + ax + b \pmod q$ with the order $n$ over $F_q$, where $a, b \in F_q$, $q > 3$ and $4a^3 + 27b^2 \neq 0 \pmod q$ (Hankerson et al., 2004). Given an integer $x \in F_q^*$ and a point $P \in E_q(a, b)$, the point multiplication $x * P$ over $E_q(a, b)$ is defined as $x * P = P + P + \dots + P$ ($x$ times). As mentioned, the security of ECC is based on the ECDLP, defined as follows: "Given two points $P$ and $Q$ over $E_q(a, b)$, the elliptic curve discrete logarithm problem (ECDLP) is to find an integer $I \in F_q^*$ such that $Q = I * P$. The integer $I$ is called the discrete logarithm of $Q$ to the base $P$, denoted $I = \log_P Q$" (Hankerson et al., 2004). The most naive attack on the ECDLP is exhaustive search, which can be circumvented by selecting elliptic curve parameters with $n$ sufficiently large to represent an infeasible amount of computation ($n \geq 2^{80}$). To date, ECC has resisted all known attacks (Li et al., 2008).
We assume the following directives in the proposed method:
• A secure channel between the HAAA server and the HSS.
• A secure channel between the WAAA servers and the HAAA server.
• A secure channel between the WAAA servers.
• A WAAA is responsible for multiple APs, with a secure channel between the WAAA and the APs.
• The UE can identify the identity of the AAA server and the AP.
• Each operator service selects a finite field $F_q$ over a large odd prime $q > 2^{160}$ and defines an elliptic curve equation $E_q(a, b): y^2 = x^3 + ax + b \pmod q$ with the order $n$ over $F_q$, where $a, b \in F_q$, $q > 3$ and $4a^3 + 27b^2 \neq 0 \pmod q$, and selects a public point $Q$ with the order $n$ over $E_q(a, b)$.
Fig. 5: Modified EAP-AKA authentication protocol
To hide the UE identity (IMSI) during the first UE authentication, the UE generates a temporary identity. The HSS will generate the next local user ID to be used in the next UE authentication. The HSS also determines the life cycle of the main local authentication key.
Modified EAP-AKA full authentication method: Our protocol consists of seven steps shown in Fig. 5.
Step 1: After UE detection, the AP sends an EAP request identity to the UE.
Step 2: To protect the user identity (IMSI), the UE generates a temporary ID $ID_{TE}$ that is computed in this way:
• The UE randomly selects an integer $r_{UE} \in Z_q^*$ and computes $R_{UE} = r_{UE} * U_E$, $R_{UE}' = r_{UE} * U_H$
• The encryption key is $TK_{UH} = d_E * R_{UE}'$ and the temporary user ID is $ID_{TE} = E_{TK_{UH}}(IMSI, TK_{UH})$
• The UE sends to the AP an EAP response message composed of $(ID_{TE} \| R_{UE})$
Step 3: The AP forwards the EAP response message to the WAAA, which forwards it to the HAAA. Upon reception of this message, the HAAA first calculates the local decryption key $TK_{UH}$ by $TK_{UH} = d_H * R_{UE}$ and retrieves the user IMSI by decryption of the received $ID_{TE}$ ($D_{TK_{UH}}(ID_{TE}) = IMSI$). Then the HAAA contacts the HSS server to obtain the authentication vector, which is built in this way.
The HSS generates a random number RAND, randomly selects an integer $r_H \in Z_q^*$, computes $R_H = r_H * U_H$, $R_H' = r_H * U_E$ and creates the encryption key $TK_{HU} = d_H * R_H'$. The $TK_{HU}$ is used with the help of the AKA functions (f0-9) to generate the authentication vector AV composed by: The HSS sends the AV and the $TK_{HU}$ to the HAAA, which forwards it to the WAAA.
Intra-horizontal handover: The UE roams to a Target AP (TAP) when receiving poor signal strength from the currently associated AP in the same WLAN domain.
The WAAA locally authenticates the UE on behalf of the HAAA by using the previously received key $TK_{HU}$. Fig. 6 describes the proposed intra-HH authentication protocol:
Step 1: After UE detection, the TAP sends an EAP request identity to the UE.
Step 6: After receiving the EAP success message, the UE and the TAP generate a TSK key (Transient Session Key) by using the 4-way handshake protocol.

Inter-horizontal handover:
The inter-HH is the same as the intra-HH with the difference that the target AP exists in another WAAA domain. As shown in Fig. 7, the authentication procedure is completed without the need for the authentication vector from the HAAA. The protocol proceeds as follows:
Step 1: After UE detection, the TAP sends an EAP request identity to the UE.
Step 2: The UE sends to the target WAAA its temporary identity $ID_{NTE}$.
Step 3: The TWAAA checks the received $ID_{NTE}$ and classifies the request as an inter-HH if the $ID_{NTE}$ postfix does not match its own ID. Then the TWAAA sends an authentication request with the $ID_{NTE}$ to the previous UE authentication server PWAAA. The PWAAA validates the user $ID_{NTE}$ and checks the lifetime of $TK_{HU}$. The PWAAA sends the $TK_{HU}$ to the TWAAA if it has not expired; otherwise it forwards the authentication request with the permanent ID and the TWAAA ID to the HAAA. Then the authentication method continues in the same way as the intra-HH in steps 4, 5 and 6.

SECURITY ANALYSIS
To avoid the domino effect problem (Housley and Aboba, 2006), unnecessary distribution of keys must be avoided. For this, all generated keys must be used in a specific context. The UE secret key is held only by the UE and the 3GHN. The UE and the WAAA can share the authentication key with the help of the HAAA and without knowing each other's secret key. Fig. 8 shows the key hierarchy of the proposed authentication method. The $TK_{HU}$ key is specific to the WLAN authentication. It is generated only by the UE and the HSS, because only the UE and the HSS have access to the UE key $(d_E, U_E)$. The $TK_{WU}$ key is generated by the UE and the WAAA to be used as A new key $TK_{WU}$ is generated for each re-authentication operation. Our method also simplifies the authentication mechanism in the UE, because the same authentication mechanism is used for the vertical and horizontal handover. To avoid replay attacks, all keys are used one time. The $TK_{HU}$ is fresh because $r_H$ is randomly generated in each full EAP-AKA authentication. The same holds for the fresh key $TK_{WU}$ generated from the $TK_{HU}$ and $r_W$.
The proposed protocol satisfies all network security requirements defined by the 3GPP, in particular UE identity protection, secure key management and mutual authentication. In this section we will analyse the security of our proposed protocol:

PERFORMANCE ANALYSIS
This section compares the performance of our method with the existing EAP-AKA standard method. The performance comparison is based on the bandwidth consumption and authentication delay for UE movement between 3G, WLAN1 and WLAN2. As described in Fig. 9, the UE is first connected to the AP1 in WLAN1. After this, the UE moves to the AP2 in the same WLAN1 domain by executing an intra-HH. Then it performs an inter-HH to the AP3 in WLAN2 and afterwards moves to AP4 by an intra-HH. To cover the UE movements, two authentication scenarios are proposed:
Scenario 1: This scenario uses the existing authentication protocol adopted by the 3G-WLAN architecture. The UE performs EAP-AKA authentication in all authentication stages.
Scenario 2: In this scenario, we propose to use our modified EAP-AKA, intra-HH and inter-HH authentication methods.

Bandwidth consumption:
The UE is authenticated by the HAAA in EAP-AKA. In our proposed method, however, the user authentication is delegated to the local WAAA authentication server. This can reduce the bandwidth consumption between the HAAA and the WAAA by 50% compared to the full EAP-AKA. Our protocol also doesn't require any SQN synchronization between the UE and the 3GHN, which can reduce the bandwidth consumption.

Authentication signaling cost:
In this section we evaluate the signalling cost of both authentication scenarios. The signalling cost can be defined as the total authentication signalling message traffic during a communication session (Choi et al., 2007). In practice two network nodes are separated by a set of H hops. We assume that the number of hops between the UE and the AP is $H_{UE-AP} = 1$, $H_{AP-WAAA} = 1$ is the number of hops between the AP and the WAAA, 4 is the number of hops between WAAA1 and WAAA2, $H_{WAAA-HAAA} = 4$ is the number of hops between the WAAA and the HAAA and $H_{HAAA-HLR} = 1$ is the number of hops between the HAAA and the HLR. The numbers of exchanged messages are $N_{EAP-AKA} = 26$ in standard EAP-AKA, $N_{modif(EAP-AKA)} = 18$, $N_{intra-HH} = 9$ and $N_{inter-HH} = 17$. The authentication signalling cost for both scenarios is: The average message size 'R' is set to 200 bytes. $N_r = T_s/T_r$ is the average number of UE movements during a session. The average session time $T_s$ is set to 2000 s. $T_r$ is the average WLAN resident time; it varies between 10 and 100 s. Fig. 10 shows the authentication signalling cost for both authentication scenarios. As we can see, a higher resident time implies a lower signalling cost, and scenario 2 reduces the authentication signalling cost by 50, 96% relative to scenario 1. Improved performance results can be reached by increasing the life cycle of the authentication key $TK_{HU}$.
The mutual authentication and secrecy of keys of our protocols were checked by using OFMC and CL-AtSe. All tests passed and no attacks or vulnerabilities were found, which confirms the secure key management and mutual authentication service of the proposed protocols. Fig. 15a and b show the messages returned by the OFMC and CL-AtSe verification tools. Our protocol achieves mutual authentication, assures the confidentiality of the shared keys $TK_{HU}$ and $TK_{WU}$ between the UE and the WAAAs and is reported safe by both verification tools.

• Each authentication server HAAA has a known public encryption key $U_H = d_H * Q$ (where $d_H$ indicates the private key and "*" denotes the point multiplication over $E_q(a, b)$).
• Each authentication server WAAA has a pre-shared key with the HLR server, composed of $(U_W, d_W)$ ($U_W = d_W * Q$).
• Each UE has a pre-shared secret key with the HLR server, composed of $(U_E, d_E)$ ($U_E = d_E * Q$).

Fig. 6: Intra 3G-WLAN authentication protocol
Step 4: After receiving the AV from the HAAA, the WAAA sends an EAP request message composed of the RAND and AUTN to the UE.
Step 5: Upon receiving the EAP request message, the UE computes the authentication key $TK_{HU} = d_E * R_H$, CK and IK, the next authentication ID and a local $MAC_{HU}$, and verifies it against the received one. The authentication procedure is stopped in the case of negative verification. Otherwise, the UE produces a response (RES) and a message integrity check $MAC = f1(RES \| IK)$ that are sent back to the WAAA as an EAP response message.
Step 6: The WAAA receives the EAP response message and verifies the received RESP against the expected one, XRESP. On a positive check, the WAAA derives the session key MSK from the $TK_{HU}$ and sends an EAP success message to the UE. In addition, the WAAA sends the MSK to the AP.
Step 7: After receiving the EAP success message, the UE and the AP generate a TSK key (Transient Session Key) by using the 4-way handshake protocol.
Horizontal handover: Since the 3GPP doesn't specify a particular protocol for HH in the 3G-WLAN interworking architecture, in the next section we propose a new authentication protocol for inter and intra Horizontal Handover based on our modified EAP-AKA. The intra-HH is executed when the currently associated AP and the target AP are in the same WLAN domain. The inter-HH is achieved when the currently associated AP and the target AP are in different WLAN domains. The

Step 2: The UE sends to the WAAA the previously received temporary identity $ID_{NTE}$.
Step 3: Upon receiving the UE identity $ID_{NTE}$, the WAAA checks it. The WAAA classifies the request as an intra-HH if it has the same ID as the $ID_{NTE}$ postfix. The WAAA then validates the key lifetime of $TK_{HU}$, generates a random number $RAND_W$, randomly selects an integer $r_W \in Z_q^*$ and computes $R_W = r_W *$ $R_W' = r_W * TK_{HU}$, the authentication key $TK_{WU} = U_W * R_W'$. The WAAA also computes the next UE local ID $ID_{NTE} = (ID_{WLAN} \| f_{TK_{UH}}(ID_{NTE}, ID_{WLAN}, TK_{WU}))$ and the message integrity check token $MAC_W = f1(RAND_W \| ID_{NTE} \| TK_{WU})$, and sends to the UE an EAP request message with $RAND_W$, $R_W$, $MAC_W$ through the TAP.
Step 4: After receiving the EAP request message, the UE computes the authentication key $TK_{WU} = d_E * R_W$, the next authentication ID and a local $MAC_{WU}$, and verifies it against the received one.

Fig. 7: Inter 3G-WLAN authentication protocol
The authentication procedure is stopped in the case of a negative check; otherwise the UE replies with an EAP response message with the $RAND_W$ and a message integrity check $MAC_U = PRF(RAND_W \| TK_{WU})$.
Step 5: The WAAA receives the EAP response message from the UE and verifies whether the received $RAND_W$ is identical to the generated one. On a positive check, the WAAA derives the session key MSK from the $TK_{WU}$ ($MSK = SHA1(TK_{WU}, ID_{NTE} \| ID_{TAP} \| ID_{WAAA})$), sends an EAP success message to the UE and sends the MSK to the AP.
Step 6: After receiving the EAP success message, the UE and the TAP generate a TSK key (Transient Session Key) by using the 4-way handshake protocol.

Fig. 8: Modified EAP-AKA key hierarchy
possession of the correct $TK_{HU}$. The UE authenticates the authentication server WAAA by verifying the calculated $MAC_W$ against the received one. The WAAA authenticates the user by checking the $RAND_W$ against the generated one.
• Man in the middle attack protection (Hwang et al., 2008): The user identity is protected by using a one-time generated key. The attacker cannot retrieve or modify the user identity; only the UE and the WAAA server can retrieve it. In addition, all encryption keys are randomly generated for each request and response packet and no key is transmitted in clear. Finally, all messages are protected by a message integrity code MAC. Therefore our protocol can resist the man in the middle attack.
• Protection against the replay attack: Our protocol is robust to the replay attack because $RAND_W$ and $r_W$ are generated randomly for each new re-authentication and are used one time.