Article

A Ticket-Based Re-Authentication Scheme for Fast Handover in Wireless Local Area Networks

Abstract

Fast re-authentication schemes for mobile stations are essential during handover between access points in wireless local area networks. Although lots of research resources have been put into the reduction of re-authentication latency, these schemes developed so far seem to either suffer from heavy overhead or have weak security. This paper proposes a novel ticket-based approach to deal with the problem. The mobile station receives handover tickets from the authentication server as a proof of authorization, and it presents the corresponding ticket when associating with a new access point. The proposed scheme reduces handover delay during the re-authentication phase to the delay of 2-way handshake between an access point and a mobile station. Furthermore, this scheme gives less burden over the entities comparing with other proactive key pre-distribution schemes while satisfying 802.11i security requirements.
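As an added illustration (constructed for this page, not the paper's own ticket format or code), the flow below models the scheme the abstract describes: the AS issues a ticket bound to a mobile station, a target AP and an expiry, the AP checks it locally without contacting the AS, and a 2-way handshake between AP and MS yields a fresh PTK. The field layout, the HMAC-based key derivation, the shared AS-AP key and the message contents are all assumptions.

```python
import hmac
import hashlib
import os
import struct

# Assumed design: each AP shares a long-term key with the AS. The handover key HK
# is derived from that key and the ticket fields, so HK itself never rides in the ticket.

def _kdf(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def issue_ticket(as_ap_key, ms_id, ap_id, expiry):
    """AS side: ticket bound to (MS, target AP, expiry) with an integrity tag the AP can check."""
    nonce = os.urandom(16)
    exp = struct.pack(">Q", expiry)
    hk = _kdf(as_ap_key, b"hk", ms_id, ap_id, exp, nonce)
    tag = _kdf(as_ap_key, b"tag", ms_id, ap_id, exp, nonce)
    ticket = (ms_id, ap_id, expiry, nonce, tag)
    return ticket, hk          # HK is handed to the MS over the already-protected link

def ap_verify_ticket(as_ap_key, my_ap_id, ticket, now):
    """AP side: check AP binding, expiry and integrity locally; no round trip to the AS."""
    ms_id, ap_id, expiry, nonce, tag = ticket
    if ap_id != my_ap_id or now >= expiry:
        return None
    exp = struct.pack(">Q", expiry)
    if not hmac.compare_digest(tag, _kdf(as_ap_key, b"tag", ms_id, ap_id, exp, nonce)):
        return None
    return _kdf(as_ap_key, b"hk", ms_id, ap_id, exp, nonce)

def derive_ptk(hk, ms_id, ap_id, snonce, anonce):
    return _kdf(hk, b"ptk", ms_id, ap_id, snonce, anonce)

def ms_msg1(ticket, hk):
    """Message 1 (MS -> AP): SNonce plus a MIC under HK. Note this message alone is
    replayable; the AP's proof of MS liveness comes from later PTK-protected traffic."""
    snonce = os.urandom(16)
    return snonce, _kdf(hk, b"m1", ticket[4], snonce)

def ap_msg2(as_ap_key, my_ap_id, ticket, snonce, mic, now):
    """Message 2 (AP -> MS): ANonce plus a MIC under the new PTK; None if the ticket fails."""
    hk = ap_verify_ticket(as_ap_key, my_ap_id, ticket, now)
    if hk is None or not hmac.compare_digest(mic, _kdf(hk, b"m1", ticket[4], snonce)):
        return None
    anonce = os.urandom(16)
    ptk = derive_ptk(hk, ticket[0], ticket[1], snonce, anonce)
    return anonce, _kdf(ptk, b"m2", snonce, anonce), ptk

def ms_finish(ticket, hk, snonce, anonce, mic2):
    """MS checks message 2; on success both sides hold the same PTK."""
    ptk = derive_ptk(hk, ticket[0], ticket[1], snonce, anonce)
    if not hmac.compare_digest(mic2, _kdf(ptk, b"m2", snonce, anonce)):
        return None
    return ptk
```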

... In our previous works [7], we presented a handover authentication protocol by using tickets for wireless mesh networks. Li et al. [8] and Li et al. [9] also presented their handover authentication protocols by using tickets to improve performance. In these protocols [7][8][9], entities pre-apply different kinds of tickets from ticket agents who are trusted by entities to issue and manage tickets. In the handover authentication process, entities authenticate each other by exchanging tickets. ...
... After receiving it, MR 1 sends it to neighbor routers. Due to the characteristics of the group signature, the proposed protocol can effectively protect the users' privacy comparing with the protocols proposed in the paper [7][8][9]. ...
Article
Wireless mesh network (WMN), as a new generation of wireless network technology, has raised increasing concerns in recent years. Due to the strong mobility nature of the clients in WMNs, the handover events frequently occur. Therefore, taking into consideration the openness of the wireless communication channel, the handover authentication protocols for WMNs have to be both efficient and secure, which remains a challenge. In this paper, an anonymous batch handover authentication protocol is proposed using group signature technique to pre-distribute handover keys. Unlike existing protocols based on group signature, the proposed protocol does not involve group signature correlation operations in the handover authentication phase, hence achieving a better performance.
... Pro-active authentication protocols (Mishra et al., 2004;Park et al., 2007) attempt to minimize the authentication latency during the handover process by distributing pairwise master keys (PMK), proofs of successful log-in authentications, to potential target access points of a mobile client before the client moves to another access point. Ticket-based authentication protocols (Kassab, 2007;Li, 2010) also try to minimize the authentication latency during the handover process by using tickets as proofs of successful login authentications. ...
... Ticket-based authentication Li (2010) proposes a ticket-based authentication protocol to support fast handover in wireless local area networks (WLAN). It is a pro-active key distribution approach. ...
... EAP-TLS is a popular authentication protocol for IEEE 802.11-based wireless networks and represents the multi-hop handover authentication approach. Kassab's (Kassab, 2007) and Li's (Li, 2010) algorithms are representative of the ticket-based approach and the closest to ours. Kassab's and Li's algorithms work in a similar manner. ...
Article
We propose new authentication protocols to support fast handover in IEEE 802.11-based wireless mesh networks. The authentication server does not need to be involved in the handover authentication process. Instead, mesh access points directly authenticate mobile clients using tickets, avoiding multi-hop wireless communications in order to minimize the authentication delay. Numerical analysis and simulation results show that the proposed handover authentication protocol significantly outperforms IEEE 802.11 authentication in terms of authentication delay. (c) 2013 Elsevier Ltd. All rights reserved.
... A broadcast authentication process during handover allows the AS to authenticate the clients while maintaining every MAP [11,12]. To minimise the latency during the handoff process, efficient authentication protocols were proposed to minimise the communication and computational cost [13][14][15][16][17][18]. Along with external attacks, internal attacks such as the wormhole attack could be launched in WMNs with various modes, which include using high-power transmission, tunnelling using encapsulation and out-of-band channels [19]. ...
Article
Wireless mesh networks (WMNs) have emerged as a superior technology offering all aspects of services as compared to conventional networks. Due to the absence of a centralised authority, WMNs suffer from both external and internal attacks, which decrease the overall performance of WMNs. In this study, the authors propose an efficient handoff authentication protocol with privacy preservation of the nonce and transfer ticket against external attacks during handoff, and a round trip time (RTT)-based detection protocol to resist internal attacks in WMNs. For privacy preservation of the nonce and transfer ticket, encryption of the nonce and transfer ticket during the handoff authentication process was considered. For detection, the calculation of RTT and processing time to identify the malicious nodes forming a wormhole link was considered. The proposed work protects the AODV routing protocol against the wormhole attack in WMNs. The simulation of the proposed work was done using the NS-3 simulator, and the experimental results show that the proposed method prevents WMNs from both external and internal attacks.
... In ticket-based handover by broadcast authentication [4, 6, 14, 16, 17, 19], the AAA server maintains every MAP and its neighbors' locations. When a client is about to leave a MAP, the AAA server will send tickets to all the neighboring MAPs over a secure channel. ...
Article
Due to the ever-growing popularity that mobile devices of various kinds have received worldwide, the demands on large-scale wireless network infrastructure development and enhancement have been rapidly swelling in recent years. A mobile device holder can get online at a wireless network access point, which covers a limited area. When the client leaves the access point, there will be a temporary disconnection until he/she enters the coverage of another access point. Even when the coverages of two neighboring access points overlap, there is still work to do to make the wireless connection continue smoothly. The action of one wireless network access point passing a client to another access point is referred to as the handover. During handover, for security concerns, the client and the new access point should perform mutual authentication before any Internet access service is practically gained/provided. If the handover protocol is inefficient, in some cases discontinued Internet service will happen. In 2013, Li et al. proposed a fast handover authentication mechanism for wireless mesh networks (WMN) based on tickets. Unfortunately, Li et al.'s work came with some weaknesses. For one thing, some sensitive information such as the time and date of expiration is sent in plaintext, which increases security risks. For another, Li et al.'s protocol includes the use of high-quality tamper-proof devices (TPDs), and this unreasonably high equipment requirement limits its applicability. In this paper, we shall propose a new efficient handover authentication mechanism. The new mechanism offers a higher level of security on a more scalable ground with the client's privacy better preserved. The results of our performance analysis suggest that our new mechanism is superior to some similar mechanisms in terms of authentication delay.
Chapter
Roy, Amit Kumar; Khan, Ajoy Kumar
Internet access through light-weight devices has become the most widely chosen option at present. Devices such as laptops and mobile phones have become the most favourable choice for accessing the Internet anywhere and at any time. However, an issue of handoff authentication arises as these devices migrate from their home MAP to a foreign MAP. For handoff authentication, ticket-based schemes were mostly considered, which allow the client to authenticate itself to the FMAP. These tickets should be exchanged in a secure manner among the mesh entities. Therefore, in this paper we propose a handoff authentication protocol with confidentiality of the transfer ticket or identity ticket through a Diffie-Hellman approach. Through experimental results, it is shown that our protocol achieves minimum handoff latency and minimum computational cost along with ticket confidentiality.
Article
Wireless mesh networks have grown very rapidly in recent years, owing to the features of self-organization, low installation costs, large-scale deployment, and fault-tolerance. Fast and efficient authentication schemes are especially important in multi-hop WMNs. We propose two novel ticket-based mutual authentication protocols in order to minimize the latency, one for initial authentication and the other for fast handover. The 4-way handshake in the phase of login authentication is cut down to 2-way using the Login-Ticket. The authentication server does not need to be involved in the handover authentication process. Instead, the target mesh access points authenticate mobile clients using the tickets pre-distributed by the current access points, avoiding multi-hop wireless communications between the authentication server and the mesh clients/points. Furthermore, even if the client has to handover several times, the AS is still not required to be involved in the process. Security analysis shows that our proposed protocols are secure and resilient to various kinds of attacks. Performance analysis demonstrates that the protocols are efficient in terms of authentication delay and communications costs, thus they are very suitable for the circumstances of WMNs.
Conference Paper
Recently, user mobility in wireless data networks is increasing because of the popularity of portable devices and the desire for voice and multimedia applications. These applications, however, require fast handoffs among base stations to maintain the quality of the connections. Re-authentication during handoff procedures causes a long handoff latency which affects the flow and service quality, especially for multimedia applications. Therefore minimizing re-authentication latency is crucial in order to support real-time multimedia applications on public wireless IP networks. In this paper, we propose two fast re-authentication methods based on the predictive authentication mechanism defined by the IEEE 802.11i security group. We have implemented these methods in an experimental test-bed using freeware and commodity 802.11 hardware, and we demonstrate that they provide significant latency reductions compared to already proposed solutions. Conducted measurements show a very low latency not exceeding 50 ms under extremely congested network conditions.
Conference Paper
Supporting user mobility is one of the most challenging issues in wireless networks. Recently, as the desires for user mobility and high-quality multimedia services increase, fast handoff among base stations comes to a center of quality of connections. Therefore, minimizing re-authentication latency during handoff is crucial for supporting various promising real-time applications such as Voice over IP (VoIP) on public wireless networks. In this study, we propose an enhanced proactive key distribution scheme for fast and secure handoff based on the IEEE 802.11i authentication mechanism. The proposed scheme reduces the handoff delay by reducing the 4-way handshake to a 2-way handshake between an access point and a mobile station during the re-authentication phase. Furthermore, the proposed scheme gives little burden over the proactive key pre-distribution scheme while satisfying 802.11i security requirements.
Article
User mobility in wireless data networks is increasing because of technological advances, and the desire for voice and multimedia applications. These applications, however, require that handoffs between base stations (or access points) be fast to maintain the quality of the connections. In this article we introduce a novel data structure, the neighbor graph, that dynamically captures the mobility topology of a wireless network. We show how neighbor graphs can be utilized to obtain a 99 percent reduction in the authentication time of an IEEE 802.11 handoff (full EAP-TLS) by proactively distributing necessary key material one hop ahead of the mobile user. We also present a reactive method for fast authentication that requires only firmware changes to access points and hence can easily be deployed on existing wireless networks.
Conference Paper
In the current specification of Proxy Mobile IPv6, there is no attempt at an optimized authentication mechanism. In this paper, we propose a ticket-based authentication mechanism in which the security information is reused for fast authentication during mobile nodes' handoff between different links. According to the performance evaluation, the proposed mechanism shows improved performance of up to 89.2% compared to EAP-TLS and Kerberos. In addition, we provide the validity of the proposed mechanism through BAN logic.
Article
The emergence of public access wireless networks enables ubiquitous Internet services, while inducing more security challenges due to open mediums. As one of the most widely used security mechanisms, authentication is to provide secure communications by preventing unauthorized usage and negotiating credentials for verification. Meanwhile, it generates heavy overhead and delay to communications, further deteriorating overall system performance. Therefore, it is very important to have an in-depth understanding of the relationship between the security and quality of service (QoS) through the authentication in wireless networks. In this paper, we analyze the impact of authentication on the security and QoS quantitatively. First, a system model based on the challenge/response authentication mechanism is introduced, which is widely applied in various mobile environments. Then, the concept of security levels is proposed to describe the protection of communications with regard to the nature of security, i.e., information secrecy, data integrity, and resource availability. Third, traffic and mobility patterns are taken into account for quantitative analysis of QoS. Finally, we provide numerical results to demonstrate the impact of security levels, mobility and traffic patterns on overall system performance in terms of authentication cost, delay, and call dropping probability.
Conference Paper
More and more wireless access networks based on WLANs, e.g. IEEE 802.11, are publicly deployed in multiple environments such as airports, depots, shopping centers, etc. Efficient authentication mechanisms are required to ensure a robust control of network access and secure user exchanges. The evolution of mobile devices, wireless access technologies and user behaviors leads to an increasing demand for seamless mobility support. Thus, authentication mechanisms must support seamless handover across network cells. In previous work, we have proposed a fast re-authentication method based on proactive key distribution: PKD with IAPP caching. This method offers a very interesting handover delay reduction but it does not comply with the IEEE 802.11i security requirements. In this paper, we propose a ticket-based enhancement to go beyond the security weakness of the PKD with IAPP caching re-authentication method. A functional description of the security enhancement is given in addition to a security evaluation.
Article
User mobility in wireless data networks is increasing because of technological advances, and the desire for voice and multimedia applications. These applications, however, require handoffs between base stations (or access points) to be fast to maintain the quality of the connections. In this paper, we introduce a novel data structure, the Neighbor Graph, which dynamically captures the mobility topology of the network, and we show how neighbor graphs can be utilized to reduce the authentication time of an IEEE 802.11 hand-off from 1.1 seconds (full EAP/TLS) to 50 ms without loss of security.
IEEE Standard
Amendment 6: Medium Access Control (MAC) Security Enhancements