
IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 24, NO. 9, SEPTEMBER 2006 1725

LR-AKE-Based AAA for Network Mobility (NEMO) Over Wireless Links

Hanane Fathi, Member, IEEE, SeongHan Shin, Kazukuni Kobara, Shyam S. Chakraborty, Hideki Imai, Fellow, IEEE, and Ramjee Prasad, Senior Member, IEEE

Abstract—Network mobility introduces far more complexity than host mobility. Therefore, host mobility protocols such as Mobile IPv6 (MIPv6) need to be extended to support this new type of mobility. To address the extensions needed for network mobility, the IETF NEMO working group has recently standardized the network mobility basic support protocol in RFC 3963. However, this RFC does not mention how authentication, authorization, and accounting (AAA) issues are handled in a NEMO environment. Also, the use of IPsec to secure NEMO procedures does not provide robustness against leakage of stored secrets. To address this security issue and to achieve AAA with mobility, we propose new handover procedures to be performed by mobile routers and by visiting mobile nodes. This new handover procedure is based on the leakage-resilient authenticated key establishment (LR-AKE) protocol. Using analytical models, we evaluate the proposed handover procedure in terms of handover delay, which affects the session continuity. Our performance evaluation is based on transmission, queueing and encryption delays over wireless links.

Index Terms—Authenticated key exchange, authentication authorization accounting (AAA), handover delay, IP-based mobile networks, leakage resilience, mobile IPv6 (MIPv6), mobile routers, NEMO, session continuity, visiting mobile nodes.

I. INTRODUCTION

THE INCREASING demand for ubiquitous connectivity leads us towards the incorporation of wireless communication technologies not only in fixed premises such as airports and hotels but also in vehicular environments such as cars, trains, and buses. Consequently, the concept of mobility originally bound to hosts is being extended to an entire network which changes its point of attachment to the Internet. This is referred to as network mobility (NEMO).

Network mobility introduces far more complexity than host mobility. Therefore, host mobility protocols such as Mobile IPv6 (MIPv6) [1] need to be extended to support this new type of mobility. Originally, Mobile IP was designed to provide a host the ability to stay connected to the Internet regardless of its location. In MIPv6, the mobile node (MN) obtains a new Internet protocol (IP) address in the visited network. To maintain continuous connectivity, the MN needs to update its location with its corresponding node (CN) and its home agent (HA) whenever it moves to a new subnet so that it can receive packets.

Manuscript received June 5, 2005; revised February 1, 2006. The work of H. Fathi was done while at the Center for TeleInfrastuktur (CTIF), Aalborg University, Denmark. The work of S. S. Chakraborty was done while with the Academy of Finland and the Helsinki University of Technology, Finland. This work was supported in part by the Danish “Statens Teknisk-Videnskabelige Forskningsråd” through the Center for Network and Service Convergence (CNTK) and in part by the Academy of Finland.

H. Fathi, S. Shin, K. Kobara, and H. Imai are with the Research Center for Information Security, National Institute of Advanced Industrial Science and Technology, Chiyoda-ku, 101-0021 Tokyo, Japan (e-mail: [email protected]; [email protected]; [email protected]; [email protected]).

R. Prasad is with the Center for TeleInfrastuktur (CTIF), Aalborg University, 9220 Aalborg, Denmark (e-mail: [email protected]).

S. S. Chakraborty is with Ericsson Finland, 02420 Jorvas (e-mail: [email protected]).

Digital Object Identifier 10.1109/JSAC.2006.875111

0733-8716/$20.00 © 2006 IEEE

To address the extensions needed for network mobility, the IETF NEMO working group has recently standardized the network mobility basic support protocol in [2]. This protocol allows for session continuity for every node in the mobile network as the network moves. The mobile network has at least one mobile router (MR), maybe some local fixed nodes (LFNs), and visiting mobile nodes (VMNs). In [2], a bidirectional tunnel is proposed to be established between the MR and its HA using MIPv6. In [3], various attacks (e.g., redirection attacks) against NEMO were described and led to the adoption of IPsec [4] to protect inbound and outbound NEMO traffic. IPsec is used also to protect the binding update (BU) messages between the MR and its HA. In [5], a threat analysis on NEMO is given pointing out the weaknesses of the integration of IPsec within NEMO. This analysis results in the identification of attacks such as BU spoofing that have been overcome in [2]. In [6], a secure route optimization is devised for NEMO based on public key infrastructure (PKI), on cryptographically generated addresses and on crypto-based host identifiers. However, weaknesses remain related to the leakage of secrets from mobile devices. IPsec often relies on PKI or on symmetric key cryptography, and it is widely known that none of these protects against leakage of stored secrets. The leakage of stored secrets has always been a critical issue in security and this is discussed in [7]. Leakage of secret-keys or private-keys causes a serious flaw in the system which is enough to break down the overall security, but unfortunately the potential of such risk is not negligible due to computer viruses, bugs in programs or misconfigurations of the system and due to lost/stolen portable devices used for wireless communications. Cryptographic authentication relies on the possession of a key by the party to be authenticated. Such keys are often stored using special devices such as tamper-resistant modules (TRMs). However, there are situations where this is inconvenient (e.g., when PKI is used) or expensive (i.e., due to the need of purchasing an extra TRM chip). Note that TRMs are also not completely free from bugs or misconfigurations. Therefore, there is a need for secure communication relying on a short secret that can be remembered by humans to avoid leakage from devices. This is the motivation behind password-based authenticated key exchange (PAKE) protocols, in general, and of the leakage-resilient authenticated key exchange protocol (LR-AKE) [8]. In this paper, we decide to use LR-AKE instead of PAKE because LR-AKE provides clear advantages in terms of leakage-resilience, as well as communication and computational efficiency (i.e., bandwidth, delay, etc.). Also, LR-AKE is appropriate for the NEMO environment, for which PKI is not suitable. In this paper, we overcome both the classical security attacks and the problem of leakage by using the LR-AKE protocol.

Also, RFC 3963 [2] does not mention how authentication, authorization, and accounting (AAA) issues are handled in a NEMO environment. An AAA infrastructure typically consists of AAA servers interacting with each other. AAA servers authenticate users, handle authorization requests, and collect accounting data. For users as well as routers visiting a foreign domain, usually the AAA foreign (AAAF) server and the AAA home (AAAH) server need to contact each other to verify if the user is allowed to obtain the requested service. Recently, [9] appeared and proposed an AAA architecture for nested NEMO based on diameter and on protocol for carrying authentication network access (PANA) for access control and used IPsec for MIP registrations and user data packets. In this paper, we join NEMO-MIPv6 with AAA in a unique mechanism that is robust against leakage of secrets and classical attacks (i.e., spoofing, eavesdropping).

While the combination of AAA and MIP procedures has been widely investigated for host mobility, this issue seems to have received relatively less attention for NEMO. In RFC 2977, IETF specifies the requirements for AAA to support Mobile IP services. In [10], the basic pillars for combining AAA and MIP are given. In [11], an integration of AAA with hierarchical MIPv6 is proposed to achieve better registration latency. Concerning secure wireless roaming, [12] introduces the use of identity-based cryptography for MIP with AAA. All the results in the cited literature focus on host mobility and are not easily extendable to NEMO.

In this paper, we propose a handover procedure for network mobility (NEMO) achieving AAA and mobility with security against leakage, and various active and passive attacks. We consider the mobility of the MR and the mobility of the VMN. We do not consider nested mobile networks but our proposal can easily be extended to nested mobile networks. We devise mechanisms based on LR-AKE for registrations at the HA for MR and VMN and for registrations at the CN to guarantee route optimization for VMN. The registration to the CN from the VMN is applicable also for the MR to achieve route optimization. We analyze the security of the proposed architecture. To assess the performance impact of the proposed architecture, we focus on the session continuity over wireless links which is the essential point of NEMO and specifically on VoIP session continuity that is affected by handover delays higher than 300 ms [13], [14]. Therefore, we evaluate the handover delay as a function of the frame error rate (FER) in the wireless link and the message arrival rate at the HA. The evaluation is made using analytical methods for transmission delays based on a random error process and queueing delays. The handover delay is analytically derived in various situations. The method used involves queueing theory and the reliability mechanism of each protocol to overcome losses that are most likely to happen over a wireless link. We give the proportion of the handover delay due to the security procedure, the MIPv6 procedure, the encryption, and the queueing in order to identify the dominant factors.

The rest of this paper is organized as follows. In Section II, the NEMO protocol based on Mobile IPv6 is described. Section III presents the weaknesses of IPsec in NEMO in terms of leakage resilience. Section IV introduces the LR-AKE protocol. In Section V, we propose new secure handover mechanisms for achieving AAA in NEMO. The security analysis of our proposal is given in Section VI. The performance analysis of the proposed mechanisms in terms of handover delay using analytical models is given in Section VII. Then, the results for the handover delay are presented in Section VIII considering various conditions, and the concluding remarks are given in Section IX.

II. NETWORK MOBILITY: NEMO

Network mobility (NEMO) protocol enables mobile networks to attach to different points in the Internet with session continuity. The protocol is an extension of Mobile IPv6 that allows for session continuity and reachability for every node in the mobile network.

The MR, which connects the network to the Internet, uses the NEMO basic support protocol with its HA to achieve session continuity. The protocol is designed in such a way that network mobility is transparent to the nodes inside the mobile network. A mobile network is considered as a network segment or subnet which moves and attaches to points in the fixed network. The entry point in a mobile network is a MR that manages the network’s movement. There is at least one MR per mobile network that is responsible for maintaining a bidirectional tunnel to a HA. The mobile network consists of LFNs that always belong to the same mobile network and communicate via the same MR and VMNs that attach temporarily to the mobile network and to the MR. The HA advertises an aggregation of mobile networks to the infrastructure.

A mobile network can also consist of multiple and nested subnets but this is not considered in this paper. A MR has a unique home address through which it is reachable when it is registered with its HA. The MR advertises one or more prefixes in the mobile network attached to it.

When the MR moves away from the home link and attaches to a new access router, it acquires a care-of-address (CoA) from the visited link. As soon as the MR acquires a care-of address, it immediately sends a BU to its HA. When the HA receives this BU, it creates a binding cache entry binding the MR’s home address to its CoA at the current point of attachment. When the MR provides connectivity to nodes in the mobile network, it indicates this to the HA by setting a flag (R) in the BU. It may also include information about the mobile network prefix in the BU, so that the HA can forward packets meant for permanent nodes in the mobile network to the MR. The HA acknowledges the BU by sending a binding acknowledgement to the MR. A positive acknowledgement means that the HA has set up forwarding for the mobile network. Once the binding process completes, a bidirectional tunnel is established between the HA and the MR. The tunnel endpoints are MR’s care-of address and the HA’s address.

If a packet with a source address belonging to the mobile network prefix is received at the MR from the mobile network, the MR sends the packet in a reverse-tunnel to the HA using IP-in-IP encapsulation. The HA decapsulates this packet and forwards it to the correspondent node. For traffic originated by itself, the MR can use reverse tunneling. When a correspondent node sends a packet to a node in the mobile network, this packet is routed via the HA which currently has the binding for the MR. It is expected that the MR’s network prefix would be aggregated at the HA, which advertises the resulting aggregation. The HA can receive the data packets destined to the mobile network by advertising routes to the mobile network prefix. When the HA receives a data packet meant for a node in the mobile network, it sends it via the tunnel to MR’s current CoA. The MR decapsulates the packet and forwards it onto the interface where the mobile network is connected. The link between MR and HA is protected by IPsec in tunnel mode. The MR also has to make sure the destination address on the inner IPv6 header belongs to a prefix used in the Mobile Network before forwarding the packet to the mobile network. Otherwise, it should drop the packet.
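The binding and forwarding rules described in this section can be modelled in a few lines. This is an added example, not code from the paper or from RFC 3963; the class and method names are hypothetical and all addresses are constructed from the IPv6 documentation prefix.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class BindingUpdate:
    home_address: str
    care_of_address: str
    router_flag: bool = False   # the (R) flag: sender acts as a mobile router
    prefixes: tuple = ()        # optional mobile network prefixes carried in the BU


class HomeAgent:
    def __init__(self):
        self.cache = {}         # home address -> (CoA, [mobile network prefixes])

    def process_bu(self, bu):
        """Create or refresh the binding cache entry; True models a positive ack."""
        # Prefixes are only honoured when the R flag is set.
        nets = [ipaddress.ip_network(p) for p in bu.prefixes] if bu.router_flag else []
        home = ipaddress.ip_address(bu.home_address)
        self.cache[home] = (ipaddress.ip_address(bu.care_of_address), nets)
        return True

    def tunnel_endpoint_for(self, dst):
        """Return the CoA a packet for dst is tunnelled to, or None if unbound."""
        dst = ipaddress.ip_address(dst)
        best = None
        for home, (coa, nets) in self.cache.items():
            if dst == home:
                return coa
            for net in nets:    # longest matching mobile network prefix wins
                if dst in net and (best is None or net.prefixlen > best[0]):
                    best = (net.prefixlen, coa)
        return best[1] if best else None


class MobileRouter:
    def __init__(self, prefixes):
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]

    def accept_from_tunnel(self, inner_dst):
        """Forward a decapsulated packet only if its inner destination lies in a
        prefix used in the mobile network; otherwise the packet is dropped."""
        dst = ipaddress.ip_address(inner_dst)
        return any(dst in net for net in self.prefixes)


def demo():
    """Constructed scenario: register, hand over to a new CoA, then filter."""
    ha = HomeAgent()
    mr = MobileRouter(["2001:db8:a::/48"])
    ha.process_bu(BindingUpdate("2001:db8:1::1", "2001:db8:ff::10", True,
                                ("2001:db8:a::/48",)))
    before = ha.tunnel_endpoint_for("2001:db8:a::42")
    ha.process_bu(BindingUpdate("2001:db8:1::1", "2001:db8:ee::20", True,
                                ("2001:db8:a::/48",)))
    after = ha.tunnel_endpoint_for("2001:db8:a::42")
    return (str(before), str(after),
            mr.accept_from_tunnel("2001:db8:a::42"),
            mr.accept_from_tunnel("2001:db8:b::1"))
```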

The VMNs in the mobile network should perform the MIPv6 with their HAs and CNs to guarantee session continuity once in a foreign mobile network.

III. WEAKNESSES OF IPSEC IN NEMO

In IPsec, the establishment and maintenance of security association is performed by Internet key exchange (IKE) protocol [15]. IKEv1 [15] defines three types of keys upon which a phase I might be based: a preshared symmetric key, a pair of keys for public-key encryption, and a pair of keys for digital signature. In any case, a party should store a cryptographically strong key (symmetric key, private keys for public-key encryption, and digital signature) on devices. Leakage of such keys results in total breakdown of security since authentication only depends on the strong secret the party holds. If the symmetric-keys are weak secret-like passwords, offline dictionary attacks can be applied [16]. Recently, IKEv2 [17] specified digital signature-based authentication (called SIGMA) and password-based authentication [18] both of which become insecure if the stored secrets are leaked out (refer to [19] for the insecurity of [18]).

Moreover, BUs to CN originally secured by the return routability procedure are weak against on-path attackers, as stated in [1].

IV. LEAKAGE-RESILIENT AUTHENTICATED KEY EXCHANGE (LR-AKE) PROTOCOL BASED ON RSA

In this section, we give an overview of LR-AKE protocol to be used in our proposed architecture. The first LR-AKE protocol has been proposed in [8] but it was based on the Diffie–Hellman protocol which is not appropriate for mobile devices with limited computing power.¹ In this paper, we propose to use a slightly modified version of the LR-AKE protocol given in [19] that is based on RSA and can be regarded as the appropriate solution for “unbalanced” wireless networks where a party has a limited computing power capability on the one hand, and the corresponding party has higher computing power capabilities on the other hand. Also, the LR-AKE protocol [19] is remarkably efficient as computing RSA encryption with small primes (i.e., small encryption exponents) is more lightweight than computing the Diffie–Hellman values. The LR-AKE protocol is based on a two-party (client and server) model.

¹ In general, a modular exponentiation with an exponent of 160-bits long over 1024-bits modulus as used in the Diffie–Hellman protocol requires heavy computing power.

A. Security Goal

The security goal of an AKE protocol is to establish secure channels between two parties, authenticating each other and sharing a common session key (e.g., the key is used for confidentiality and/or data integrity) at the end of the protocol. In addition to mutual authentication and generation of session keys in AKE, LR-AKE protocols provide additional security features that protect a party’s short secret against leakage of stored secrets from both parties. To summarize, our RSA-based LR-AKE protocol guarantees both leakage-resilience of stored secrets and forward secrecy.

B. Preliminaries

Here, we provide a definition of the standard RSA function, which is the basis for the security of the LR-AKE protocol, and some notations.

An RSA public and private key pair is computed as follows: 1) such that , are distinct and odd primes and 2) are integers satisfying mod . We call a RSA modulus. The RSA encryption function is defined by mod and the RSA decryption function is . Thus, the RSA function is simply exponentiation with exponent (i.e., or ) in the group , whose order is

(1)

The basic security property of the RSA function is one-wayness, meaning given , , , it is computationally hard to compute .

Let denote the security parameter for hash functions and temporal random values (say, 160 bits). Let denote the set of finite binary strings and the set of binary strings of length . Let “ ” denote the concatenation of bit strings in . Let us define secure one-way hash functions as follows: while denotes a full-domain hash function from to , hash functions from to are denoted , for ,1,2,3,4. Here, we will assume that and are distinct random functions from one another. Let and be the identities of client and server, respectively.

C. The LR-AKE Protocol Based on RSA

1) The Relevant Context: The relevant situations or environments to benefit most from LR-AKE are wireless networks including heterogeneous devices (i.e., with different computational capabilities): for instance, such network enables communications between a user (so-called client) which has insecure devices, such as mobile phones or PDAs, with limited computing power but some memory capacity itself and a server that has enough computing power to generate a pair of (public and private) keys of RSA and to perform the RSA decryption function when is a small prime number. In order to speed up computation of (for the client’s efficiency), can be chosen to be a small prime with a small number of 1’s in its binary representation (e.g., ).² In addition, neither TRM nor PKI is needed to support LR-AKE.

² Choosing “e” as a small prime (e.g., 3) does not incur any security problem known so far. Of course, it is the case that the modulus “N” is a composite of two prime numbers with each size equal (following the RSA key generation procedure shown in preliminaries in Section IV-B). The actual security of the RSA function is not in the public key, but in factoring the composite “N.” Since the RSA key (including “N”) is generated in the initialization phase of the RSA-based LR-AKE protocol, there is no possible attack on “e” even if “e” is a small prime.

2) The Process: The RSA-based LR-AKE protocol consists of three phases: initialization, public-key verification, and session-key generation. In the initialization phase, a client registers the verification data to a server . In the public-key verification phase, the client and the server verify the server’s RSA key via challenge-response protocol. In the session-key generation phase, the client and the server authenticate each other, and then they generate a shared session key. The whole protocol is illustrated in Fig. 1.

Fig. 1. The whole protocol of RSA-based LR-AKE where the enclosed values in rectangle represent stored secrets of client and server, respectively.

• Initialization: During the initialization, the client generates verification data with the secret values , and his password

(2)

The user registers the verification data and securely to server . This could be done only once when the user subscribes to the server. Then, the user just stores the secrets and on insecure devices (e.g., mobile devices with low computing power) and remembers his password .

• Public-key verification: The public-key verification protocol runs between client and server as follows. At first, they both exchange random numbers , chosen from , and along the latter the server sends its RSA public key and to the client as long as the received number is in the right range. The RSA key pair , is generated by server and are calculated with under the private key . Each of is a divided hash value of . Upon receiving all of these values, client checks the validity of and with its public key . These two flows are used in order to thwart so-called -residue attacks [19]. This phase is executed only once.

• Session-key generation: The client computes using the secret value and the password . Then, the client calculates using a mask generation function as the product of an encryption of a random value under the public key with a full-domain hash of and other values, before sending it in a masked message (MM) to server . The latter can divide this encrypted value by a hash of its secret value registered by the client and other values, and then decrypt the resultant value under its private key so as to obtain that is used to compute its authenticator carried in a server authenticator message (SA) and the session key. After receiving from the server, client computes his authenticator and the session key , as long as the authenticator is valid, and it sends to server in a client authenticator message (CA). If the authenticator is valid, the server actually computes the session key which is used for their subsequent cryptographic algorithms. At the end of the protocol, the client stores a new secret value , after updating the secret value as follows: . In the same way, the server stores a new secret value , after updating the secret value as follows: .
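The session-key generation flow (MM, SA, CA and the update of the stored secrets) can be traced with the simplified sketch below. It is an added example, not the paper's or the authors' code. The page has lost the protocol's formulas, so the additive form of the verification data, the hash inputs, the update rule, the SHA-256/SHAKE-256 instantiations, the exponent 65537 and the toy primes are all assumptions, and the public-key verification phase is omitted.

```python
import hashlib
import hmac
import secrets
from math import gcd

# Constructed toy server RSA key: two known Mersenne primes, far too small and
# too structured for real use; they only keep the example fast and offline.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                  # small public exponent with two 1-bits (assumed)
D = pow(E, -1, (P - 1) * (Q - 1))    # server's private exponent
C_ID, S_ID = "client", "server"      # hypothetical identities


def _enc(*parts):
    return b"|".join(str(p).encode() for p in parts)


def H(k, *parts):
    """Hash H_k, domain-separated by k (assumed instantiation: SHA-256)."""
    return hashlib.sha256(_enc("H", k, *parts)).digest()


def G(*parts):
    """Full-domain hash into the invertible elements mod N (assumed: SHAKE-256)."""
    ctr = 0
    while True:
        digest = hashlib.shake_256(_enc("G", ctr, *parts)).digest(64)
        g = int.from_bytes(digest, "big") % N
        if g > 1 and gcd(g, N) == 1:
            return g
        ctr += 1


def pw_int(password):
    return int.from_bytes(password.encode(), "big") % N


class Client:
    def __init__(self):
        self.j, self.alpha = 1, secrets.randbelow(N)   # alpha is stored on the device

    def verification_data(self, password):
        # Assumed form: the registered value combines alpha with the password.
        return (self.alpha + pw_int(password)) % N


class Server:
    def __init__(self, p):
        self.j, self.p, self.failures = 1, p, 0        # p is stored on the server


def run_session(client, server, password):
    """One session-key generation run; returns (client_key, server_key) or None."""
    # Client: rebuild p from stored alpha and remembered password, build MM.
    p_c = (client.alpha + pw_int(password)) % N
    x = secrets.randbelow(N - 2) + 2
    z = pow(x, E, N) * G(client.j, p_c) % N
    if client.j != server.j:
        return None
    # Server: divide out its own mask, RSA-decrypt, answer with authenticator SA.
    x_s = pow(z * pow(G(server.j, server.p), -1, N) % N, D, N)
    ctx_s = (C_ID, S_ID, server.j, z, server.p, x_s)
    v_s = H(1, *ctx_s)
    # Client: check SA; a wrong password (or wrong alpha) is detected here.
    ctx_c = (C_ID, S_ID, client.j, z, p_c, x)
    if not hmac.compare_digest(v_s, H(1, *ctx_c)):
        server.failures += 1     # no valid CA arrives: one online trial is consumed
        return None
    v_c, sk_c = H(2, *ctx_c), H(3, *ctx_c)
    # Server: check CA before deriving its copy of the session key.
    if not hmac.compare_digest(v_c, H(2, *ctx_s)):
        server.failures += 1
        return None
    sk_s = H(3, *ctx_s)
    # Both sides refresh their stored secrets by the same offset (assumed rule),
    # so a value leaked from either store goes stale after the next session.
    delta = int.from_bytes(H(4, *ctx_c), "big")
    client.alpha = (client.alpha + delta) % N
    server.p = (server.p + delta) % N
    client.j, server.j = client.j + 1, server.j + 1
    return sk_c, sk_s
```

A server-side policy would lock the account once `failures` passes a threshold, which is the limited number of online trials discussed in the security analysis that follows.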

D. The Security of LR-AKE

We consider an attacker who has capability to control fully the communications between the parties. For the full security proof and several security features, please refer to [19]. Some ways for the attacker to break the LR-AKE protocol are the following.

• To guess a password and to make an online trial with respect to and only after getting the user/client’s saved secret (i.e., ). The LR-AKE protocol is secure against online attacks by having the server take an appropriate policy with limited number of trials.

• To use a RSA function that is not a permutation. With the view of , the attacker tries all the passwords, and only a strict fraction lead to in the image of . But for that, the attacker has to forge a proof of validity for . The optimal parameter can be obtained from [20].

• To use the authenticator or to check the correct password. But this requires the ability to solve one-wayness of the RSA function.

• To send a correct authenticator or , but being lucky.

E. Efficiency

With respect to computation costs, client needs to compute one modular exponentiation with the exponent and one modular multiplication . When is a small prime, the computation costs (i.e., in case of ) become very small compared with the Diffie–Hellman computations. In particular, the remaining cost after precomputation is only one modular multiplication and additional negligible operations for modular additions and hash functions. As for communication costs, it requires a bandwidth of bits approximately.

V. LR-AKE-BASED AAA FOR NEMO

In this paper, we propose an AAA and handover process for NEMO based on LR-AKE and MIPv6 to protect against leakage of stored secrets without compromising the protection against classical active and passive attacks. Our proposed procedure is based on LR-AKE performed between the MR and the LFNs, between the MR and its HA, and between VMNs and their HA and CNs.

• The security of the communications on the link between the MR and the LFNs is guaranteed by LR-AKE; MR and LFNs should perform the message exchange illustrated in Fig. 1 before any communication.

• The security of the communications (i.e., signaling and data) on the link between the MR and its HA is guaranteed by LR-AKE.

• The security of the communications (i.e., signaling and data) on the link between the VMN and its HA is guaranteed by LR-AKE.

• The security of the communications (i.e., signaling and data) on the link between the VMN and its CNs is guaranteed by LR-AKE.

• The security of the communications (i.e., signaling and data) on the link between the VMN and MR is guaranteed by the establishment of a shared symmetric key sent by via a path secured by LR-AKE and the procedure proposed in Fig. 4.

The verification data necessary for LR-AKE is stored by the administrator at the HA and at the MR for HA-MR link, by the user at the LFN and at the MR for securing the LFN-MR link and at the VMN and at its HA for securing VMN-HA link.

We expose in the following sections how the handover process for the MR and the VMN is performed. Note that all the encryptions performed in this architecture are based on AES used in counter mode.

A. Architectural Elements

In our scenario, every MR with LFNs belongs to a home domain. When the MR requests a network connection in a particular domain, the process involves the AAA server (AAAF if the MR is in a foreign domain; AAAH if the MR is in its home domain) for billing purposes and the HA for session continuity and authentication purposes. When a VMN requests a network connection in a foreign domain, the process involves the AAA server (AAAF and AAAH) for billing purposes and the HA for authentication purposes and the CN for session continuity. As illustrated in Fig. 2, the AAA infrastructure in a mobile environment is based on a set of servers (AAAF, AAAH) located in different domains. If the MR or the VMN are in a foreign domain, the procedure involves the AR, the AAAF, the AAAH, the HA, and the CN (for the VMN). These are the entities we consider further in the next section. We consider also that the AAAF and the AAAH have a pre-established roaming agreements and therefore have set up a preshared secret key and the AAAH and the HA have a preshared secret key that is encrypted with introduced in Fig. 1 (later is deleted). We also consider that AAAH and HA are collocated or have a trustful relationship as they are part of the same administrative domains.

Fig. 2. Messages flow for registrations to HA with proposed security architecture. k are session keys and r are random numbers used to generate the keys.

Fig. 3. Messages flow during the registrations to HA with proposed security architecture.

B. Messages Flow for MR

The mechanism proposed including all security, AAA, and mobility procedures is illustrated in Figs. 2 and 3. The MR needs first to realize that it is in a foreign network through the exchange of router solicitations and router advertisements. Once the change of network is detected, the MR and its HA use LR-AKE to achieve mutual authentication and to generate the session keys to be used for encrypting the BUs/BAs. Therefore, as illustrated in Figs. 2 and 3, the MR sends the masked message (MM) to its HA. The HA sends back the server authenticator (SA) message to the MR. Upon reception of SA, the MR checks the legitimacy of the HA, sends back the client authenticator (CA) message and generates the session key . Upon reception of CA, the HA authenticates the MR and generates the same key . Finally, the MR can send to its HA a BU encrypted with . Upon reception of BU, the HA sends AAA message request (AMR) encrypted with the secret symmetric key to the AAAH (see footnote 3). After receiving the AMR, the AAAH sends to AAAF a random number encrypted with the preshared secret . The AAAF answers with a random number also encrypted with the preshared secret . Based on this exchange, AAAF and AAAH generate the session key in the following way:

(3)

This key is generated to protect against replay attacks. Then, the AAAH sends AMR encrypted with to AAAF specifying the MR’s CoA and its profile. The AAAF sends back an AAA message acknowledgment (AMA) to show that the authorization is granted to MR. The AAAH informs the HA about the authorization by sending AMA encrypted with . HA thus sends back a BA encrypted with to the MR. Upon reception of BA, the access is granted to the MR and AAAF starts charging for it.

The path between the MR and its HA is secured using LR-AKE that establishes a session key with three-way handshake. The path between both AAA servers is secured using a temporary symmetric session key. The link between AAAH and HA is protected by symmetric key cryptography.

Footnote 3: If AAAH and HA are not collocated and do not belong to the same administrative domain, they can then exchange random numbers to generate a temporary session key as performed in (5).

C. Messages Flow for VMN

The VMN needs first to realize that it is in a foreign network through the exchange of router solicitations and router advertisements with the MR or with other routers in the mobile network. Once the change of network is detected, the VMN and its HA use LR-AKE to achieve mutual authentication and to generate the session keys to be used for encrypting the BUs/BAs. Therefore, the VMN performs the same procedure as the MR to achieve AAA and mobility registration securely, as illustrated in Fig. 2.

The path between the VMN and its HA is secured using LR-AKE that establishes a session key with three-way handshake. The path between both AAA servers is secured using a temporary symmetric session key. The link between AAAH and HA is protected by symmetric key cryptography.

To update its binding at its CN, the VMN needs to perform the following procedure. Once the change of network is detected, the VMN and the CN need to generate the session keys to be used for encrypting the messages exchanged on the path VMN-CN direct and via their respective HAs.

• The path between the VMN and its HA is secured using LR-AKE that establishes a session key with three-way handshake: VMN (playing the role of Client in LR-AKE) performs the three-way handshake as described earlier to generate the session key used to encrypt the BUs and messages sent to HA. The path between CN and its HA is secured in the exact same way using encryption with the session key . Both VMN-initiated and CN-initiated procedures do not have to be simultaneous but CN must have established with its HA prior to VMN’s handover.

• The path between CN’s HA and VMN’s HA is secured by the use of leakage-resilient PKI. Both HAs need to protect their secret keys and the symmetric key (to be used to secure exchanges between HAs) by encrypting them with the secret value introduced in Section IV. is never transmitted, instead random numbers and generated by CN’s HA and VMN’s HA, respectively, are exchanged only once using the HAs’ public keys, as illustrated in Fig. 4. Once this step is achieved, used for all the following exchanges between the given HAs is computed by both HAs in the following way:

(4)

This is done to ensure lower computational cost as the public key cryptosystem is generally known for being 1000 times more time and computation-consuming than the use of a symmetric key (128 bit random number). Therefore, all the following exchanges between both given HAs happen much faster.

• VMN and CN should communicate directly and in a secure way to exchange BUs/BAs. This is ensured by the establishment of a symmetric session key (128 bits random number) that is generated at each endpoint via the exchanges of random numbers on the safe path: . From the VMN to its HA, the random number is encrypted using key generated by LR-AKE . Between both HAs, is encrypted by . Between CN and its HA, is encrypted by generated by LR-AKE. CN sends back to VMN a random number on the same safe path. Finally, VMN and CN can generate the session key to be used to protect their exchanges

(5)

The BUs to the HA can be sent in a secure manner thanks to LR-AKE using the session key , and the BUs sent directly to the CN are secured by the symmetric key . Also, the VMN’s HA establishes only once the session key with the CN’s HA. Moreover, all the VMNs linked to the same HA1 communicating with CNs belonging to the same HA2 use the same symmetric key for performing inter-HA communications and handovers.

D. LR-AKE Considerations

Considering the LR-AKE exchange between MR and its HA and the VMN and its HA, the initialization phase and the public-key verification phase shown in Fig. 1 are only executed once for all when the MR subscribes to its home network. They are not performed at every handover, and therefore are decoupled from the handover delay. The phase triggered at every handover is the session key generation phase (three-way handshake).

Fig. 4. Message flow for registrations to CN for VMN with proposed security architecture. k are session keys and r are random numbers used to generate the keys.

For MIPv6 registrations to CN and to HA, the HAs private keys for PKI and the subsequent session keys between HAs and with AAAH are encrypted with the secret stored value as its key: , where is the key for PKI, is the symmetric key shared between HA and AAAH, is the session key between HAs and represents some public information. Then, the value is deleted on HAs sides. This protects the private key against leakage of stored secrets from both VMN/CN, MR and HAs. The delay to perform protection against leakage is negligible as the HA has high computational power and needs to be done only once and possibly offline.

VI. SECURITY ANALYSIS

Here, we show that the security architecture proposed in Section V not only guarantees the authenticity and the confidentiality of the messages exchanged between MR, LFN, VMN, CN, and HAs, but also provides security against leakage of stored secrets which may be even more important and practical threat in the real world. As we pointed out in Section I, cryptographic protocols used for authentication are totally useless if the stored secrets leak out due to accidents such as lost/stolen devices. Let us consider an attacker who has ability to eavesdrop, modify, and insert the messages exchanged by parties, as well as to have access to parties’ stored secrets (MR in Fig. 2, and VMN and CN in Fig. 4).

Theorem 1: The proposed security architecture of Fig. 2 provides secure BU/BA exchanges if the LR-AKE protocol and the symmetric-key encryption are secure.


Proof: In order to simplify the discussion, we assume that AAAH and HA are the same party so that the communications between them can be done securely. There are three cases for the attacker to break the MIPv6 handover. The first case is to break the underlying symmetric-key encryption that is used to encrypt BU/BA messages with the established temporal session key between MR and HA. The second case is to break the symmetric-key encryption used to encrypt AMR/AMA between AAAF and AAAH. The third case is to break the underlying LR-AKE protocol that is used to authenticate and then generate a session key between MR and HA. Therefore, the overall success probability for the attacker is upper-bounded by

(6)

(7)

where is the case that the attacker does not break the underlying LR-AKE protocol.

Lemma 1: is negligible.

If the symmetric-key encryption is secure, it is obvious.

Lemma 2: is negligible.

Recall that the security of the LR-AKE protocol depends on the password and the stored secret value . So we discuss its security against both online and offline dictionary attacks. In offline dictionary attacks, an attacker who records the communications of one or more sessions tries to eliminate a significant amount of possible passwords so as to impersonate one party. In online dictionary attacks, an attacker can do no better than guess at most one password during each interaction to the parties. While online dictionary attacks can be applied to any password-based protocols, they are not so threatening since they can be detected by the other party and prevented by limiting the number of trials within certain period (e.g., a server that terminates a transaction after three trial-failures on password!).

 can be interpreted as to break the secrecy of session keys in the context of executing the LR-AKE protocol. Without leakage of , the attacker cannot even apply online dictionary attacks since the secrecy of session keys depends on the strong secret . Even if the attacker gets , the secrecy of session keys can be shown where the attacker is confined in Section IV-D. That is, online dictionary attacks are not so threatening with the same reason as the above discussion. Therefore, is negligible, so is .

Lemma 3: is negligible.

If the symmetric-key encryption is secure, it is obvious.

Theorem 2: The proposed security architecture of Fig. 4 provides secure BU/BA exchanges if the LR-AKE protocol, the symmetric-key encryption, and the public-key encryption are secure.

Proof: There are four cases for the attacker to break the MIPv6 handover. The first case is to break the underlying symmetric-key encryption that is used to encrypt BU/BA messages with the established temporal session key between VMN and CN. The second case is to break the symmetric-key encryption used to encrypt random numbers between VMN and MN’s HA. The same case can be considered between MN’s HA and CN’s HA, and between CN and CN’s HA. The third case is to break the underlying LR-AKE protocol that is used to authenticate and then generate a session key between VMN and MN’s HA, and between CN and CN’s HA. The fourth case is to break the underlying public-key encryption used to encrypt random numbers between MN’s HA and CN’s HA. Therefore, the overall success probability for the attacker is upper-bounded by

(8)

(9)

where and are the cases that the attacker does not break the underlying LR-AKE protocol and the public-key encryption, respectively. We omit the remaining proof that each probability is negligible since it can be shown very similarly as in Theorem 1.

VII. DELAY PERFORMANCE ANALYSIS

In this section, we analyze the delay of the proposed handover mechanism. In this paper, we evaluate the time interval between the moment when the MR or the VMN sends a router solicitation and the moment when the MR or the VMN can send and receive IP packets, under various conditions. The analysis consists of four steps.

• The first step consists in the evaluation of the transmission delay of NEMO-MIPv6 messages. It considers the FER of the wireless link and the retransmissions strategies to overcome the losses.

• The second step is similar to the first step but considers the security procedure based on LR-AKE and AAA message exchanges necessary.

• The third step deals with the queueing delays experienced by the different messages on the communication path.

• The fourth step considers the en/decryption delay induced by the LR-AKE cryptographic functions.

A. NEMO-MIPv6 Delay

In this section, we assume the following.

• A random error process.

• A router advertisement is sent only if a router solicitation has been previously received.

• A binding acknowledgment is sent only if a BU has been received previously.

• Error correcting codes are not considered here.

• The link-layer reliability mechanism is assumed to operate in the transparent mode where link layer retransmissions are not performed.

Let be the probability of a frame being erroneous in the air link. Therefore, considering frames contained in a packet, the packet loss rate is .

We denote as the interframe time, being the time interval between the transmissions of two consecutive frames, and as the frame propagation delay through the radio access network (RAN). Therefore, the propagation delay from MR to RAN for a message is .

1) Retransmission Timer: The retransmission timers for MIPv6 follow the exponential backoff mechanism. Let be the initial backoff timer. The backoff timer upon the th transmission doubles after each retransmission. Hence

(10)

The initial retransmission timer can be taken from the specification, see Table II.

2) Retransmission Probability: The probability of retransmission is the probability of a transaction having failed: this means that the first packet sent (solicitation containing frames) is lost or that the first packet is received but the response (advertisement containing frames) is lost. Therefore, the probability of having a retransmission of solicitation is

(11)

(12)

The value of is changing reflecting the size of the messages exchanged in the transaction.

3) Average Transmission Delay: Let be the maximum number of transmissions. The average delay for the successful transmission of the MIP “request” message to the RAN is as follows:

(13)

The handover delay is the addition of the delays for all the messages necessary to perform the handover. The transmission delay to the RAN for the registration to HA is given as

(14)

where is the delay between the RAN and the HA which is mainly Internet delay. The transmission delay to the RAN for the registration to CN is given as

(15)
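The retransmission model of Section VII-A can be exercised numerically with the following added example, which is not code from the paper. The frame-loss and transaction-failure probabilities follow the text directly; because equations (10) to (13) are not reproduced on this page, the mean-delay expression (conditioned on success within the maximum number of transmissions) is an assumed model, and the 1 s initial timer and the frame counts are constructed values standing in for Tables I and II.

```python
import math

# Values stated in Section VIII of the paper.
RAN_DELAY = 0.010    # frame propagation delay through the RAN, seconds
INTERFRAME = 0.001   # interframe time, seconds
MAX_TX = 7           # maximum number of transmissions

# Constructed values (Tables I and II are not reproduced on this page).
INITIAL_TIMER = 1.0  # assumed initial backoff timer, seconds
REQ_FRAMES = 4       # assumed frames in the request (e.g. a BU)
RESP_FRAMES = 4      # assumed frames in the response (e.g. a BA)


def packet_loss(fer, frames):
    """Loss probability of a packet of `frames` frames when each frame fails
    independently with probability `fer` and no link-layer ARQ is used."""
    return 1.0 - (1.0 - fer) ** frames


def retransmission_probability(fer, req_frames, resp_frames):
    """A transaction fails if the request is lost, or if the request arrives
    but the response is lost."""
    lost_req = packet_loss(fer, req_frames)
    lost_resp = packet_loss(fer, resp_frames)
    return lost_req + (1.0 - lost_req) * lost_resp


def backoff_timer(attempt, initial_timer):
    """Timer armed after the `attempt`-th transmission; doubles every time."""
    if attempt < 1:
        raise ValueError("attempt numbers start at 1")
    return initial_timer * 2 ** (attempt - 1)


def mean_request_delay(fer, req_frames, resp_frames,
                       initial_timer, ran_delay, interframe, max_tx):
    """Mean time until the request reaches the RAN on the attempt that
    succeeds, given that one of the `max_tx` attempts succeeds (assumed
    model, not the paper's equation (13))."""
    q = retransmission_probability(fer, req_frames, resp_frames)
    if q >= 1.0:
        return math.inf  # every transaction fails, no finite delay
    one_shot = ran_delay + (req_frames - 1) * interframe
    expected, waited = 0.0, 0.0
    for attempt in range(1, max_tx + 1):
        # Success exactly on this attempt: all earlier timers expired first.
        expected += q ** (attempt - 1) * (1.0 - q) * (waited + one_shot)
        waited += backoff_timer(attempt, initial_timer)
    return expected / (1.0 - q ** max_tx)


def sweep(fers):
    """Mean request delay for each frame error rate in `fers`."""
    return [(fer, mean_request_delay(fer, REQ_FRAMES, RESP_FRAMES,
                                     INITIAL_TIMER, RAN_DELAY,
                                     INTERFRAME, MAX_TX))
            for fer in fers]


if __name__ == "__main__":
    for fer, delay in sweep([i / 100 for i in range(0, 11, 2)]):
        print(f"FER {fer:4.0%}  mean delay {delay * 1000:8.1f} ms")
```

Running the sweep shows how the backoff timers, rather than the per-frame airtime, dominate the delay once the FER rises above a few percent.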

B. Security Delay

The security delay consists of the delay to perform LR-AKE, to establish session keys and to exchange AAA messages.

To evaluate LR-AKE security delay, the same reasoning as MIPv6 delay described in the previous section is used. We assume that the reception of MM messages triggers the transmission of SA messages and SA’s reception triggers transmission of CA messages. We do not consider error-correction codes, and we consider that the link layer reliability mechanism operates in transparent mode.

The probability of retransmission is as mentioned in (12). The average delay for transmitting successfully an th LR-AKE packet is analogous to the one for MIP expressed in (13). The total LR-AKE delay is

(16)

where is the total number of LR-AKE messages necessary to establish the session key between clients and servers.

Concerning the exchanges between AAAH and AAAF, we need to consider the exchange of random numbers and the exchange of AMR and AMA messages. This delay is denoted which takes . The transmission delay of messages exchanged between HA and AAAH is considered negligible as AAAH and HA are assumed to be collocated in the same domain.

The total security delay for registrations to HA is

(17)

For registrations to CN, once LR-AKE is performed, the paths between HAs and the direct path MN-CN are secured with the establishment of session keys and . The key establishment between HAs takes which we consider proportional to Internet delay. The key establishment between MN-CN takes which is the addition of the transmission delay of each necessary message involving (13).

The total security delay for registrations to CN is

(18)

C. Queueing Delay

In this section, we determine the queueing delays of a MIP/LR-AKE message at the MR, the VMN, the HA, and the CN and the queueing delays of AAA messages at the AAA servers. We consider an M/M/1 queueing model at the MR, at the VMN, at the HA, and at the AAA servers. We consider an M/G/1 model for CN because while VMN, MR, and HA perform dedicated tasks, the CN may be serving a variety of non-MIP related tasks with a general service distribution time. We assume that multiple MRs and VMNs are served by HAs and the AAA servers. So, the MIP message arrival rate at the MR and at the VMN is a fraction of the message arrival rate at the HA and at the AAA servers .

Using results from the queueing theory [21], the average queueing delay at the MR and at the VMN follow the same expression:

(19)

where is service rate of the MIP message at MR and at the VMN. The average queueing delays at the HA and at the AAA servers follow the same expression:

(20)

where is the HA’s load and the AAA’s loads.

The queueing delay at the CN is the following:

(21)

where is the load at the destination for non-MIP messages, is the service rate of MIP messages at the destination. The value equals , where and are the second moments of and the service rate of non-MIP messages at the CN , respectively.

The overall average queueing delay for registrations to the HA is the following:

(22)

where is the total number of necessary messages processed by MR for registration to the HA, is the number of messages going through HA, and is the number of messages processed by the AAA servers during the registration.

The overall average queueing delay for registrations to the CN is the following:

(23)

where is the total number of necessary messages to perform the registration (i.e., number of messages necessary for MIPv6 and LR-AKE), is the number of messages going through HA, and is the number of messages processed by the CN.

D. En/Decryption Delay

To evaluate the en/decryption delay, we use measurements obtained with OpenSSL running on the Windows XP platform of a handheld device VAIO type U 1 GHz. The RSA encryption used in LR-AKE needs to perform 16 modular squarings and one modular multiplication when . As a modular squaring can be considered as a modular multiplication, the RSA encryption thus involves 17 multiplications, which take 0.0004 s on our test terminal. Due to the precomputation involved in LR-AKE, only one multiplication needs to be performed during the handover, which takes 23.5 µs.

Also, Advanced Encryption Standard (AES) in counter mode is used to encrypt the BUs, the BAs, and random numbers exchanged between AAA servers and the AAA messages. On the test terminal, we obtain for AES in CBC mode (see footnote 4) 0.04 µs per byte. We multiply this by the amount of data (in bytes) to be encrypted, and we obtain the encryption delay.

E. Handover Delay Expressions

The handover delay is the cumulative delay due to the transmission (see footnote 5) of MIPv6, LR-AKE, and AAA messages, the queueing, and the en/decryption. Therefore, the average handover delay is as follows:

(24)

VIII. NUMERICAL RESULTS

In this section, we present results based on the previous analysis. This section presents the results of the average handover delay for MIPv6-AAA proposed procedure for NEMO. The number and the size of the messages exchanged affect the average handover delay. For the evaluation, the approximate size for each MIP message is obtained from [1]. The number of frames is needed in each case and we take into consideration a channel with 128 kb/s. The values of the delay and the interframe time are set to 10 and 1 ms, respectively. The delay from AR to HA or from AAAH and AAAF or from and is set to 100 ms. For MIPv6, the maximum number of transmissions is set to 7 and the values of the fixed backoff timers are obtained from [1].

Concerning the queueing delay, we assume that the handover message arrival rate is and that the service rate at the HA and the AAA servers are the same (i.e., ). Also, we assume . For the results considering a varying FER, the MIP message arrival rate at the MR, and at the VMN are assumed to be . For the results considering a varying , the FER is kept constant at 1%. The other system parameters values are given in Tables I and II.

The average handoff delay is evaluated at various FER between 0%–10%.

The share of the handover delay that is due to queueing and encryption is relatively small compared with the transmission delays: 115 µs for encryption and 9 ms for queueing. As shown in Figs. 5 and 7, the main contributors in the handover delay are the transmission delays of MIPv6, AAA, key establishment, and LR-AKE messages to perform the handover securely. The handover delay for registrations to CN is 200 ms shorter due to a shorter security procedure that does not involve AAA messages.

Footnote 4: As counter mode is not yet available in OpenSSL, we used the results obtained with CBC mode which is almost the same or a bit slower than the counter mode.

Footnote 5: The Internet delay is included in the transmission delay.

TABLE I: SIZE AND NUMBER OF FRAMES FOR MESSAGES SENT OVER THE WIRELESS LINK

TABLE II: BACKOFF TIMER INTERVALS FOR LR-AKE AND FOR MIPV6 [1]

Fig. 5. Handover delay induced by secure registration to HA for MR and for VMN versus FER.

To encompass the scenario with higher HA load, we compute the handover delay as a function of the messages arrival rate. Fig. 6 shows how little the message arrival rate affects the handover delay. It is in the order of 10 ms for message arrival rate increasing from 50 requests/s to 250 requests/s. So the queueing delays are not the most affecting factors.

The handover delay obtained for registrations to CN and to HA even for low FER is too high to provide session continuity for stringent applications like VoIP. It could provide session continuity for video session if an appropriate buffer is implemented and proactive measures are taken. The crucial parameters to minimize the handover delay are the retransmission timers that are too generous in the specifications of MIPv6, the retransmission mechanisms, and the number and size of messages exchanged. This can be further improved in the future.

Fig. 6. Handover delay induced by secure registration to HA for MR and for VMN versus handover messages arrival rates.

Fig. 7. Handover delay induced by secure registration to CN for VMN versus FER.

IX. CONCLUSION

In this paper, we have proposed and evaluated a new and secure architecture to achieve AAA and handovers for NEMO comprising MRs and VMNs. The handover mechanism proposed is based on MIPv6 and LR-AKE, and protects against classical attacks and leakage of stored secrets. We have analyzed the security of the proposed architecture. We have evaluated the handover delay of the proposed procedure depending on the FER in the wireless link and the server’s load to show the impact of the enhanced security. The main contributors in the handover delay have been considered: transmission, queueing, and encryption processes. The heaviest contributor is the transmission delay due to exchanges of MIPv6 messages, and LR-AKE messages through the wireless link which can be highly erroneous. This can be improved by using fast-handoff and hierarchical MIPv6. LR-AKE and the proposed architecture can easily be transposed in such optimization techniques. On the other hand, the use of link-layer retransmission coupled with appropriate retransmission timers may significantly improve the handover delay even for fast or hierarchical handoff mechanisms.

Moreover, to improve the analytical model used here, one could evaluate the handover delay using a more complex model for correlated errors. Our analytical results will also be compared with measurement results in the future.

REFERENCES

[1] D. Johnson, C. Perkins, and J. Arkko, “Mobility support in IPv6,” IETF, RFC 3775, Jun. 2004.

[2] V. Devarapalli, R. Wakikawa, A. Petrescu, and P. Thubert, “Network mobility (NEMO) basic support protocol,” IETF, RFC 3963, Jan. 2005.

[3] A. Petrescu, A. Olivereau, C. Jeanneteau, and H.-Y. Lach, “Threats for basic network mobility support (NEMO threats),” IETF Internet Draft: draft-petrescu-nemo-threats-01.txt, Jan. 2004, expired.

[4] S. Kent and R. Atkinson, “Security architecture for the Internet protocol,” RFC 2401, Nov. 1998.

[5] S. Jung, F. Zhao, S. F. Wu, and H. Kim, “Threat analysis on network mobility (NEMO),” in Lecture Notes in Computer Science. New York: Springer-Verlag, 2004, Proc. ICICS.

[6] M. Calderon, C. Bernados, M. Bangulo, and I. Soto, “Securing route optimization in NEMO,” in Proc. 3rd Int. Symp. Modeling and Optimization in Mobile, Ad Hoc, Wireless Netw., Apr. 2005, pp. 248–254.

[7] S. Shin, K. Kobara, and H. Imai, “A simple leakage-resilient authenticated key establishment protocol, its extensions and applications,” IECE Trans. Fundamentals, vol. E88-A, no. 3, pp. 736–754, Mar. 2005.

[8] S. Shin, K. Kobara, and H. Imai, “Leakage-Resilient Authenticated Key Establishment Protocols,” in Lecture Notes in Computer Science. New York: Springer-Verlag, 2003, Proc. ASIACRYPT, pp. 155–172.

[9] S. Zrelli, T. Ernst, J. Bournell, G. Valadon, and D. Binet, “Access control architecture for nested mobile environments in IPv6,” in Proc. 4th Conf. Security and Network Architecture (SAR), Jun. 2005, pp. 115–126.

[10] C. Perkins, “Mobile IP joins forces with AAA,” IEEE Pers. Commun., pp. 59–61, Aug. 2000.

[11] P. Engelstad, T. Halselstad, and F. Paint, “Authentication access for IPv6 supported mobility,” in Proc. ISCC 2003, 2003, pp. 569–576.

[12] B. Lee, D. Choi, H. Kim, S. Sohn, and K. Park, “Mobile IP and WLAN with AAA authentication protocol using identity-based cryptography,” in Proc. ICT 2003, 2003, pp. 597–603.

[13] ETSI, Ts 122 105, Release 6 ETSI, Tech. Rep., 2005.

[14] ——, Ts 10129-2, Release 1.3.0 ETSI, 3GPP, Tech. Rep., 2002.

[15] D. Harkins and D. Carrel, “The Internet key exchange (IKE),” IETF, RFC 2409, Nov. 1998.

[16] R. Perlman and C. Kaufman, “Analysis of the IPSec key exchange standard,” in Proc. WET ICE 2001, E. Security, Ed., 2001, pp. 120–131.

[17] C. Kaufman, Internet key exchange (IKEv2) protocol IETF, RFC4306, Dec. 2005.

[18] S. Halevi and H. Krawczyk, “Public-key cryptography and password protocols,” ACM Trans. Inf. Syst. Security, vol. 2, no. 3, pp. 230–268, 1999.

[19] S. Shin, K. Kobara, and H. Imai, “Efficient leakage-resilient authenticated key transport protocol based on RSA,” in Lecture Notes in Computer Science. New York: Springer-Verlag, 2005, Proc. ACNS, pp. 269–284.

[20] ——, “A lower bound of complexity of RSA-based password-authenticated key exchange,” in Lecture Notes in Computer Science. New York: Springer-Verlag, 2005, Proc. EuroPKI 2005, pp. 191–205.

[21] L. Kleinrock, Queuing Systems Vol. I Theory, W. N. York, Ed. New York: Wiley, 1975.

Hanane Fathi (S’05–M’06) received the M.S. de-gree in electrical engineering from Aalborg Univer-sity, Aalborg, Denmark, and the TelecommunicationsEngineering Diploma at Ecole Centrale d’Electron-ique of Paris, Paris, France, both in 2002. She re-ceived the Ph.D. degree in wireless communicationsfrom the Center for TeleInfrastruktur at Aalborg Uni-versity in 2006.

She is currently working at the AIST ResearchCenter for Information Security, Tokyo, Japan.Her research interests include VoIP over wireless

networks, mobility management, authentication schemes, and wireless security.

SeongHan Shin received the B.S. and M.S. degreesin computer science from Pukyong National Univer-sity, Busan, Korea, in 2000 and 2002, respectively,and the Ph.D. degree in information and communica-tion engineering, information science and technologyfrom the University of Tokyo, Tokyo, Japan, in 2005.

From October 2005 to March 2006, he waswith the Institute of Industrial Science, Univer-sity of Tokyo as a Postdoctoral Researcher. SinceDecember 2005, he has been with the ResearchCenter for Information Security, National Institute

of Industrial Science and Technology, Japan, as a Researcher of the ResearchTeam for Security Fundamentals. His research interests include informationsecurity, cryptography and wireless security.

Dr. Shin received the CSS Student Paper Award and the IWS 2005/WPMC2005 Best Student Paper Awards in 2003 and 2005, respectively.

Kazukuni Kobara received the B.E. degree in electrical engineering and the M.E. degree in computer science and system engineering from the Yamaguchi University, Yamaguchi, Japan, in 1992 and 1994, respectively, and the Ph.D. degree in engineering from the University of Tokyo, Tokyo, Japan, in 2003.

From 1994 to 2000 and 2000 to 2006, he was a Technical Associate and a Research Associate, respectively, at the Institute of Industrial Science, University of Tokyo. In 2006, he joined the Research Center for Information Security, National Institute of Advanced Industrial Science and Technology, where he is now Chief Researcher. His current research interests include cryptography, information and network security.

Dr. Kobara is a member of the Institute of Electronics, Information and Communication Engineers (IEICE) of Japan and IACR. He received the SCIS Paper Award and the Vigentennial Award from the ISEC Group of IEICE, in 1996 and 2003, respectively. He also received the Best Paper Award of WISA, the ISITA Paper Award for Young Researchers, and the IEICE Best Paper Award (Inose Award) in 2001, 2002, and 2003, respectively. He served as a member of CRYPTREC (2000–present) and the Vice Chairperson of the WLAN Security Committee of Japan (2003).

Shyam S. Chakraborty received the M.Tech. degree from the Indian Institute of Technology (IIT), Delhi, and the Licentiate of Technology and the Doctor of Science (Technology) from Helsinki University of Technology, Helsinki, Finland.

He has been a Visiting Professor at the Asian Institute of Technology, Guest Professor at Aalborg University, and Guest Researcher at TU-Berlin. He is a Guest Editor of the IETE Journal of Research (Special Issue on Protocols for Resource, Link and Mobility Management). He joined Ericsson Corporate Research in Finland in 2005. He is a Docent to the Department of Electrical and Computer Engineering, Helsinki University of Technology. His research interests are modeling and performance analysis of protocols, multihop networks, diversity combining, link, mobility, signaling and security management, VoIP in wireless systems, etc.

Dr. Chakraborty is a recipient of the Academy Fellowship from the Academy of Finland (2000). He is Guest Editor of the IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS (Special Issue on Multihop Wireless Mesh Networks) and General Co-Chair of the Workshop “Meshnets,” 2005.


Hideki Imai (M’74–SM’88–F’92) was born in Shimane, Japan, on May 31, 1943. He received the B.E., M.E., and Ph.D. degrees in electrical engineering from the University of Tokyo, Tokyo, Japan, in 1966, 1968, and 1971, respectively.

From 1971 to 1992, he was on the faculty of Yokohama National University. In 1992, he joined the faculty of the University of Tokyo, where he is currently a Full Professor in the Institute of Industrial Science. Concurrently, he serves as the Director of Research Center for Information Security, National Institute of Advanced Industrial Science and Technology. His current research interests include information theory, coding theory, cryptography, and information security.

Dr. Imai received the Best Book Awards in 1976 and 1991, Best Paper Awards in 1992, 2003, and 2004, the Yonezawa Memorial Paper Award in 1992, the Achievement Award in 1995, the Inose Award in 2003, and the Distinguished Achievement and Contributions Award in 2004, from the Institute of Electronics, Information and Communication Engineers (IEICE). He also received the Golden Jubilee Paper Award from the IEEE Information Theory Society in 1998, and Official Commendations from the Minister of Internal Affairs and Communications in June 2002, and from the Minister of Economy, Trade and Industry in October 2002. He was awarded the Honor Doctor Degree by Soonchunhyang University, Korea, in 1999, and the Docteur Honoris Causa by the University of Toulon Var, France, in 2002. He is also the recipient of the Ericsson Telecommunications Award 2005. He is a member of the Science Council of Japan. He was elected an IEICE Fellow in 2001. He has chaired many committees of scientific societies and organized a number of international conferences. He served as the President of the Society of Information Theory and Its Applications in 1997, of the IEICE Engineering Sciences Society in 1998, and of the IEEE Information Theory Society in 2004. He is currently the Chair of the Cryptography Techniques Research and Evaluation Committee of Japan (CRYPTREC).

Ramjee Prasad (M’88–SM’90) was born in Babhnaur (Gaya), Bihar, India, on July 1, 1946. He received the B.Sc. degree in engineering from the Bihar Institute of Technology, Sindri, India, the M.Sc. degree in engineering and the Ph.D. degree from the Birla Institute of Technology (BIT), Ranchi, India, in 1968, 1970, and 1979, respectively.

Since June 1999, he has been with Aalborg University, Aalborg, Denmark, where he is currently Director of the Center for Teleinfrastruktur (CTIF), and holds the Chair of Wireless Information and Multimedia Communications. He is a project leader of several international, industrially funded projects. He is the Coordinating Editor and Editor-in-Chief of the Springer International Journal on Wireless Personal Communications and a member of the editorial board of other international journals. He has published over 500 technical papers, contributed to several books, and has authored, coauthored, and edited 16 books.

Dr. Prasad has received several international awards; the latest being the Telenor Nordic 2005 Research Prize (website: http://www.telenor.no/om/). He is Coordinator of the European Commission Sixth Framework Integrated Project MAGNET (My personal Adaptive Global NET). He was involved in the European ACTS project FRAMES (Future Radio Wideband Multiple Access Systems) as a DUT Project Leader. He is also the founding Chairman of the European Center of Excellence in Telecommunications, known as HERMES, and he is now Honorary Chair. He is a Fellow of IEE, a Fellow of IETE, a member of The Netherlands Electronics and Radio Society (NERG), and a member of IDA (Engineering Society in Denmark). He is advisor to several multinational companies. He has served as a member of advisory and program committees of several IEEE international conferences.