simple and low-cost re-authentication protocol for henb
TRANSCRIPT
China Communications January 2013 105
NETWORK TECHNOLOGY AND APPLICATION
Simple and Low-Cost Re-Authentication Protocol for HeNB LAI Chengzhe, LI Hui, ZHANG Yueyu, CAO Jin
State Key Laboratory of Integrated Service Networks, Xidian University, Xi’an 710071, China
Abstract: The 3rd Generation Partnership Project (3GPP) defined a new architecture, called Home eNode B (HeNB). The 3GPP has also presented a protocol for communications between HeNB and core networks for mutual authentication. To reduce the authentication costs associated with communication, compu-tation and energy, this paper proposes a simple and low-cost re-authentication protocol that does not compromise the provided security services. The proposed protocol uses as the re-authentication parameter a Master Session Key (MSK) that has already been computed in the initial authentication, and does not require the full initial authentication to be repeated. Moreover, the proposed protocol does not modify the 3GPP infrastructure, and is easily applied to the HeNB system. Finally, the secu-rity of the proposed protocol is verified by Automated Validation of Internet Security Protocols and Applications (AVISPA) and Burrows-Abadi-Needham (BAN) Logic; de-tailed evaluations of performance are also given. The analysis results illustrate that the proposed protocol can achieve at least 50% cost reduction in communication and 58% cost reduction in energy. The computational cost is also reduced by half compared with the initial authentication.
Key words: HeNB; authentication; security;
3GPP
I. INTRODUCTION
Home eNode B (HeNB) [1] is defined by the
3rd Generation Partnership Project (3GPP) in
release 9, also referred as femtocell. It is a
base station that enables small cellular com-
munication and typically designed for use in
residential or small business environments.
Some security risks have emerged with the
introduction of HeNB [2]. The 3GPP specifies
the threats, the requirements and the corre-
sponding solutions of HeNB in Ref. [3]. 3GPP
points that the following authentications are
necessary for HeNB authentication: a) Mutual
authentication between HeNB device and the
operator’s network. Authentication algorithms
using the credentials stored in the Trusted En-
vironment (TrE) should be executed inside the
TrE. b) Authentication of the Hosting Party
(HP) by the operator’s network: the identity of
the hosting party is authenticated by the op-
erator’s network, and this authentication is
optional.
Among several authentication issues, com-
bined device and HP authentication is an im-
portant security mechanism; it makes sure that
HeNB device can access Core Network (CN)
safely. To achieve this aim, the 3GPP has
proposed a method that combined certificate and
Extensible Authentication Protocol for Authen-
tication and Key Agreement (EAP-AKA) -based
authentication running within Internet Key
Exchange (IKEv2) protocol between HeNB
and Security GateWay (SeGW) for mutual
authentication of HeNB and CN. However, to
the best of our knowledge, it has not given a
special re-authentication protocol for HeNB
Revised: 2012-07-31 Accepted: 2012-10-18 Editor: HAO Weimin
106 China Communications January 2013
system. As the full initial authentication pro-
tocol will induce a large amount of authentica-
tion overhead, such as computational and en-
ergy cost for cryptographic operations and
communication cost for exchanging of authen-
tication signaling, it is necessary to design a
re-authentication protocol for HeNB system.
In previous works, Refs. [4-12] have proposed
some solutions implementing re-authentication;
Refs. [4, 6-7, 9-10] aimed to optimize authen-
tication protocol and reduce re-authentication
delay; Refs. [5, 8, 11] tried to enhance robust-
ness of re-authentication; and Refs. [12] pro-
vided an enhanced privacy protection mecha-
nism for re-authentication. However, all of the
existing protocols introduce different authen-
tication frameworks that make major changes
to the network architecture of the 3GPP stan-
dard; therefore they can not be applied to the
HeNB system. Based on above considerations,
we design a special re-authentication protocol
for HeNB system.
In this paper, we propose a simple and
low-cost re-authentication protocol for HeNB
without compromising the provided security
services. It does not modify the infrastructure
in 3GPP and can be applied easily to the
HeNB system. The protocol uses Master
Session Key (MSK) that has been already
computed in the initial authentication as the
re-authentication parameter; therefore, the full
EAP-AKA combined certificate running within
IKEv2 authentication protocol is avoided in
the re-authentication, and the exchange of
authentication signaling messages and the
calculation of authentication parameters are
reduced.
The remainder of the paper is organized as
follows. We specify HeNB security architec-
ture and the initial authentication protocol in
Section II. In Section III, the proposed
re-authentication protocol based on 3GPP
standard is presented. An analysis of security
and performance of the proposed protocol are
provided in Section IV. Finally, conclusions
are offered in Section V.
II. BACKGROUND
2.1 Network architecture of HeNB system The system architecture of HeNB is shown in
Figure 1, and described as follows [13]:
1) User Equipment (UE): a standard user
equipment for Universal Mobile Telecommu-
nications System (UMTS) (for HNB) or Long
Term Evolution (LTE) networks (for HeNB).
Note that, the air interface between UE and
HeNB is a backwards compatible air interface
in UMTS Terrestrial Radio Access Network or
Evolved Universal Terrestrial Radio Access
Network.
2) SeGW: a network element at the border
of the operator’s CN. After successful mutual
authentication between the HeNB and the
SeGW, the SeGW connects the HeNB to the
CN. Any connection between the HeNB and
the CN is tunneled through the SeGW.
3) Local GateWay (L-GW) is specified in
TS 23.060 [14] and in TS 23.401 [15]. In this
paper, it is not involved in re-authentication
protocol.
Fig.1 Network architecture of HeNB system
HeNB is a kind of LTE macro Radio Access Network for deploy-ment in the home. To reduce its initial aut-hentication costs in terms of communica-tion, computation and energy, this paper proposes a reauthent-ication protocol with-out compromising the provided security ser-vices. Meanwhile, the analysis results show that the proposed re-authentication proto- col can provide better performance compar-ed to the initial authe-ntication.
China Communications January 2013 107
4) Authentication, Authorization and Accounting (AAA) server and Home Sub-scriber Server (HSS): HSS stores the sub-scription data and authentication information of the HeNBs. When hosting party authentica-tion is required, AAA server authenticates the hosting party based on the authentication in-formation retrieved from HSS.
HeNB Management System (HeMS) and HeNB GateWay (HeNB-GW) are specified in TS 32.593 [16] and TS 36.300 [17], respec-tively, both of which are not involved in our re-authentication protocol.
2.2 Initial authentication protocol
Figure 2 illustrates an autonomous device
integrity check followed by initiation of com-
bined device and HP authentication protocol,
including the certificate-based mutual authen-
tication between the HeNB and the CN, fol-
lowed by an EAP-AKA-based HP authentica-
tion exchange between the HeNB and the
AAA server.
In the initial authentication protocol, at the
beginning, both the HeNB and the SeGW
share a bidirectional IKE_SA that provides
confidentiality and integrity services to the
following IKEv2 messages (Figure 2: Steps
2-3). After that, HeNB and SeGW perform a
combined device and HP authentication pro-
tocol using certificate by EAP-AKA [18]
Fig.2 Initial authentication based on EAP-AKA running within IKEv2
108 China Communications January 2013
running within IKEv2 [19] (Figure 2: Steps 4-20). Note that, there is a trusted relationship between the SeGW and the AAA server and a pre-established IPsec tunnel between them that protects the exchange of Diameter mes-sages [20]. Finally, an IPsec tunnel is estab-lished between the HeNB and the SeGW that provides security services to the transmitted data (Figure 2: Steps 21-22).
III. PROPOSED RE-AUTHENTICATION PROTOCOL
3.1 Modification to the initial au-thentication protocol
To implement our re-authentication protocol, it needs minor changes to the initial authenti-cation protocol. In Figure 2: Step 10, when AAA server received AVs from HSS, it com-putes an MSK as follows.
( || || )MSK prf CK IK Identity= (1)
Where prf is a pseudo-random function, “||” denotes concatenation, CK is the encryption key, IK is the integrity key, Identity belongs to HeNB. In the initial authentication, MSK is a key material and used to calculate AUTH payload, in our scheme, MSK is also an au-thentication parameter for re-authentication phase.
Then AAA server stores the calculated MSK and creates a list that binds the identity of HeNB with corresponding MSK. Similarly, HeNB computes an MSK using equation (1) and stores it.
Fig.3 Proposed re-authentication protocol
3.2 Proposed re-authentication protocol
Figure 3 shows our proposed re-authentication protocol, which works as follows.
Step 1. When HeNB performs re-authe-ntication protocol, at the beginning, to initiate IKEv2, the HeNB sends the SAi1 (the set of cryptographic algorithms which SeGW sup-ports for IKE_SA), the KEi (Diffie-Hellman value) and a nonce value Ni to the SeGW.
Step 2. Accordingly, the SeGW answers with a message that contains its SAr1 (the set of cryptographic algorithms from which SeGW picks for IKE_SA), the Diffie-Hellman value KEr to complete the DH exchange for SeGW and its Nr. At this moment, the HeNB and the SeGW share a bidirectional IKE_SA that provides confidentiality and integrity ser-vices to the following IKEv2 messages.
Step 3. After the establishment of the IKE_SA, the HeNB sends its identity ID-HeNB, its nonce NHeNB used to prevent re-play attack, the SAi2 payload, the traffic se-lectors (TSi and TSr), the CFG_REQUEST that the HeNB requested for a remote IP address, and AUTHHeNB that is a MAC value com-puted over the first IKEv2 message using the stored MSK and its NHeNB, which is used for the HeNB’s authentication, to the SeGW:
( || )HeNB HeNBAUTH prf MSK N= (2)
Step 4. Then, the SeGW forwards IDHeNB to the AAA server. AAA server uses IDHeNB to search the list that binds the identity of HeNB with corresponding MSK which is cre-ated in the initial authentication phase. If AAA server finds corresponding MSK, it sends the MSK to the SeGW via the Diameter protocol.
Step 5. Upon receiving the MSK, the SeGW verifies the AUTHHeNB using received NHeNB in order to authenticate the HeNB. Next, it generates the AUTHSeGW by computing an MAC over the second IKEv2 message using the obtained MSK as follows:
( || )SeGW SeGWAUTH prf MSK N= (3)
Then the SeGW sends it to the HeNB. In addi-
tion, this message also includes nonce NSeGW,
the traffic selectors (TSi and TSr), the SAr2
China Communications January 2013 109
payload and the assigned HeNB’s remote IP
address that is included in the the configura-
tion payload (CFG_REPLY). Step 6. In order to complete the re-authen-
tication protocol, the HeNB verifies the AUTHSeGW using the MSK and NSeGW for au-thenticating the SeGW. After successful veri-fication, the HeNB and the SeGW have been authenticated mutually using the AUTHHeNB and AUTHSeGW respectively, which are com-puted using the MSK computed in the initial authentication. Finally, an IPsec tunnel is es-tablished between the HeNB and the SeGW that provides security services to the transmit-ted data.
IV. EVALUATIONS OF THE RE-AUTHENTICATION PROTOCOL
4.1 Security evaluation
4.1.1 Security analysis
The proposed protocol first satisfies the fol-lowing basic properties of IKEv2 protocol.
Confidentiality: The established IPsec em-ploying the ESP protocol can provide confidentiality services.
Integrity: The established IPsec employing the ESP protocol can provide integrity ser-vices.
Anonymity protection: The application of IKEv2 can provide anonymity protection, since the user’s identity (i.e., IMSI) as well as the identities of the requested services (i.e.,W-APN) are delivered securely using the IKE_SA.
Perfect Forward Secrecy (PFS): IKEv2 protocol can guarantee that an attacker cannot compute fresh session keys from a leak key.
Protection against traffic analysis: IPsec operating in tunnel mode (encapsulates and protects the entire IP packet including the IP header) can protect the exchanged IP packets from traffic analysis.
Further security analysis of our scheme is as follows.
Mutual authentication and key agree-ment: In the proposed re-authentication pro-tocol, HeNB is identified by its IDHeNB, the only condition for successful authentication is
that the HeNB possesses the same MSK with the one that is pre-stored in the network for it. The MSK for the HeNB is generated during the initial authentication protocol, by applying a one-way function on the HeNB’s identity, the CK and IK, and a Nonce. Both CK and IK are directly derived from the pre-shared key K that is assigned to the HeNB when it is sub-scribed to the 3G/LTE home network. More-over, the AAA server has stored the calculated MSK and created a list that binds the identity of HeNB with corresponding MSK. Therefore, it is evident that the proposed re-authentication can correctly provide mutual authentication and key agreement between the HeNB and SeGW on behalf of CN.
Security of MSK: The ways in which the adversary could reveal the MK key are: (i) retrieving the MSK from AUTHHeNB or AUTHSeGW; (ii) compromising the security of the entities that store the MSK (i.e., the HeNB device and the AAA server);
For case (i), the adversary may get physical access to the channel and obtain AUTHHeNB or AUTHSeGW. Then, from AUTHHeNB or AUTHSeGW it tries to retrieve the MSK. How-ever, this cannot be realized, since it requires the inversion of the one-way hash functions used for the generation of AUTHHeNB or AUTHSeGW. Moreover, since the generation of the MSK is not based on a password, the ad-versary cannot retrieve it by performing a dic-tionary attack.
Attack (ii) targets the HeNB device and the AAA server. Specifically, the adversary may attempt to retrieve the stored MSK either from the HeNB device by using a malicious piece of software (such as viruses, worms, etc.), or from the AAA server by invading the security of the 3GPP core network. To defeat such at-tacks, the HeNB device must be protected from rogue code and the MSK must be stored in an encrypted form. Moreover, the AAA server must be secured by using firewalls, which protect it from unauthorized penetration and external attacks.
Man-in-the-Middle (MitM) attack: Be-cause the IKEv2 protocol runs between the HeNB and SeGW, and Diameter protocol
110 China Communications January 2013
executes between the SeGW and the AAA server, the tunnel between the HeNB and the AAA server is secure. In that way, the proposed re-authentication can protect against MitM attack.
Replay attack: Due to the parameter NHeNB and NSeGW included in the AUTHHeNB and AUTHSeGW respectively, in each authentica-tion protocol, NHeNB and NSeGW are different. Even if an attacker acquires the NHeNB or NSeGW in an authentication protocol, he still can not fake the AUTHHeNB or AUTHSeGW by reusing it in a new authentication protocol.
DoS attack: Attempting to perform a DoS attack, an adversary may try to flood the SeGW, which is located in the operator’s CN, and deplete the resources of the CN. However, this can be avoided. We can introduce special mechanism which instructs the messages for-warded to the SeGW that are sent only by au-thenticated users and discard any other mes-sages. In addition, IKEv2 protocol used in authentication procedures can also resist DoS attacks.
4.1.2 Formal verification
The primary goal of our proposed protocol is to provide mutual authentication service be-tween HeNB device and CN. To verify this, we test our protocol using formal security verification tool known as the AVISPA [21]. AVISPA package is a state-of-the-art tool for the automatic verification and analysis of In-ternet security protocols. AVISPA integrates automatic security analysis and verification back-end servers like “On-the-Fly Model- Checker” (OFMC), “Constraint-Logic-based Attack Searcher” (Cl-AtSe), and SAT-based Model-Checker (SATMC). Protocols under examination by AVISPA must be coded in the “High Level Protocol Specifications Lan-guage” (HLPSL) to be tested by the back-end servers. We use OFMC and Cl-AtSe to text our re-authentication protocol. The HLPSL code is omitted.
The goal of our proposed protocol is to provide mutual authentication service between HeNB and CN. The analysis goal of the model is shown in Table I.
Table I Analysis goals of the model
goal
authentication_on rand1
authentication_on rand2
end goal
enviroment()
We set the depth of the search to be five
and the output of the model checking results is
shown in Figure 4. Figure 5 is the output of
the model checking results of Cl-AtSe.
From Figures 4-5, we can conclude that the
proposed scheme holds the security properties
and it can resist those malicious attacks such
as replay attacks, MitM attacks, and secrecy
attacks under the test of AVISPA.
Fig.4 Results reported by the OFMC
Fig.5 Results reported by the Cl-AtSe
China Communications January 2013 111
Finally, we use the formal method BAN
Logic [22] to prove the security of our proto-
col as follows.
1. The formal messages:
(Message1) HeNB →SeGW: IDHeNB, NHeNB,
( || )HeNB HeNBAUTH prf MSK N= ;
(Message2) SeGW →AAA server: IDHeNB;
(Message3) AAA server→SeGW: MSK =
( || || )prf CK IK Identity ;
(Message4) SeGW → HeNB:NSeGW, ( || )SeGW SeGWAUTH prf MSK N= ;
2. Security Assumptions:
(a) It is assumed that K is a secure key
which is shared between the HeNB and the
corresponding HSS. 1) HeNB has the secure key K and
| KHeNB HeNB HSSº .
2) HSS has the secure key K and
| KHSS HeNB HSSº .
3) HeNB has the secure key MSK and
| MSKHeNB HeNB AAAserverº .
4) AAA server has the secure key MSK and
| MSKAAAserver HeNB AAAserverº .
(b) It is assumed that the SeGW trusts the AAA server.
1) SeGW |≡ AAA server..
(c) It is assumed that the communication
between AAA server and SeGW is secure. 1) | PSeGW SeGW AAAserverº , where
P is the conveyance messages between SeGW and AAA server.
2) | PAAAserver SeGW AAAserverº ,
where P is the conveyance messages be-tween SeGW and AAA server.
3. Protocol goals:
(a) Mutual authentication between HeNB
and SeGW.
4. Statements and analysis:
(a) (Goal 3.a) Mutual authentication be-
tween HeNB and SeGW. 1) Since Message 1, SeGW (IDHeNB,
NHeNB, ( || )HeNB HeNBAUTH prf MSK N= );
2) Since Message 2, AAA server IDHeNB;
3) For message-meaning rule and 2.a), 2.b),
2,c) and 4.a.1), 4.a.2)
| , ( || )
| | |~ ( , ( || )) | #
MSKHeNB HeNB
HeNB HeNB HeNB
AAAserver HeNB AAAserver AUTH f MSK N
AAAserver HeNB SeGW N f MSK N SeGW N
º =º º º
4) Since Message 3, SeGWMSK. 5) For nonce-verification rule, 4.a.3),
| # , | |~ ( || )
| | ( || )HeNB HeNB
HeNB
SeGW N SeGW AAAserver f MSK N
SeGW AAAserver f MSK N
º ºº º
6) For jurisdiction rule and 4.a.5)
| ( || ), |~ ( || )
| |HeNB HeNBSeGW AAAserver f MSK N SeGW HeNB f MSK N
SeGW AAAserver HeNB
º º º
7) Since Message 4, HeNB (NSeGW, ( || )SeGW SeGWAUTH prf MSK N= );
8) For message-meaning rule and 2.a),
4.a.5),
| , ( )
| | |~ ( , ( )) | #
MSKSeGW SeGW
SeGW
HeNB HeNB AAAserver AUTH f MSK N
HeNB AAAserver SeGW NSeGW f MSK NSeGW HeNB N
º =º º º
9) For nonce-verification rule, 4.a.8),
| # , | |~ ( || )
| | ( || )SeGW SeGW
SeGW
HeNB N HeNB AAAserver f MSK N
HeNB AAAserver f MSK N
º ºº º
10) For jurisdiction rule and 4.a.9)
| ( || ), |~ ( || )
| |SeGW SeGWHeNB AAAserver f MSK N HeNB SeGW f MSK N
HeNB AAAserver SeGW
º º º
11) By 4.a.6), 4.a.10)→ (HeNB |≡AAA
server|≡SeGW)∧(SeGW |≡AAA server ≡
HeNB)→ (HeNB |≡ SeGW)∧ (SeGW |≡
HeNB), therefore, the goal of mutual authen-
tication between HeNB and SeGW is held.
Since 4.a.11), the protocol goal is held. From
test results and security analysis, we can con-
clude that our re-authentication protocol can
provide adequate security services and has not
lower the security level of the initial authenti-
cation.
4.2 Cost analysis
4.2.1 Communication cost analysis
According to Ref. [23], we assume that the
transmission cost of a message between the
HeNB and the AAA server is one unit, and
between the HeNB and the SeGW is a unit. It
is expected that a < 1 since the distance be-
tween HeNB and the SeGW is shorter than the
distance between HeNB and the AAA server.
Similarly, we assume that the delivery cost of
a message between the AAA server and the
SeGW is b unit, b<1, and the delivery cost of a
112 China Communications January 2013
message between the AAA server and the HSS
is c unit, c<1.
As shown in Figure 2, to estimate the communication cost of the initial authentica-tion, we consider two distinct cases. In the first case, the AAA server must obtain fresh au-thentication vectors from the HSS, it involves: 1) the exchange of eight messages between the HeNB and the SeGW; 2) the exchange of four messages between the SeGW and the AAA server; and 3) the exchange of two messages between the AAA server and the HSS for ob-taining fresh authentication vectors.
In the second case, the AAA server has al-
ready had a fresh authentication vector (i.e.,
from a previous authentication of the HeNB),
and it does not communicate with the HSS.
Thus, the expected communication cost of the
initial authentication is:
1 10 4 2iniC a b= + + (4)
2 10 4iniC a b= + (5)
From Eqs. (4-5) we can deduce that the to-
tal communication cost for the initial authen-
tication is:
1 2
1 1
(10 4 ) 2
ini ini inin
C C Cn nn a b c
n
-= +
+ +=
(6)
where n means that the AAA server will obtain
n authentication vectors from HSS.
As shown in Figure 3, the proposed
re-authentication involves the exchange of
Fig. 6 Communication cost improvement I
four messages between the HeNB and the
SeGW, and two messages between the SeGW
and the AAA server. The AAA server does not
communicate with the HSS, thus, the expected
re-authentication communication cost is:
4 4reC a b= + (7)
We can figure out that the improvement I of
the communication cost of the proposed re-
authentication over the initial authentication
is:
3
5 2ini re
ini
C C an cI
C an bn c
- += =
+ + (8)
In order to facilitate analysis, we set a= 0.5,
b=0.5. The results are shown in Figure 6. We
draw the communication cost improvement I
of the proposed protocol over the initial au-
thentication as a function of the size n of au-
thentication vectors and the value c that stands
for the message transmission cost between the
AAA server and the HSS. As can be seen from
Figure 6, when the size n of authentication
vectors decreases, the communication cost
improvement of the proposed protocol in-
creases, which is because the AAA server
must communicate more frequently with the
HSS to obtain fresh authentication vectors in
the full initial authentication protocol. More-
over, when the message transmission cost c
increases, the communication cost improve-
ment of the proposed protocol also increases.
The reason for the phenomenon is that the
proposed re-authentication scheme does not
need the message exchanging for getting au-
thentication vectors between the AAA server
and the HSS, thus it avoids the additional cost
of obtaining authentication vectors.
4.2.2 Computational cost analysis
We further compare the initial authentication
and our re-authentication on the computational
cost. Firstly, the time used for the primitive
cryptography operations has been measured
by using C/C++ OPENSSL library [24] tested
on an Celeron 1.1GHZ processor as an HeNB
and Dual-Core 2.6GHZ as an SeWG in Table
II. Table III shows the length of authentication
time. The experiment results show that the
China Communications January 2013 113
Table II Time costs of the primitive cryptography
operations (1024 bits)
(ms) TE1 TH
2 TRV3 TPM
4
HeNB 1.698 0.035 6 0.957 1.537
SeGW 0.525 0.012 1 0.301 0.475
1 modular exponentiation. 2 hash. 3 RSA verication. 4 point muliplication.
Table III Comparison of computational cost
(ms) Initial authentication Re-authentication
THeNB1
2TE+4 TH+TRV+2TPM =7.569 4
TE+2TH +TPM =3.947
TSeGW2
2TE+2 TH+TRV+2TPM =2.325 2
TE+2 TH +TPM =1.024 2
1 the total operation time of HeNB. 2 the total operation time of SeGW.
operation cost by our scheme is much less
than that of the initial authentication.
From Table III, we can see that our re-
authentication protocol can effectively reduce
computational cost. Compared with the initial
authentication, the computational cost of
HeNB declines to 52%, and the computational
cost of SeGW is down to 44%.
4.2.3 Energy cost analysis
According to the analysis method of Ref. [23],
the energy cost contains the following sections:
1) the IKEv2 message sending and receiving;
2) the computation of an authentication value
generating or verifying an MAC; 3) the com-
putation of an authentication value generating
or verifying a certificate; 4) the computation
of keys using the EPS-AKA algorithms; 5) the
computation of keys using the Diffie-Hellman
algorithm and 6) the encryption or decryption
of an IKEv2 message. The notation of the en-
ergy cost is shown in Table IV. The energy
costs of initial authentication and re-authen-
tication are respectively:
2
/
2 4 8
6ini CER IKEv
ENC DEC KEY DH KEY EPS
E E MAC E
E K E- -
= ´ + ´ + ´ +
+ + (9)
Table IV Notation of the energy cost
Notation Definition
EIKEv2 The energy cost of sending or re-ceiving an IKEv2 message
EMAC The energy cost of generating or verifying an MAC
ECER The energy cost of generating or verifying a certificate using a public key algorithm
EKEY-EPS The energy cost of keys calculation using the EPS-AKA algorithms
EKEY-DH The energy cost of keys calculation using the Diffie-Hellman algorithm
ENONCE The energy cost of generating a Nonce
EENC/DEC The energy cost of IKEv2 message encryption or decryption
2 /2 4 2
2re IKEv ENC DEC
KEY DH NONCE
E MAC E E
K E-
= ´ + ´ + +
+ (10)
From Ref. [23], because energy costs of
EIKEv2, EMAC, EKEY-EPS and ENONCE can be neg-
ligible, we set the ratio of energy cost of
re-authentication and initial authentication as
follows.
/
/
2
2 6ENC DEC KEY DH
CER ENC DEC KEY DH
E E
E E Kh -
-
´ +=
´ + + (11)
We can use the analysis of Ref. [25] to ob-
tain the results shown in Tables V and VI.
Table V The ratio of energy cost of re-authentication and initial authentication (EKEY-DH =1024 bits)
EPUB EENC/DEC
0.42 RSA, 102 4 bits RSA, 102 4 bits
0.34 DSA, 102 4 bits RSA, 102 4 bits
0.26 ECDSA, 163 bits RSA, 102 4 bits
Table VI The ratio of energy cost of re-authentication and initial authentication (EKEY-DH =512 bits)
EPUB EENC/DEC
0.32 RSA, 102 4 bits RSA, 102 4 bits
0.22 DSA, 102 4 bits RSA, 102 4 bits
0.13 ECDSA, 163 bits RSA, 102 4 bits
Tables V and VI show the ratio of energy
114 China Communications January 2013
cost of re-authentication and initial authentica-
tion when EENC/DEC =1024 bits and 512 bits
respectively. Analysis results show that the
proposed re-authentication protocol reduces
the computational processing and conse-
quently the energy consumption at HeNB
compared with the initial authentication. We
can observe that the energy cost of re-authen-
tication reduces to less than 50% of initial
authentication regardless of implementing
cryptographic algorithms.
V. CONCLUSION
This paper presented a simple and low-cost
re-authentication protocol for HeNB. The
proposed protocol can greatly reduce the au-
thentication cost of the initial authentication
and does not modify the 3GPP standard infra-
structure. Our protocol uses MSK that has
already been computed in initial authentica-
tion as the re-authentication parameter; there-
fore the full EAP-AKA running within IKEv2
authentication protocol is avoided in the
re-authentication; the exchange of authentica-
tion signaling messages and the calculation of
authentication parameters are reduced. The
final analysis showed that our re-authentication
protocol has not lower the security level of
initial authentication. In addition, the analysis
results of performance illustrated that the
proposed protocol can achieve at least 50%
cost reduction in communication and 58% cost
reduction in energy, and the computational
cost is also reduced by half compared with
initial authentication.
ACKNOWLEDGEMENT
This work was supported by the China Schol-
arship Council; the National Natural Science
Foundation of China under Grants No.
60772136, No. 61102056; the Fundamental
Research Funds for the Central Universities
under Grant No. JY10000901025; the project
supported by Natural Science Basic Research
Plan in Shaanxi Province of China under
Grant No. 2011JQ8042.
References [1] 3GPP. Architecture Aspects of Home NodeB
and Home eNodeB, 3GPP TS 23.830 v9.0.0[S], September, 2009.
[2] LAI Chengzhe, LI Hui, ZHANG Yueyu, et al. A Fast Authentication Method for Mobile User Accessing to Core Network via Home NodeB/eNodeB[C]// Proceedings of the 2010 China Communication Security Conference: August 6-8, 2010, Yunnan, China. National Defense Industry Press, 2010: 61-65.
[3] 3GPP TR 33.820 v8.3.0: Security of H(e)NB (Rel. 8) [S], Dec. 2009.
[4] AURA T, ROE M. Reducing Reauthentication Delay in Wireless Networks[C]// Proceedings of the 1st International Conference on Secu-rity and Privacy for Emerging Areas in Com-munications Networks: September 5-9, 2005, Athens, Greece, 2005: 139-148.
[5] GANZ A, PARK S H, GANZ Z. Robust Re-Authentication and Key Exchange Protocol for IEEE 802.11 Wireless LANs[C]// Proceed-ings of the IEEE Military Communications Conference: October 19-21, 1998, Boston, MA, USA, 1998, 3: 1018-1022.
[6] NARAYAN V, DONETI L. Eap Extensions for Eap Re-Authentication Protocol (erp), RFC 5296[S], August, 2008.
[7] CLANCY T, NAKHJIRI M, NARAYANAN V, et al. Handover Key Management and Re-Authentication Problem Statement, IETF RFC 5169[S], March, 2008.
[8] HARSKIN D, OHBA Y, NAKHJIRI M, et al. Prob-lem Statement and Requirements on a 3-Party Key Distribution Protocol for Handover Key-ing, IETF Internet Draft: draft-ohba-hokey- 3party-keydist-ps-01[S], March, 2007.
[9] LIN S, CHIU J, LEE G. A Fast Iterative Localized Re-Authentication Protocol for Heterogene-ous Mobile Networks [J]. IEEE Transactions on Consumer Electronics, 2010, 56(4): 2267-2275.
[10] LI Guangsong, CHEN Xi, MA Jianfeng. A Tick-et-Based Re-Authentication Scheme for Fast Handover in Wireless Local Area Net-works[C]// Proceedings of the 2010 6th In-ternational Conference on Wireless Commu-nications Networking and Mobile Computing (WiCOM): September 23-25, 2010, Chengdu, China, 2010: 23-25.
[11] YANG Fan, CAI Yi. Re-Authentication Design for PKMv2 of IEEE 802.16e Standard[C]// Proceedings of the 2010 International Con-ference on Computational Intelligence and Software Engineering (CiSE): December 10-12, 2010, Wuhan, China, 2010: 1-4.
China Communications January 2013 115
[12] PERENIGUEZ F, KAMBOURAKIS G, MARIN-LOPEZ R, et al. Privacy-Enhanced Fast Re-Authentication for EAP-Based Next Gen-eration Network [J]. Computer Communica-tions, 2010, 33(14): 1682-1694.
[13] 3GPP. Security of Home Node B (HNB)/Home Evolved Node B (HeNB), 3GPP TR 33.320 v11.3.0[S], September, 2011.
[14] 3GPP. General Packet Radio Service (GPRS); Service Description; Stage 2, 3GPP TS 23.060[S], September, 2011.
[15] 3GPP. General Packet Radio Service (GPRS) Enhancements for Evolved Universal Terres-trial Radio Access Network (E-UTRAN) Access, 3GPP TS 23.401[S], August, 2011.
[16] 3GPP. Telecommunication Management; Pro-tocol Flows for Type 1 Interface H(e)NB to H(e)NB Management System (H(e)MS), 3GPP TS 32.593[S], September, 2011.
[17] 3GPP. Evolved Universal Terrestrial Radio Ac-cess (E-UTRA) and Evolved Universal Terres-trial Radio Access Network (E-UTRAN); Overall Description; Stage 2, 3GPP TS 36.300[S], Sep-tember, 2011.
[18] ARKKO J, HAVERINEN H. EAP-AKA Authenti-cation, RFC 4187[S], January, 2006.
[19] KAUFMAN C. The Internet Key Exchange (IKEv2) Protocol, RFC 4306[S], December, 2005.
[20] CALHOUN P, LOUGHNEY J, GUTTMAN E, et al. Diameter Base Protocol, RFC 3588[S], Sep-tember, 2003.
[21] AVISPA—Automated Validation of Internet Secu-rity Protocols [EB/OL]. http://www.avispa-project. org, 2012.
[22] BURROWS M, ABADI M, NEEDHAM R. A Logic of Authentication [J]. ACM Transactions on Computer Systems, 1990, 8(1): 18-36.
[23] CHRISTOFOROS N, CHRISTOS X. One-Pass EAP-AKA Authentication in 3G-WLAN Inte-grated Networks [J]. Wireless Personal Com-
munications, 2009, 48(4): 569-584. [24] OPENSSL[EB/OL]. http://www.openssl.org/, 2012. [25] POTLAPALLY N, RAVI S, RAGHUNATHAN A, et
al. Analyzing the Energy Consumption of Se-curity Protocols[C]// Proceedings of the In-ternational Symposium on Low Power Elec-tronics and Design (ISLPED): August 25-27, 2003, Seoul, Korea, 2003: 30-35.
Biographies LAI Chengzhe, is a Ph.D. candidate in the School of Telecommunications Engineering, Xidian University, Xi’an, China. His current research is focused on security in wireless networks and next generation cellular networks. Email: [email protected] LI Hui, received his B.S. degree from Fudan University, China in 1990, M.S. and Ph.D. degrees from Xidian University, Xi’an, China in 1993 and 1998, respectively. Since June 2005, he has been a professor in the School of Telecommunications Engineering, Xidian University. His research interests are in the areas of cryptography, wireless network security, information theory and network coding. Email: [email protected] ZHANG Yueyu, is an associate professor in the School of Telecommunications Engineering, Xidian University, Xi’an, China. He received his B.S., M.S. and Ph.D. degrees from Xidian University, China in 2001, 2005 and 2008, respectively. His current research interests include information security and next generation mobile communication network security. Email: [email protected] CAO Jin, is a Ph.D. candidate in the School of Telecommunications Engineering, Xidian University, Xi’an, China. His current research is in wireless network security and handover authentication. Email: [email protected]