Secure Service and Network Framework for Mobile Ethernet

Secure cellular data services have become more popular in the Japanese market. These services are based on 2G/3G cellular networks and are expected to move into the next-generation wireless networks, called Beyond 3G. In the Beyond 3G, wireless communication available at a user's location is selected based on the type of the service. The user downloads an application from one wireless network and executes it on another. Beyond 3G expects core and wireless operators and allows to plug-in new wireless access. A security model that can accommodate these requirements needs to be sufficiently flexible for end users to utilize with ease. In this paper, we explain the Mobile Ethernet architecture for all IP networks in terms of the Beyond 3G. We discuss usage scenario/operator models and identify entities for the security model. We separate a mobile device into a personal identity card (PIC) containing cryptographic information and a wireless communications device that offers security and flexibility. We propose a self-delegation protocol for device authentication and use a delegated credential for unified network- and service-level authentication. We also propose proactive handover authentication using the security context between different types of wireless access, such as Third Generation Partnership Project (3GPP) and WLAN, so that the secure end-to-end communication channels established by service software on the TCP/IP are not terminated. Lastly, we raise security issues regarding the next-generation platform.     

A Robust Authentication Protocol with Non-Repudiation Service for Integrating WLAN and 3G Network

The third-generation cellular systems provide great coverage, complete subscriber management and nearly universal roaming. Nevertheless, 3G systems suffer the high installation cost and low bandwidth. Though WLAN provides hot spot coverage with high data rates, it lacks roaming and mobility support. From users' points of views, the integration of WLAN and 3G systems is an attractive way that will provide them a convenient access to network. When integrating WLAN and 3G, there are still some problems should be concerned in terms of authentication and security, such as authentication efficiency and repudiation problem. In this paper, we review the authentication scheme for WLAN and 3G/UMTS interworking which is specified by 3GPP and propose a robust localized fast authentication protocol with non-repudiation service for integrating WLAN and 3G network. The localized re-authentication protocol can shorten the authentication time delay. On the other hand, with the non-repudiation service, the assumption, that subscriber has to fully trust 3G home operator, can be deleted and the trust management between the independent WLAN operator, 3G visited operator and 3G home operator can be eliminated. In other words, our proposed protocol provides legal evidences to prevent the 3G home operator from overcharge toward the subscriber and also prevent the WLAN operator and 3G visited operator from overcharge toward the 3G home operator. The authentication protocol employs HMAC, hash-chaining techniques, and public-key digital signature to achieve localized fast re-authentication and non-repudiation service.     

Secure authentication enhancement scheme for seamless handover and roaming in space information network

Space information network composed of a variety of heterogeneous networks is widely concerned.However,the space information network is facing more security threats and more likely to roam due to its complex topology and large user scale.Considering the characteristics of space information network,a secure authentication enhancement scheme for seamless handover and roaming in space information network was presented.The fast mutual authentication and reasonable accounting between the user and the visiting domain based on the combination of Token and Hash chain was achieved.In addition,two seamless handover mechanisms were proposed to ensure the continuity of user communication.Finally,security analysis indicates that the scheme can not only provide essential security properties,but also achieve reasonable accounting.     

Machine Learning Protocol for Secure 5G Handovers

The fifth generation (5G) networks are characterized with ultra-dense deployment of base stations with limited footprint. Consequently, user equipment’s handover frequently as they move within 5G networks. In addition, 5G requirements of ultra-low latencies imply that handovers should be executed swiftly to minimize service disruptions. To preserve security and privacy while at the same time maintaining optimal performance during handovers, numerous schemes have been developed. However, majority of these techniques are either limited to security and privacy or address only performance aspect of the handover mechanism. As such, there is need for a novel handover authentication protocol that addresses security, privacy and performance simultaneously. This paper presents a machine learning protocol that not only facilitates optimal selection of target cell but also upholds both security and privacy during handovers. Formal security analysis using the widely adopted Burrows–Abadi–Needham (BAN) logic shows that the proposed protocol achieves all the six formulated under this proof. As such, the proposed protocol facilitates strong and secure mutual authentication among the communicating entities before generating the shares session key. The derived session key protected the exchanged packets to avert attacks such as forgery. In addition, informal security evaluation of the proposed protocol shows that it offers perfect forward key secrecy, mutual authentication any user anonymity. It is also demonstrated to be robust against attacks such as denial of service (DoS), man-in-the-middle (MitM), masquerade, packet replays and forgery. In terms of performance, simulation results shows that it has lower packets drop rate and ping–pong rate, with higher ratio of packets received compared with improved 5G authentication and key agreement (5G AKA’) protocol. Specifically, using 5G AKA’ as the basis, the proposed protocol reduces the handover rate by 94.4%, hence the resulting handover signaling is greatly minimized.

     

GHAP: An Efficient Group-based Handover Authentication Mechanism for IEEE 802.16m Networks

IEEE 802.16m is now under consideration by the International Telecommunication Union (ITU) to become the International Mobile Telecommunications (IMT)-Advanced standard. However, handover authentication is a critical issue in this area. In this paper, we propose an efficient group-based handover authentication mechanism, named as GHAP, for correlated mobile stations (MSs) in IEEE 802.16m networks. In our scheme, the correlated MSs who have the similar Signal to Interference-plus-Noise Ratio and history handover information etc. are divided into the same handover group. When the first MS of the handover group members moves from the service base station (BS) to a target BS, the service BS transmits all the handover group members’ security context to the target BS utilizing the security context transfer (SCT) method and then all these MSs in the same handover group can easily perform the handover authentication with the target BS. Different from the conventional SCT schemes, our scheme uses the MSs’ security context as a symmetric key of Cipher-based message authentication code (CMAC) but not the key material of deriving new session key. Therefore, the proposed scheme can effectively resist the domino effect existing in the previous SCT schemes. Moreover, security analysis shows that the proposed scheme also meets the other security requirements in handover authentication semantics. Furthermore, performance analysis demonstrates that the proposed scheme is very efficient in reducing average handover latency.     

Analysis and Improvement of a Robust Smart Card Based-Authentication Scheme for Multi-Server Architecture

Recently, Pippal et al. proposed an authentication scheme for multi-server architecture and claimed that their scheme had many advantages compared to the previous schemes, such as security, reliability, etc. In this paper, we reanalyze the security of their scheme and demonstrate that their scheme is vulnerable to impersonation attack even if the adversary doesn’t know the information stored in the user’s smart card. Moreover, the adversary can proceed off-line password guessing attack if the user’s smart card is compromised. In order to eliminate those shortcomings, we propose an improved multi-server authentication scheme which can preserve user anonymity. We demonstrate the completeness of the proposed scheme through the BAN logic. Compared with other related protocols, the security analysis and performance evaluation show that our proposed scheme can provide stronger security.     

An efficient EAP‐based proxy signature handover authentication scheme for WRANs over TV white space

The wireless regional area networks (WRANs) operates in the very high frequency and ultra high frequency television white space bands regulated by the IEEE 802.22 standard. The IEEE 802.22 standard supports Extensible Authentication Protocol (EAP)‐based authentication scheme. Due to the participation of a server and the information exchanged between a customer primes equipment and the secondary user base station, it takes around 50 ms to complete a complete EAP authentication that cannot be accepted in a handover procedure in WRANs. In this paper, we propose an EAP‐based proxy signature (EPS) handover authentication scheme for WRANs. The customer primes equipment and secondary user base station accomplish a handover authentication without entailing the server by using the proxy signature. Approved by the logic derivation by Burrows, Abadi, and Needham logic and formal verification by Automated Validation of Internet Security Protocols and Applications, we can conclude that the proposed EPS scheme can obtain mutual authentication and hold the key secrecy with a strong antiattack ability. Additionally, the performance of the EPS scheme in terms of the authentication delay has been investigated by simulation experiments with the results showing that the EPS scheme is much more efficient in terms of low computation delay and less communication resources required than the security scheme regulated in IEEE 802.22 standard.     

An Improved Privacy-Aware Handoff Authentication Protocol for VANETs

Vehicles handover from one road-side unit to another is a common phenomenon in vehicular ad-hoc networks (VANETs). Authenticating vehicles effectively is the key to success of VANETs. Li and Liu et al. proposed a lightweight identity authentication protocol (LIAP) for VANTEs recently, which is based on the concept of dynamic session secret process instead of conventional cryptographic schemes. LIAP possesses many advantages of againsting major existing attacks and performing well at efficiency and low consumption. However, we have demonstrated that the protocol LIAP doesn’t provide user location privacy protection and the resistance of parallel session attack is weak. Therefore, to enhance security of the protocol LIAP, we concatenate the terminal’s pseudo-identity with a random number, then encrypt the connected information by using quadratic residues operation, the generated dynamic identity can against the user location tracking attack. Furthermore, in order to against the parallel session attack during the handover procedure, a new road side unit regenerated a new session secret sequence and computed a challenge sequence with the terminal user’s pseudo-identity through XOR encryption. Through security analysis and experiments, our scheme has higher efficiency and better performance to be applicable to VANETS compared with other existing schemes.     

A novel user’s authentication scheme for pervasive on-line media services

Due to the explosive growth of the Internet and the pervasion of multimedia, protection of intellectual property (IP) rights of digital content in transactions induces people’s concerns. Current security requirements and copyright protection mechanisms especially need to work in real-time and on-line for communication and networking. For media service systems in the Internet, user’s authentication is most essential in association with the access control of the media system. The authentication scheme is a trivial but crucial issue for maintaining user’s information. Up to now, many one-time password-based authentication schemes have been proposed. However, none is secure enough. The purpose of a one-time password (OTP) is to make it more difficult to gain unauthorized access to restricted resources. Traditionally static passwords can more easily be obtained by an unauthorized intruder given enough attempts and time. By constantly altering the password, as is done with a one-time password, this risk can be greatly reduced. These schemes are specially fit for media services in the Internet since they will frustrate the attacker’s attempt. Lin, Shen and Hwang proposed a strong-password authentication scheme in association with one-time password by using smart cards, and claimed their scheme can resist guess attack, replay attack, impersonation attack and stolen attack. Later, Ku, Tsai, and Chen showed that Lin-Shen-Hwang’s scheme suffers from a replay attack and a denial-of-service attack. Furthermore, Ku proposed a hash-based strong-password authentication scheme to enhance the security. In this paper, we show the weaknesses and devise some attacks against Ku’s scheme. Then, we revise Ku’s scheme and propose a novel user’s authentication scheme in pervasive on-line media services for current communication and networking.     

A pairing‐free identity‐based handover AKE protocol with anonymity in the heterogeneous wireless networks

Nowadays, seamless roaming service in heterogeneous wireless networks attracts more and more attention. When a mobile user roams into a foreign domain, the process of secure handover authentication and key exchange (AKE) plays an important role to verify the authenticity and establish a secure communication between the user and the access point. Meanwhile, to prevent the user's current location and moving history information from being tracked, privacy preservation should be also considered. However, existing handover AKE schemes have more or less defects in security aspects or efficiency. In this paper, a secure pairing‐free identity‐based handover AKE protocol with privacy preservation is proposed. In our scheme, users' temporary identities will be used to conceal their real identities during the handover process, and the foreign server can verify the legitimacy of the user with the home server's assistance. Besides, to resist ephemeral private key leakage attack, the session key is generated from the static private keys and the ephemeral private keys together. Security analysis shows that our protocol is provably secure in extended Canetti‐Krawczyk (eCK) model under the computational Diffie‐Hellman (CDH) assumption and can capture desirable security properties including key‐compromise impersonation resistance, ephemeral secrets reveal resistance, strong anonymity, etc. Furthermore, the efficiency of our identity‐based protocol is improved by removing pairings, which not only simplifies the complex management of public key infrastructure (PKI) but also reduces the computation overhead of ID‐based cryptosystem with pairings. It is shown that our proposed handover AKE protocol provides better security assurance and higher computational efficiency for roaming authentication in heterogeneous wireless networks.     

Security architectures for B3G mobile networks

This paper analyzes the security architectures employed in the interworking model that integrates third-generation (3G) mobile networks and Wireless Local Area Networks (WLANs), materializing Beyond 3G (B3G) networks. Currently, B3G networks are deployed using two different access scenarios (i.e., WLAN Direct Access and WLAN 3GPP IP Access), each of which incorporates a specific security architecture that aims at protecting the involved parties and the data exchanged among them. These architectures consist of various security protocols that provide mutual authentication (i.e., user and network authentication), as well as confidentiality and integrity services to the data sent over the air interface of the deployed WLANs and specific parts of the core network. The strengths and weaknesses of the applied security measures are elaborated on the basis of the security services that they provide. In addition, some operational and performance issues that derives from the application of these measures in B3G networks are outlined. Finally, based on the analysis of the two access scenarios and the security architecture that each one employs, this paper presents a comparison of them, which aims at highlighting the deployment advantages of each scenario and classifying them in terms of: a) security, b) mobility, and c) reliability.     

SEAI: Secrecy and Efficiency Aware Inter-gNB Handover Authentication and Key Agreement Protocol in 5G Communication Network

Recently, the Third Generation Partnership Project (3GPP) has initiated the research in the Fifth Generation (5G) network to fulfill the security characteristics of IoT-based services. 3GPP has proposed the 5G handover key structure and framework in a recently published technical report. In this paper, we evaluate the handover authentication mechanisms reported in the literature and identify the security vulnerabilities such as violation of global base-station attack, failure of key forward/backward secrecy, de-synchronization attack, and huge network congestion. Also, these protocols suffer from high bandwidth consumption that doesn’t suitable for energy-efficient mobile devices in the 5G communication network. To overcome these issues, we introduce Secrecy and Efficiency Aware Inter-gNB (SEAI) handover Authentication and Key Agreement (AKA) protocol. The formal security proof of the protocol is carried out by Random Oracle Model (ROM) to achieve the session key secrecy, confidentiality, and integrity. For the protocol correctness and achieve the mutual authentication, simulation is performed using the AVISPA tool. Also, the informal security evaluation represents that the protocol defeats all the possible attacks and achieves the necessary security properties.Moreover, the performance evaluation of the earlier 5G handover schemes and proposed SEAI handover AKA protocol is carried out in terms of communication, transmission, computation overhead, handover delay, and energy consumption. From the evaluations, it is observed that the SEAI handover AKA protocol obtains significant results and strengthens the security of the 5G network during handover scenarios.

     

A Secure and Effective Anonymous Authentication Scheme for Roaming Service in Global Mobility Networks

Recently, Mun et al. analyzed Wu et al.’s authentication scheme and proposed an enhanced anonymous authentication scheme for roaming service in global mobility networks. However, through careful analysis, we find that Mun et al.’s scheme is vulnerable to impersonation attacks and insider attacks, and cannot provide user friendliness, user’s anonymity, proper mutual authentication and local verification. To remedy these weaknesses, we propose a novel anonymous authentication scheme for roaming service in global mobility networks. Compared with previous related works, our scheme has many advantages. Firstly, the secure authenticity of the scheme is formally validated by an useful formal model called BAN logic. Secondly, the scheme enjoys many important security attributes including prevention of various attacks, user anonymity, no verification table, local password verification and so on. Thirdly, the scheme does not use timestamp, thus it avoids the clock synchronization problem. Further, the scheme contains the authentication and establishment of session key scheme when mobile user is located in his/her home network, therefore it is more practical and universal for global mobility networks. Finally, performance and cost analysis show our scheme is more suitable for low-power and resource limited mobile devices and thus availability for real implementation.     

IEEE 802.16密钥管理协议的安全问题分析与改进方案

IEEE 802.16在MAC层设计的安全子层没有完全解决宽带无线接入的安全问题.本文分析了认证和密钥管理(PKM)协议的安全缺陷,针对其可能遭受的攻击,提出了改进方案,并提出一种基于PKM的支持快速切换的密钥信息安全漫游机制.     

A Secure and Effective Anonymous User Authentication Scheme for Roaming Service in Global Mobility Networks

In global mobility networks, anonymous user authentication is an essential task for enabling roaming service. In a recent paper, Jiang et al. proposed a smart card based anonymous user authentication scheme for roaming service in global mobility networks. This scheme can protect user privacy and is believed to have many abilities to resist a range of network attacks, even if the secret information stored in the smart card is compromised. In this paper, we analyze the security of Jiang et al.’s scheme, and show that the scheme is in fact insecure against the stolen-verifier attack and replay attack. Then, we also propose a new smart card based anonymous user authentication scheme for roaming service. Compared with the existing schemes, our protocol uses a different user authentication mechanism, which does not require the home agent to share a static secret key with the foreign agent, and hence, it is more practical and realistic. We show that our proposed scheme can provide stronger security than previous protocols.     

An enhanced two-factor user authentication in wireless sensor networks

Since wireless sensor networks (WSN) are often deployed in an unattended environment and sensor nodes are equipped with limited computing power modules, user authentication is a critical issue when a user wants to access data from sensor nodes. Recently, M.L. Das proposed a two-factor user authentication scheme in WSN and claimed that his scheme is secure against different kinds of attack. Later, Khan and Alghathbar (K-A) pointed out that Das’ scheme has some security pitfalls and showed several improvements to overcome these weaknesses. However, we demonstrate that in the K-A-scheme, there is no provision of non-repudiation, it is susceptible to the attack due to a lost smart card, and mutual authentication between the user and the GW-node does not attained. Moreover, the GW-node cannot prove that the first message comes from the user. To overcome these security weaknesses of the K-A-scheme, we propose security patches and prove our scheme.     

Privacy‐preserving registration protocol for mobile network

In this paper, we propose a novel privacy‐preserving registration protocol that combines the verifier local revocation group signature with mobile IP. The protocol could achieve strong security guarantee, such as user anonymity via a robust temporary identity, local user revocation with untraceability support, and secure key establishment against home server and eavesdroppers. Various kinds of adversary attacks can be prevented by the proposed protocol, especially that deposit‐case attack does not work here. Meanwhile, a concurrent mechanism and a dynamical revocation method are designed to minimize the handover authentication delay and the home registration signals. The theoretical analysis and simulation results show that the proposed scheme could provide high security level besides lightweight computational cost and efficient communication performance. For instance, compared with Yang's scheme, the proposed protocol could decrease the falling speed of handover authentication delay up to about 40% with privacy being preserved. Copyright © 2012 John Wiley & Sons, Ltd.     

一种鲁棒的无线传感器网络用户认证方案安全性的增强

In order to remedy the security weaknesses of a robust user authentication framework for wireless sensor networks, an enhanced user authentication framework is presented. The enhanced scheme requires proof of the possession of both a password and a smart card, and provides more security guarantees in two aspects: 1) it addresses the untraceability property so that any third party accessing the communication channel cannot link two authentication sessions originated from the same user, and 2) the use of a smart card prevents offline attacks to guess passwords. The security and efficiency analyses indicate that our enhanced scheme provides the highest level of security at reasonable computational costs. Therefore, it is a practical authentication scheme with attractive security features for wireless sensor networks.     

Vertical Handover Over Intermediate Switching Framework: Assuring Service Quality for Mobile Users

Ensuring quality of service (QoS) for the mobile users during vertical handover between IEEE 802.11 wireless local area networks (WLAN) and data network provided by Ultramodern Telecommunication Systems (UMTS) is one of the key requirements for seamless mobility and transfer of existing connections from one network to another. QoS fulfillment is a complex problem and requires participation of both the mobile users as well as the connection networks. The QoS assurance criteria for existing connections can be affected by fluctuations of data rates when a user moves from the high speed WLAN network to the low speed UMTS network, even in the presence of another WLAN network in its vicinity. This can happen if the alternate WLAN network is highly loaded. Therefore handover from a high speed network to a low speed network should be avoided, whenever possible. This paper proposes a QoS based handover procedure that prioritizes the existing connection over the new connections so that rate fluctuations due to handover can be avoided if there exist another WLAN network in the range of the mobile user. Whenever the possibility of handover is detected, a pre-handover bandwidth reservation technique is used to reserve bandwidth at the alternate WLAN networks to avoid QoS degradation. The proposed scheme is implemented in Qualnet network simulator and the performance is analyzed and compared with traditional handover techniques.     

Hybrid coupling scheme for UMTS and wireless LAN interworking

We propose a hybrid coupling scheme to support interworking between UMTS and WLAN networks. Under the Tight-coupled system, it is expected that WLAN users can also use UMTS services with guaranteed QoS and seamless mobility. However, the interworking is problematic. The capacity of UMTS core network nodes cannot accommodate the bulky data traffic from WLAN, since the core network nodes are designed to handle the small-sized data of circuit voice calls or short packets. The proposed coupling scheme differentiates the data paths according to the type of the traffic and can accommodate traffic from WLAN efficiently, with guaranteed QoS and seamless mobility. We compare the handover procedures of the proposed coupling strategy with those of the loose and tight coupled schemes. In addition, we analyze the delay based on signaling costs during vertical handover. It is shown that the handover latency decreases when the UMTS and WLAN are coupled in the proposed way.