Secure and Seamless Handoff Scheme for a Wireless LAN System

Transcription

1 Secure and Seamless Handoff Scheme for a Wireless LAN System Jaesung Park 1,BeomjoonKim 2, and Iksoon Hwang 3 1 Department of Internet Information Engineering, The University of Suwon, Gyeonggi-Do, , Korea jaesungpark@suwon.ac.kr 2 Department of Electronic Engineering, Keimyung University, Daegu, Korea bkim@kmu.ac.kr 3 Core S/W 1 Team R&D) LG-Nortel, Gyeonggi-Do, , Korea iksoonhwang@lg-nortel.com Abstract. IEEE i standard specifies full authentication and preauthentication for secure handoff in wireless LAN (WLAN). However, the full authentication is too slow to provide seamless services for handoff users, and preauthentication may fail in highly populated WLANs where it is highly probable that the cache entry of a preauthenticated user is evicted by other users before handoff. In this paper, we propose a seamless and secure handoff scheme by reducing authentication and key management delay in the handoff process. When a user handoffs, security context established between the user and the previous access point (AP) is forwarded from the previous AP to the current AP, and the session key is reused only for the handoff session. The freshness of session key is maintained by regenerating session keys after handoff session is terminated. The proposed scheme can achieve considerable reduction in handoff delay with providing the same security level as 802.1X authentication by letting an AP authenticate a handoff user before making an robust security network association (RSNA) with it. 1 Introduction The wireless local area networks (WLAN) based on IEEE infrastructuremode have been deployed successfully as an economical means to provide users ubiquitous broadband access to Internet. Unlike cellular networks where users can handover while having on-going calls, WLAN systems have provided only portability where users can move only within the radio coverage of an access point (AP) to which they are connected. That is, users cannot move while using the network because current WLAN systems do not easily support seamless handoff. However, as users experience with wireless network increases, they demand continuous communication while on the move. Therefore, fast handoff becomes one of the important research issues in the evolution steps of WLANs. In a WLAN, handoff initiated by a mobile node (MN) goes through the following 4 logical steps: probing, reassociation, authentication and key creation. R. Meersman, Z. Tari, P. Herrero et al. (Eds.): OTM Workshops 2006, LNCS 4277, pp , c Springer-Verlag Berlin Heidelberg 2006

2 596 J.Park,B.Kim,andI.Hwang First, MN seeks to find potential next APs in the probing phase. After making a handoff decision, MN reassociate with an AP to which it decides to handoff. Then MN is reauthenticated by a network and new session keys are generated between MN and network for the handoff session. Security is as important as fast handoff for successful WLAN deployment because data is transferred via wide open wireless radio. However, authentication process involves a few message exchanges between MN and an authentication server (AS) in a network which is generally located far away from APs. It also takes a few interactions between AP and MN to create new session keys for handoff session. The long delay for security on WLAN becomes the major obstacle that makes fast handoff difficult. To solve the delay problem in authentication, pre-authentication is included in the i specification [1]. Basically, preauthentication try to avoid reauthentication by authenticating each MN to a set of potential next APs before it handoffs to one of them. However, i does not specify how to select a set of candidate APs. Several researchers try to answer this question. Frequent handoff region (FHR) is proposed in [2] to denote the set of potential next APs with the long term movement history of MN. Neighbor graph is proposed to determine the potential set of APs [3]. They note the number of candidate APs is small fraction of the total APs. However, these proactive methods must be carefully engineered to avoid reauthentication. For example, the security context of a MN i in a candidate AP could be updated by the other MNs before the MN i handoffs to the AP. It is quite probable if the density of the MNs in the coverage of an AP is high and they move frequently, which is the case of WLAN system deployed in hot spots. If the security context is not found when a MN handoffs, a full authentication process takes place to fail to support seamless service. Also, proactive scheme is not scalable because it imposes heavy management loads on a single AS and each APs with a large signaling messages between them. In this paper, we propose a reactive solution which supports the same security level as IEEE i specification in terms of authentication and freshness of session key while reducing handoff delay significantly. We focus on reducing key creation delay after handoff as well as the authentication delay. We augment the i specification to implement the proposed method for backward compatibility. Specifically, we add two fields in the reassociation request message in IEEE MAC management frame and one field in the capability information to make an AP authenticate the MN requesting the secure reassociation without involving an AS. When an MN handoffs from AP i to AP j, the security context of the MN installed at AP i is fetched to AP j. Using the context information and reassociation request frame, AP j can authenticate the MN requesting reassociation. Also, we reuse the temporary key created before handoff only for the termination of the handoff session. However, the freshness of session key is maintained by regenerating session keys after handoff session is terminated. Unlike proactive schemes, our method operates consistently regardless of network environments such as density of mobile nodes and their movement pattern without incurring heavy management overhead of an AS.

3 Secure and Seamless Handoff Scheme for a Wireless LAN System Fast and Secure Handoff Problems in WLAN Systems In this section, we explain typical WLAN network architecture and best current practice for secure WLAN based on IEEE i specification. With the discussion, we derive the problems caused by security mechanisms in providing fast handoff. We also review related works for fast and secure handoff to discuss their advantages and disadvantages. 2.1 WLAN Security Based on IEEE i In terms of IEEE i specification, secure WLAN is defined as robust security network (RSN) where all mobile nodes and APs make robust security network association (RSNA) between them. RSNA is made when MN and AS authenticates each other and MN and AP generates a temporary secure key for data encryption over wireless link. To build a RSN, IEEE i specifies authentication enhancement based on IEEE 802.1X over entity authentication such as open system authentication and shared key authentication. It also specifies key management and establishment, encryption enhancement over wired equivalent privacy (WEP). In the i, it is assumed that the AS and the AP to which a mobile station associates is trusted. Moreover, it is implicated that AS and APs have trust relationship. In a typical WLAN system which is owned and operated by a single carrier, network management tools are provided to detect unauthorized APs, therefore trust relationship between APs can be assumed. When a MN handoffs in a RSN, it must establish RSNA with a new AP again. That is, a MN must be authenticated again by an AS and temporary security key be created. For mutual authentication, extensible authentication protocol (EAP) is used between a MN and an AS. EAP allows a MN to select specific authentication method such as EAP-TLS, EAP-MD5, EAP-AKA, however, EAP-TLS [4] is often used. EAP-TLS messages are exchanged between a MN and an AP over wireless link encapsulated by EAP over LAN (EAPoL) protocol. IEEE i does not mandate protocols between APs and an AS. However, remote authentication dial-in user service (RADIUS) becomes a de facto standard. Recently, EAP over DIAMETER is being developed. After mutual authentication, a session key for data encryption over wireless link is created through IEEE i protocol called four way handshake. EAP-TLS provides challenge-response type strong authentication and encryption. For the EAP-TLS authentication, MN and AS must have certificate from common certification authority (CA). Figure 1 shows the complete message flows during authentication and four way handshake. Authentication process starts by sending the identity information of a MN to AS. Then, a MN authenticates AS via AS certificate. After successful authentication, MN randomly select a premaster secrete and send the premaster secrete encrypted with the public key of the AS (Client-Key-Exchange message) to the AS with its certificate. The AS can authenticate the MN with its certificate. With the premaster secrete both

4 598 J.Park,B.Kim,andI.Hwang MN AP AS EAP-Request/Identity EAP-Response/Identity(UserID) EAP-Request(TLS Start) EAP-TLS/Response(CHello) EAP-Response/Identity(UserID) AS Authentication Create MK EAP-TLS/Request(SHello, Certificate, Certificate_Req.) EAP-TLS/Response(Certificate, Client_Key_Exchange) EAP-TLS/Request(change_cipher_spec, finished) EAP-TLS/Response(empty) MN Authentication Create MK Full Authentication Create PMK EAP-TLS/Success (PMK) Create PMK EAP-TLS/Success EAPoL-Key (ANonce) Receive PMK pick ANonce pick SNonce,Derive PTK EAPoL-Key (SNonce, MIC, RSN IE) Derive PTK EAPoL-Key (ANonce, MIC, RSN IE) Install PTK EAPoL-Key (Unicast, MIC) Install PTK 4-way handshake CHello: Client Hello SHello: Server Hello MK: Master Key PMK: Pairwise Master Key MIC: Message Integrity Check RSN IE: RSN Information Element Fig. 1. Full authentication and 4-way handshake procedure the MN and the AS creates a master key (MK). The MK is used to derive a pairwise master key with a pseudo random function (PRF) as follows. PMK = PRF(MK, CHello SHello). (1) The AS sends PMK to an AP which the MN requests to make a RSNA. Therefore, after successful mutual authentication, MN and AS share the MK, and MN, AS, and AP have the common PMK. PMK is used to generate a pairwise transient key (PTK) for data encryption between MN and AP. Four way handshake using EAPoL-Key messages takes place to confirm the liveness of the MN and AP, and to guarantee the freshness of the PTK. MN and AP exchanges its randomly selected Nonce (ANonce from AP, SNonce from MN) through the first two EAPoL-Key messages. PTK is created using the PMK and medium access control (MAC) addresses of the MN and AP as well as ANonce and SNonce by using the following equation. PTK = PRF(PMK,MN MAC AP MAC ANonce SNonce). (2) The third EAPoL-Key message is used to synchronize the PTK between MN and AP and the fourth message signifies the completion of the four way handshake and the installation of the key. 2.2 Preauthentication Schemes From the above discussion, it is apparent that full authentication and four way handshakes are major obstacles for fast handoff because they require a number

5 Secure and Seamless Handoff Scheme for a Wireless LAN System 599 MN AP Neighbor APs AS Association 4-way handshake Full Authentication Create MK Data Exchange Send PMKs preauthentication handoff 4-way handshake without full authentication Data Exchange Fig. 2. Preauthentication procedure of message exchanges among MN, AP, and AS which takes an order of seconds. To solve the problem, preauthentication is also included in the IEEE i specification. Basically, preauthentication try to reduce handoff delay by authenticating each MN to a set of potential next APs before it actually handoffs to one of them. Figure 2 illustrates the message flows when preauthentication is used. However, i does not specify how to select a set of candidate APs. Several researchers try to answer this question. Pack [2] proposed a frequent handoff region (FHR) to denote the set of potential next APs. The FHR of a MN is calculated from the long term movement history of the MN. A centralized AS records and analyzes the frequency each MN moves from one AP to another. That is, AS maintains n x n matrix of each MN, where n is the number of AP in the WLAN system and the element of the array N ij is the inverse of handoff ratio of the MN from the AP i to AP j. If the MN associates with an AP i,it also authenticates with other APs in FHR. Neighbor graph (NG) is proposed to determine the potential set of APs [3]. They note the number of candidate APs is small fraction of the total APs. Neighbor graph can be constructed in a distributed manner at each AP or it can be installed in an AS when WLAN is deployed. The latter is often used for its fast convergence time. Once neighbor graph is established, an AS distributes the security context and key materials of an MN to the set of APs in the neighbor graph. If an MN moves to one of the candidate APs in the neighbor graph, the authentication process is avoided. However, these proactive schemes have the following drawbacks. First, the performance of the scheme depends not only on the prediction mechanisms but also on the cell environment. For example in a neighbor graph scheme, the security context of a MN i in a candidate AP could be updated by the other MNs before the MN i handoffs to the AP. It is quite probable if the density of the MNs in the coverage of an AP is high and they move frequently which is the case of WLAN system deployed in hot spots. If the security context is not found when a MN handoffs, a full authentication process takes place which fails to

6 600 J.Park,B.Kim,andI.Hwang support a seamless service. Second, proactive schemes are not scalable in terms of state information maintained in an centralized AS and the signaling overhead between an AS and APs. 3 Proposed Secure and Seamless Handoff Scheme In this section, we detail our seamless and secure handoff method. We extend IEEE i specification to implement the proposed method for backward compatibility. The fundamental idea is to authenticate handoff MN by a new AP with the previous security context from the old AP without involvement of an AS. Also, the PTK generated between MN and old AP is reused to eliminate the 4-way handshake delay, only for the duration of the handoff session. New PMK is delivered from AS to the AP while handoff session continues. Whether PTK expires or handoff session terminates, new PTK is created between new AP and MN to guarantee the freshness of session key. [ MAC Management Frame Format ] Frame Control Duration DA SA BSS ID Seq. Control Frame Body FCS Order Information Capability Info. SNonce MIC Description Capability Information SNounce used to create PTK with an old AP (32bytes) Message integrity check (MIC) over entire reassociation request message. One of the previous PTK is used to digitally sign the message (16bytes) [ Extended Reassociation Request Frame Body ] Bit B9 Information FSH Description 1: Request fast and secure handoff 0: otherwise [ MAC Capability Information Field ] Fig. 3. Extension of reassociation request MAC management frame 3.1 Extended MAC Management Frame Body Components To implement the proposed scheme, we extend the reassociation request MAC management frame body and capability information field as figure 3. To indicate the ability of secure and seamless handoff, MN sets the fast and secure handoff (FSH) bit in the capability information index within the reasssociation request message. FSH bit is also included in the beacon message, probe response message, and association request message to indicate the ability of secure and seamless handoff of AP and MN. In the reassociation request frame body, handoff MN includes the SNonce it used to generate PTK with an AP to which it associates before handoff. MN also includes message integrity check (MIC) calculated over the reassociation request frame using the PKT. The AP to which the MN handoffs can check the integrity of the reassociation request frame using the MIC.

7 Secure and Seamless Handoff Scheme for a Wireless LAN System 601 Fast Authentication MN Reassociation Req. (FSH, SNonce, MIC) Reassociation Rsp. (success) new AP Move_Nofity Move_Response (Security Context) old AP AS Create new PMK Handoff session with the previous PMK Request new PMK (EAP-Response(Identity)) PMK Redistribution Create new PMK 4-way handshake with the new PMK Fig. 4. Message flows in the proposed fast and secure handoff method 3.2 Fast Authentication and Key Management Figure 4 illustrates the message flows of our proposed method. When a MN handoffs from old AP to new AP, MN sends a reassociation request message to new AP. New AP fetches the security context (e.g. PMK, SNonce, ANonce, MAC address of the old AP, Cipher Suite, etc.) of the MN from old AP. The interaccess point protocol (IAPP) can be used to exchange the security context of a MN between APs because it is developed to exchange information between APs from different vendors [5]. The only difference in our approach is that security association is assumed to be made between APs at the network deployment. However, the adaptation of IAPP is straight forward. Because the MIC in the reassociation request message is encrypted by PTK used between MN and old AP, only the new AP can have the same PTK and cipher suite to correctly decrypt the MIC from the security context. If the message integrity check passes, new AP authenticates the MN by comparing the SNonce in reassociation request message and the SNonce in the security context from old AP. After successful authentication, MN and new AP keep using the previous PTK only for the handoff session to reduce 4-way handshake delay. In the i, handoff is considered the same as the initial access to the network. However, we argue that handoff is the continuation of the on-going session because MN will use the same session key if the MN does not handoff. Therefore, MN is allowed to use the previous PTK if MN is authenticated by new AP. However, the reuse of the PTK must not sacrifice the freshness of session key and the liveness of the communicating entities. Session key must be refreshed after each session. For this purpose, new PMK is distributed from AS to new AP while handoff session continues. In the i trust assumption, new PMK must be different from the previous PMK. We devise the derivation of the new PMK which binds MK and MAC address of the old AP and new AP as follows. np MK = PRF(MK,oldPMK MN MAC oldap MAC newap MAC ). (3)

8 602 J.Park,B.Kim,andI.Hwang MK is shared only between MN and AS after MN goes through full authentication at its initial network access. Old PMK is generated by MK and random number (CHello, SHello) generated by MN and AS, and old PMK is known only to MN, AS, and old AP. The freshness of session key and the liveness of each communicating party is guaranteed because the PTK is created again through 4-way handshake with new PMK when the handoff session terminates or the PTK ages off. 4 Perfomance Evaluation In this section we analyze and compare the RSNA delay among full authentication, preauthentication and the proposed scheme. We define the RSNA delay as the sum of authentication delay and key management delay. The delays between MN and AP, AP and AS, and AP and AP are denoted by t a, t d, t ap, respectively. From figure 1, RSNA delay of the full authentication becomes 13t a +8t d. In case of preauthentication, authentication is avoided if the security context is stored at an AP to which a MN handoff. Otherwise, full authentication takes place. The cache entry of the preauthenticated MN can be evicted by the other MNswhiletheMNresidesinthecurrentAP.Weassumethereareρ MNs in cell area of each AP and the size of cache in each AP is N c. From the fluid flow model [7], the aggregate rate of MNs crossing the cell boundary is given by C = ρvl π, (4) where v is the average velocity of a MN and L is the size of location area. If we denote the cell residence time of a MN as t cr and the cumulative distribution function of the cell residence time as F (t), then the probability of cache miss (p m ) when MN handoffs to one of candidate AP becomes p m = Pr( ρvl π t cr >N c )=1 F( πn c ). (5) ρvl Therefore, RSNA delay of preauthentication is given by P d =4t a + p m (13t a +8t d ). (6) From figure 4, RSNA delay of the proposed scheme depends on the t ap because it avoids 4-way handshake. Then we can represent the RSNA delay as R d =2t ap. (7) 4.1 Numerical Results From the research on mobility model, cell residence time of a MN can be modeled using generalized gamma function [6]. That is, the probability density function of t cr is modeled as 1 f(t cr,a,b)= b a Γ (a) ta 1 e t/b, (8)

9 Secure and Seamless Handoff Scheme for a Wireless LAN System 603 where a is a shape parameter, b is a scale parameter, and Γ () is the Gamma function. The distribution becomes more concentrated, as a scale parameter becomes smaller. t a is determined by medium access control (MAC) protocol among contending MNs and the wireless link bandwidth. Therefore, there may be large variation in t a if controlled management channel is not used. On the contrary, major contributor to t d and t ap are transmission delay. In a wired network, the transmission delay is stabilized and mainly depends on the hop count. In WLAN, adjacent APs are connected through a layer 2 switch or an access router, so they are one or two hops away from each other. Since AS is located at the core of a network, t d is much larger than t ap Preauthentication: a=1, b=1 Preauthentication: a=1, b=2 Preauthentication: a=2, b=3 Proposed Scheme Preauthentication: a=1, b=1 Preauthentication: a=1, b=2 Preauthentication: a=2, b=3 Proposed Scheme RSNA Delay (msec) RSNA Delay (msec) N c /rho (x10 3 ) N c /rho (x10 3 ) (a) avg. velocity = 5km/hr (b) avg. velocity = 60km/hr Fig. 5. RSNA Delay Comparison Considering the latency budget for RSNA delay with b, which provides 11Mbps over wireless link, we assume t a =2.5msec, t d =97.2msec, t ap =23.7msec for numerical comparison between preauthentication and the proposed scheme. Figure 5 illustrates the RSNA delay for each scheme with different distribution of cell residence time of a MN when cell radius is 100m. We vary the average velocity of the other MNs from 5km/hr (figure 5-(a)) to 60km/hr (figure 5-(b)). The x-axis represents the ratio of the cache size of AP to the density of MNs within the radio coverage of an AP. As was noticed, preauthentication depends heavily on the ratio, the cell residence time of handoff MN, and the velocity of the other MNs. As the other MNs moves faster, APs need bigger cache to prevent the preauthenticated MN from being overwritten. Especially, when the variation in cell residence time becomes larger (for example, from a=1, b=1 to a=2, b=3), bigger cache is needed to cover the large deviation, which is not economical solution for deployment of many APs. On the contrary, the proposed scheme is affected only by the delay between APs and is not relevant to the N c and the movement of the other MNs. In terms of the management overhead, the proactive schemes need at least O(n) computation and storage space per AP and AS for each MN, where n is the number of candidate APs per AP. Whereas, the proposed method only requires O(1) computation and space per AP and AS, which makes it more scaleable.

10 604 J.Park,B.Kim,andI.Hwang 5 Conclusions In this paper, we propose a reactive secure and seamless handoff method for WLAN system. The authentication delay is reduced by making a posterial AP authenticate MN requesting RSNA using the security context made with MN and previous AP. 4-way handshake is suspended until handoff session expires or PTK expires. We showed the proposed scheme is as secure as EAP-TLS authentication while reducing handoff delay. Compared to proactive method which depends on the other MN s mobility and the cell residence time of the handoff MN, our reactive method can bound handoff delay with a proper round trip time between APs without imposing heavy management loads both on APs and AS. References 1. IEEE Std i: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifiations: Amendment 6: Medium Access Control(MAC) Security Enhancement, July (2004). 2. S. Pack and Y. Choi: Fast Inter-AP Handoff Using Predictive-Authentication Scheme in a Public Wireless LAN, IEEE Networks, Aug. (2002). 3. A. Mishra et al.: Proactive Key Distribution Using Neighbor Graphs, IEEE Wireless Communications, Feb. (2004). 4. B. Aboba, and D. Simon: PPP EAP TLS Authentication Protocol. RFC 2716, Oct. (1999). 5. IEEE Std f: IEEE Trial-Use Recommended Practice for Multi-Vendor Access Point Interoperability via an Inter-Access Point Protocol Across Distributed Systems Supporting IEEE Operation, July (2003). 6. M. M. Zonoozi and P. Dassanayake: User Mobility Modeling and Characterization of Mobility Patterns, IEEE JSAC vol. 15, no. 7, Sept. (1997). 7. H. Xie et al.: Dynamic Location Area Management and Performance Analysis, Proc. VTC 93, May (1993).