Abstract
In this paper we present an architecture for fast re-authentication based on the Kerberos protocol, which makes it possible to reduce the latency introduced by an authentication process based on the Extensible Authentication Protocol (EAP) when providing network access in mobile networks. The architecture supports two modes of operation, proactive and reactive, to reduce the latency added by the authentication processes that are required when a mobile user changes network points of attachment. Moreover, we provide implementation details on a representative wireless testbed and obtain experimental results from the testbed. Those results are used in simulations to evaluate the performance of the proposed architecture for different deployment scenarios and parameters. We also provide a mathematical analysis to compute authentication delay and validate the simulation results. Performance comparisons based on the experiment, simulation and analysis show that the proposed architecture can reduce the authentication delay compared to other alternatives in typical deployment scenarios.
Notes
In this reference, the terms realm and domain are used interchangeably.
References
Ohba Y, Das S, Dutta A (2007) Kerberized handover keying: a media-independent handover key management architecture. In: Proc of ACM MobiArch
Marin R, Martinez G, Skarmeta A (2004) Evaluation of AAA infrastructure deployment in Euro6ix IPv6 network project. In: Proc of applied cryptography and network security, ACNS, technical track, pp 325–334
Eduroam (EDUcation ROAMing). http://www.eduroam.org/
Aboba B, Simon D, Eronen P (2008) Extensible authentication protocol key management framework. RFC 5247
Aboba B, Simon D (1999) PPP EAP TLS authentication protocol. RFC 2716
Funk P, Blake-Wilson S (2004) EAP tunneled TLS authentication protocol (EAP-TTLS). Internet draft, draft-ietf-pppext-eap-ttls-05
Dutta A, Famolari D, Das S, Ohba Y, Fajardo V, Taniuchi K, Lopez R, Schulzrinne H (2008) Media-independent pre-authentication supporting secure interdomain handover optimization. IEEE Wirel Commun 15(2):55–64
Narayanan V, Clancy T, Nakhjiri M, Dondeti L (2008) Handover key management and re-authentication problem statement. RFC 5169
WiMax Forum. http://www.wimaxforum.org/
Neuman C, Yu T, Hartman S, Raeburn K (2005) The Kerberos network authentication service (V5). RFC 4120
Aboba B, Blunk L, Vollbrecht J, Carlson J, Levkowetz H (2004) Extensible Authentication Protocol (EAP). RFC 3748
IEEE Std 802.1X-2004 (2004) IEEE standard for local and metropolitan area networks—port based network access control. IEEE Standards, New York
Rigney C, Willens S, Rubens A, Simpson W (2000) Remote authentication dial in user service (RADIUS). RFC 2865
Calhoun P, Loughney J (2003) Diameter base protocol. RFC 3588
Dantu R, Clothier G, Atri A (2007) EAP methods for wireless networks. Computer Standards Interfaces 29(3):289–301
Stanley D, Aboba B, Walker J (2005) Extensible Authentication Protocol (EAP) method requirements for wireless LANs. RFC 4017
Salowey J, Dondeti L, Narayanan V, Nakhjiri M (2008) Specification for the derivation of root keys from an Extended Master Session Key (EMSK). RFC 5247
Marin R, Bournelle J, Maknavicius-Laurent M, Combes JM, Gomez-Skarmeta A (2006) Improved EAP keying framework for a secure mobility access service. In: Proc of IWCMC 2006, pp 183–188
Ohba Y, Das S, Marin R (2007) An EAP method for EAP extension (EAP-EXT). Internet draft, draft-ohba-hokey-emu-eap-ext-02
IEEE Std 802.21-2008 (2008) IEEE standard for local and metropolitan area networks—part 21: media independent handover services. IEEE Standards, New York
Marin-Lopez R, Pereñiguez F, Ohba Y, Bernal F, Skarmeta AF (2009) A transport-based architecture for fast re-authentication in wireless networks. In: Proc of IEEE Sarnoff symposium 2009. IEEE Computer Society Press
Marin R, Garcia P, Gomez-Skarmeta A (2007) Cryptographic identity based solution for fast handover on EAP wireless networks. In: Proc of the 9th international conference on mobile and wireless communications networks, MWCN 2007, pp 46–51
Aboba B, Beadles M, Arkko J, Eronen P (2005) The network access identifier. RFC 2486
Cantor S, Kemp J, Philpott R, Maler E (eds) (2005) Assertions and protocols for the OASIS security assertion markup language (SAML) v2.0. OASIS standard
Host AP software. http://hostap.epitest.fi
Free Radius. http://www.freeradius.org
Kerberos: the network authentication protocol. Massachusetts Institute of Technology (MIT). http://www.mit.edu/~kerberos/
MIT Information Systems (2008) Kerberos V5 application programming library
KERNAC: Kerberized network access control. http://kernac.codealias.info
Zrelli S, Shinoda Y (2008) EAP fast re-authentication protocol (EAP-FRAP). Internet draft, draft-zrelli-eap-frap-04
Kaafar MA, Benazzouz L, Kamoun F, Males D (2004) Kerberos-based authentication architecture for wireless LANs. In: Proc of IFIP networking’04, LNCS 3042, pp 1344–1353
Moustafa H, Bourdon G, Gourhant Y (2005) AAA in vehicular communication on highways with ad hoc networking support: a proposed architecture. In: Proc of the 2nd ACM international workshop on vehicular ad hoc networks, pp 79–80
Almus H, Brose E, Rebensburg K (2008) A Kerberos-based EAP method for re-authentication with integrated support for fast handover and IP mobility in wireless LANs. In: Proc of the 2nd international conference on communications and electronics, ICCE 2008, pp 61–66
Molva R, Samfat D, Tsudik G (1994) Authentication of mobile users. IEEE Networks 8(2):26–35
Song M, Wang L, Song J (2008) A secure fast Handover scheme based on AAA protocol in mobile IPv6 networks. J China Univ Post Telecommun 15(1):14–18
Kang H, Mung Y (2005) Authentication in fast handover of mobile IPv6 applying AAA by using hash value, LNCS 3794/2005, pp 815–824
Shi D, Tang C (2005) An authentication method on security association for mobile IP fast handoff. In: Proc of international conference wireless communications, networking and mobile computing (WCNM) 2005, vol 2, pp 1324–1327
Zhang J, Zhang Y, Tian Y, Li Z (2008) CPK-based fast authentication method in Mobile IPv6 networks. In: Proc of IEEE symposium on computers and communications, 2008. ISCC 2008, vol 2, pp 234–239
Housley R, Aboba B (2007) Guidance for authentication, authorization, and accounting (AAA) key management. RFC 4962
Marin R, Fernandez PJ, Gomez AF (2007) 3-party approach for fast handover in EAP-based wireless networks. In: Proc of the on the move (OTM) conferences, IS 2007, LNCS 4804, pp 1734–1751
Bird R, Gopal I, Herzberg A, Janson P, Kutten S, Molva R, Yung M (1995) The KryptoKnight family of light-weight protocols for authentication and key distribution. IEEE/ACM Trans Netw 3(1):31–41
Lopez RM, Dutta A, Ohba Y, Schulzrinne H, Gomez Skarmeta AF (2007) Network-layer assisted mechanism to optimize authentication delay during handoff in 802.11 networks. In: Proc of ACM mobiquitous 2007. ACM
IEEE 802.11 (2007) Std. Telecommunications and information exchange between systems—local and metropolitan area network—specific requirements—part 11: wireless LAN medium access control (MAC) and physical layer (PHY) specifications. IEEE Standards, New York
Politis C, Chew K, Akhtar N, Georgiades M, Tafazolli R, Dagiuklas T (2004) Hybrid multilayer mobility management with AAA context transfer capabilities for all-IP networks. IEEE Wirel Commun 11(4):76–88
Aura T, Roe M (2005) Reducing reauthentication delay in wireless networks. In: Proc of IEEE SECURECOMM 2005, pp 139–148
Kim H, Shin KG, Dabbous W (2005) Improving cross-domain authentication over wireless local area networks. In: Proc of IEEE SECURECOMM’05, pp 103–109
Mishra A, Shin M, Petroni N, Clancy C, Arbaugh W (2004) Proactive key distribution using neighbor graphs. IEEE Wirel Commun 11(1):26–36
Pack S, Choi Y (2002) Fast inter-AP handoff using predictive-authentication scheme in a public wireless LAN. In: Proc of IEEE networks 2002 (Joint ICN 2002 and ICWLHN 2002)
Narayanan V, Dondeti L (2008) EAP extensions for EAP re-authentication protocol (ERP). RFC 5296
Acknowledgements
This work has been supported by a Seneca Foundation grant within the Human Resources Researching Training Program 2007. Thanks also to the Funding Program for Research Groups of Excellence with code 04552/GERM/06 also granted by the Seneca Foundation.
Additional information
This paper is an extension of the initial work in [1]. This new work has been supported by a Seneca Foundation grant within the Human Resources Researching Training Program 2007. Thanks also to the Funding Program for Research Groups of Excellence with code 04552/GERM/06 also granted by the Seneca Foundation.
Cite this article
Marin-Lopez, R., Pereñiguez-Garcia, F., Ohba, Y. et al. A Kerberized Architecture for Fast Re-authentication in Heterogeneous Wireless Networks. Mobile Netw Appl 15, 392–412 (2010). https://doi.org/10.1007/s11036-009-0220-3
DOI: https://doi.org/10.1007/s11036-009-0220-3