
A Kerberized Architecture for Fast Re-authentication in Heterogeneous Wireless Networks

Mobile Networks and Applications

Abstract

In this paper we present an architecture for fast re-authentication, based on the Kerberos protocol, that reduces the latency introduced by an authentication process based on the Extensible Authentication Protocol (EAP) when providing network access in mobile networks. The architecture supports two modes of operation, proactive and reactive, to reduce the latency added by the authentication process that is required when a mobile user changes network points of attachment. Moreover, we provide implementation details on a representative wireless testbed and obtain experimental results from the testbed. Those results are used in simulations to evaluate the performance of the proposed architecture for different deployment scenarios and parameters. We also provide a mathematical analysis to compute the authentication delay and validate the simulation results. Performance comparisons based on the experiment, simulation and analysis show that the proposed architecture can reduce the authentication delay compared to other alternatives in typical deployment scenarios.


Notes

  1. In this reference, the terms realm and domain are used interchangeably.

  2. http://www.wireshark.org

  3. http://www.isi.edu/nsnam/ns/

  4. http://www.antd.nist.gov/seamlessandsecure.shtml

  5. http://web.informatik.uni-bonn.de/IV/Mitarbeiter/dewaal

References

  1. Ohba Y, Das S, Dutta A (2007) Kerberized handover keying: a media-independent handover key management architecture. In: Proc of ACM MobiArch

  2. Marin R, Martinez G, Skarmeta A (2004) Evaluation of AAA infrastructure deployment in Euro6ix IPv6 network project. In: Proc of applied cryptography and network security, ACNS, technical track, pp 325–334

  3. Eduroam (EDUcation ROAMing). http://www.eduroam.org/

  4. Aboba B, Simon D, Eronen P (2008) Extensible authentication protocol key management framework. RFC 5247

  5. Aboba B, Simon D (1999) PPP EAP TLS authentication protocol. RFC 2716

  6. Funk P, Blake-Wilson S (2004) EAP tunneled TLS authentication protocol (EAP-TTLS). Internet draft, draft-ietf-pppext-eap-ttls-05

  7. Dutta A, Famolari D, Das S, Ohba Y, Fajardo V, Taniuchi K, Lopez R, Schulzrinne H (2008) Media-independent pre-authentication supporting secure interdomain handover optimization. IEEE Wirel Commun 15(2):55–64


  8. Narayanan V, Clancy T, Nakhjiri M, Dondeti L (2008) Handover key management and re-authentication problem statement. RFC 5169

  9. WiMax Forum. http://www.wimaxforum.org/

  10. Neuman C, Yu T, Hartman S, Raeburn K (2005) The Kerberos network authentication service (V5). RFC 4120

  11. Aboba B, Blunk L, Vollbrecht J, Carlson J, Levkowetz H (2004) Extensible Authentication Protocol (EAP). RFC 3748

  12. IEEE Std 802.1X-2004 (2004) IEEE standard for local and metropolitan area networks—port based network access control. IEEE Standards, New York


  13. Rigney C, Willens S, Rubens A, Simpson W (2000) Remote authentication dial in user service (RADIUS). RFC 2865

  14. Calhoun P, Loughney J (2003) Diameter base protocol. RFC 3588

  15. Dantu R, Clothier G, Atri A (2007) EAP methods for wireless networks. Computer Standards Interfaces 29(3):289–301


  16. Stanley D, Aboba B, Walker J (2005) Extensible Authentication Protocol (EAP) method requirements for wireless LANs. RFC 4017

  17. Salowey J, Dondeti L, Narayanan V, Nakhjiri M (2008) Specification for the derivation of root keys from an Extended Master Session Key (EMSK). RFC 5247

  18. Marin R, Bournelle J, Maknavicius-Laurent M, Combes JM, Gomez-Skarmeta A (2006) Improved EAP keying framework for a secure mobility access service. In: Proc of IWCMC 2006, pp 183–188

  19. Ohba Y, Das S, Marin R (2007) An EAP method for EAP extension (EAP-EXT). Internet draft, draft-ohba-hokey-emu-eap-ext-02

  20. IEEE Std 802.21-2008 (2008) IEEE standard for local and metropolitan area networks—part 21: media independent handover services. IEEE Standards, New York


  21. Marin-Lopez R, Pereñiguez F, Ohba Y, Bernal F, Skarmeta AF (2009) A transport-based architecture for fast re-authentication in wireless networks. In: Proc of IEEE Sarnoff symposium 2009. IEEE Computer Society Press

  22. Marin R, Garcia P, Gomez-Skarmeta A (2007) Cryptographic identity based solution for fast handover on EAP wireless networks. In: Proc of the 9th international conference on mobile and wireless communications networks, MWCN 2007, pp 46–51

  23. Aboba B, Beadles M, Arkko J, Eronen P (2005) The network access identifier. RFC 2486

  24. Cantor S, Kemp J, Philpott R, Maler E (eds) (2005) Assertions and protocols for the OASIS security assertion markup language (SAML) v2.0. OASIS standard

  25. Host AP software. http://hostap.epitest.fi

  26. Free Radius. http://www.freeradius.org

  27. Kerberos: the network authentication protocol. Massachusetts Institute of Technology (MIT). http://www.mit.edu/~kerberos/

  28. MIT Information Systems (2008) Kerberos V5 application programming library

  29. KERNAC: Kerberized network access control. http://kernac.codealias.info

  30. Zrelli S, Shinoda Y (2008) EAP fast re-authentication protocol (EAP-FRAP). Internet draft, draft-zrelli-eap-frap-04

  31. Kaafar MA, Benazzouz L, Kamoun F, Males D (2004) Kerberos-based authentication architecture for wireless LANs. In: Proc of IFIP networking’04, LNCS 3042, pp 1344–1353

  32. Moustafa H, Bourdon G, Gourhant Y (2005) AAA in vehicular communication on highways with ad hoc networking support: a proposed architecture. In: Proc of the 2nd ACM international workshop on vehicular ad hoc networks, pp 79–80

  33. Almus H, Brose E, Rebensburg K (2008) A Kerberos-based EAP method for re-authentication with integrated support for fast handover and IP mobility in wireless LANs. In: Proc of the 2nd international conference on communications and electronics, ICCE 2008, pp 61–66

  34. Molva R, Samfat D, Tsudik G (1994) Authentication of mobile users. IEEE Networks 8(2):26–35


  35. Song M, Wang L, Song J (2008) A secure fast Handover scheme based on AAA protocol in mobile IPv6 networks. J China Univ Post Telecommun 15(1):14–18


  36. Kang H, Mung Y (2005) Authentication in fast handover of mobile IPv6 applying AAA by using hash value, LNCS 3794/2005, pp 815–824

  37. Shi D, Tang C (2005) An authentication method on security association for mobile IP fast handoff. In: Proc of international conference wireless communications, networking and mobile computing (WCNM) 2005, vol 2, pp 1324–1327

  38. Zhang J, Zhang Y, Tian Y, Li Z (2008) CPK-based fast authentication method in Mobile IPv6 networks. In: Proc of IEEE symposium on computers and communications, 2008. ISCC 2008, vol 2, pp 234–239

  39. Housley R, Aboba B (2007) Guidance for authentication, authorization, and accounting (AAA) key management. RFC 4962

  40. Marin R, Fernandez PJ, Gomez AF (2007) 3-party approach for fast handover in EAP-based wireless networks. In: Proc of the on the move (OTM) conferences, IS 2007, LNCS 4804, pp 1734–1751

  41. Bird R, Gopal I, Herzberg A, Janson P, Kutten S, Molva R, Yung M (1995) The KryptoKnight family of light-weight protocols for authentication and key distribution. IEEE/ACM Trans Netw 3(1):31–41


  42. Lopez RM, Dutta A, Ohba Y, Schulzrinne H, Gomez Skarmeta AF (2007) Network-layer assisted mechanism to optimize authentication delay during handoff in 802.11 networks. In: Proc of ACM mobiquitous 2007. ACM

  43. IEEE 802.11 (2007) Std. Telecommunications and information exchange between systems—local and metropolitan area network—specific requirements—part 11: wireless LAN medium access control (MAC) and physical layer (PHY) specifications. IEEE Standards, New York


  44. Politis C, Chew K, Akhtar N, Georgiades M, Tafazolli R, Dagiuklas T (2004) Hybrid multilayer mobility management with AAA context transfer capabilities for all-IP networks. IEEE Wirel Commun 11(4):76–88


  45. Aura T, Roe M (2005) Reducing reauthentication delay in wireless networks. In: Proc of IEEE SECURECOMM 2005, pp 139–148

  46. Kim H, Shin KG, Dabbous W (2005) Improving cross-domain authentication over wireless local area networks. In: Proc of IEEE SECURECOMM’05, pp 103–109

  47. Mishra A, Shin M, Petroni N, Clancy C, Arbaugh W (2004) Proactive key distribution using neighbor graphs. IEEE Wirel Commun 11(1):26–36


  48. Pack S, Choi Y (2002) Fast inter-AP handoff using predictive-authentication scheme in a public wireless LAN. In: Proc of IEEE networks 2002 (Joint ICN 2002 and ICWLHN 2002)

  49. Narayanan V, Dondeti L (2008) EAP extensions for EAP re-authentication protocol (ERP). RFC 5296


Acknowledgements

This work has been supported by a Seneca Foundation grant within the Human Resources Researching Training Program 2007. Thanks also to the Funding Program for Research Groups of Excellence with code 04552/GERM/06 also granted by the Seneca Foundation.


Correspondence to Rafa Marin-Lopez.

Additional information

This paper is an extension of the initial work in [1]. This new work has been supported by a Seneca Foundation grant within the Human Resources Researching Training Program 2007. Thanks also to the Funding Program for Research Groups of Excellence with code 04552/GERM/06 also granted by the Seneca Foundation.


Marin-Lopez, R., Pereñiguez-Garcia, F., Ohba, Y. et al. A Kerberized Architecture for Fast Re-authentication in Heterogeneous Wireless Networks. Mobile Netw Appl 15, 392–412 (2010). https://doi.org/10.1007/s11036-009-0220-3
