Computers & Security

Volume 37, September 2013, Pages 124-142

Efficient authentication for fast handover in wireless mesh networks

https://doi.org/10.1016/j.cose.2013.06.001

Abstract

We propose new authentication protocols to support fast handover in IEEE 802.11-based wireless mesh networks. The authentication server does not need to be involved in the handover authentication process. Instead, mesh access points directly authenticate mobile clients using tickets, avoiding multi-hop wireless communications in order to minimize the authentication delay. Numerical analysis and simulation results show that the proposed handover authentication protocol significantly outperforms IEEE 802.11 authentication in terms of authentication delay.

Introduction

A wireless mesh network (WMN) consists of mesh clients and mesh points (MPs, i.e., routers). Mesh clients can be static (e.g., desktops, database servers) or mobile hosts (e.g., cell phones, laptops, PDAs). The MPs form a wireless mesh backbone to provide multi-hop connectivity from one mesh client to another or to the Internet. A subset of mesh points act as mesh access points (MAPs), connecting mesh clients to the WMN. A small number of mesh points work as gateways, connecting the WMN to the Internet.

A WMN is dynamically self-organized and self-configured, with nodes in the network automatically establishing and maintaining mesh connectivity among themselves. This feature brings many benefits to IEEE 802.11-based mesh networks such as low installation cost, large-scale deployment, fault-tolerance, and self-management.

Wireless mesh networks support many important applications such as Internet access provisioning in rural areas, ad hoc networking for emergency and disaster recovery, security surveillance, and information services in public transportation systems, airports, shopping malls, and stadiums. The technology enables networking capability where wiring or installing cables is difficult or expensive and deployment time is a concern.

With the rapid growth of mobile services for handheld devices such as smartphones, tablets and laptops, Internet connectivity anytime, anywhere has become a necessity in everyday life, business, education and entertainment. While cellular networks effectively handle the handoff problem using signaling embedded in their low-level protocols, there are currently no efficient, transparent handoff solutions for IEEE 802.11-based wireless networks. At the moment, these networks, even if they give the appearance of continuous connectivity to a roaming client, provide connections that are in fact often interrupted when a client transfers from one access point to the next, because handover delays can be as long as several seconds (Velayos and Karlsson, 2003). For some applications (e.g., transferring files), this delay is acceptable; however, it is far too long for real-time traffic such as interactive voice over IP or video conferencing (Amir and Danilov, 2006).

The current version of wireless mesh networking standards IEEE 802.11s does not specify any mechanisms to support fast hand-off for mobile clients. A mesh client has to be authenticated by an authentication server via multi-hop wireless communications, which may result in long delay, low reliability and thus potential service interruption. A performance study of message transmission delay in IEEE 802.11-based mesh networks by Srivatsa and Xie (2008) shows that as the number of wireless hops between two routers increases from one to five, the delay of a message between a client and an authentication server increases from 0.15 s to 0.8 s. Since the authentication process involves several messages (e.g., nine messages in the EAP-TLS protocol used by 802.11s), the handoff latency may be several seconds long, which is not tolerable in real-time applications such as VoIP, newscast, and stock quote distribution.

Our work in this paper contributes toward extending the IEEE 802.11s standards to support fast roaming for mobile clients. In particular, we focus on fast authentication during the hand-off process as well as during the initial login time. We propose a new trust model for WMNs based upon which our proposed authentication protocols are designed. We present ticket-based authentication protocols that are efficient and resilient to attacks. The authentication server does not need to be involved in the handover authentication. Instead, mobile clients' authentications are done by mesh access points, avoiding multi-hop wireless communications. Fast authentication from one MAP to another during the hand-off process is supported using tickets (Kohl and Neuman, 1993). Numerical analysis and simulation results show that our login authentication protocol improves the latency of 802.11s login authentication, and our handover authentication protocol supports fast authentication during the hand-off process, which is lacking in 802.11s.

The remainder of the paper is organized as follows. Related work is discussed in Section 2. We describe the ticket types used in the proposed authentication protocols in Section 3. In Section 4, we present our login and handover authentication protocols. Security analysis is discussed in Section 5. Performance evaluations of the proposed protocols are given in Section 6. Section 7 concludes the paper and outlines our future work.

Related work

We first identify the requirements of an authentication protocol designed specifically for WMNs.

  • The protocol must incur low computation costs due to mobile devices' limited computational capabilities, storage and/or power supply. The number of messages to be exchanged should be minimized due to the low bandwidth of wireless channels (compared with wired networks).

  • The delay of re-authentication during the hand-off process should be low to avoid service interruption.

  • The protocol must support

Proposed trust model and ticket types

We present the definition of ticket and the trust model upon which our authentication protocols are built. We also describe in detail the different types of tickets used in the proposed authentication protocols. Refer to Table 2 for the notation used in the remainder of the article.

The proposed authentication protocols

We propose two authentication protocols, one for the initial login into a network and the other for subsequent roaming (handover). Our authentication protocols follow a key hierarchical structure similar to that in IEEE 802.11i (IEEE, 2003). That is, a pairwise master key (PMK) is created during the authentication process, and a pairwise transient key (PTK) and a group transient key (GTK) are subsequently derived from the PMK. The two parties involved in the authentication will use the PTK for
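The following is an added illustration of the two ideas stated above, a MAP verifying a client's ticket locally (no round trip to the authentication server) and then deriving a PTK from the PMK; it is constructed for this page and is not the paper's protocol. The ticket layout, the symmetric key K_MAP shared by the issuer and all MAPs, the XOR-style PMK wrapping and the HMAC-SHA256 PRF are all assumptions.

```python
import hmac, hashlib, json, os

# Constructed illustration of the ticket-based handover idea described above.
# Assumptions (not from the paper): the ticket issuer and all MAPs share a
# symmetric key K_MAP; a ticket binds the client identity, the PMK (wrapped
# under K_MAP) and an expiry; the PMK-to-PTK step is an HMAC-based PRF in the
# spirit of the IEEE 802.11i key hierarchy the text refers to.
K_MAP = hashlib.sha256(b"constructed sample key shared by issuer and MAPs").digest()

def prf(key, label, *parts):
    """HMAC-SHA256 pseudo-random function used for wrapping and derivation."""
    return hmac.new(key, label + b"|" + b"|".join(parts), hashlib.sha256).digest()

def issue_ticket(client_id, pmk, issued_at, lifetime_s):
    """Issuer (AS at login, or the current MAP at handover) creates a ticket."""
    wrap_nonce = os.urandom(16)
    keystream = prf(K_MAP, b"wrap", wrap_nonce)          # 32-byte pad for a 32-byte PMK
    body = {"client": client_id, "nonce": wrap_nonce.hex(),
            "pmk_wrapped": bytes(a ^ b for a, b in zip(pmk, keystream)).hex(),
            "expires": issued_at + lifetime_s}
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": prf(K_MAP, b"tag", raw).hex()}

def map_accept_ticket(ticket, now):
    """MAP-side check: authentic and unexpired, then recover the PMK locally."""
    raw = json.dumps(ticket["body"], sort_keys=True).encode()
    if not hmac.compare_digest(prf(K_MAP, b"tag", raw).hex(), ticket["tag"]):
        return None                                      # forged or modified ticket
    if now >= ticket["body"]["expires"]:
        return None                                      # stale ticket
    keystream = prf(K_MAP, b"wrap", bytes.fromhex(ticket["body"]["nonce"]))
    return bytes(a ^ b for a, b in zip(bytes.fromhex(ticket["body"]["pmk_wrapped"]), keystream))

def derive_ptk(pmk, client_id, map_id, n_client, n_map):
    """PMK -> PTK, bound to both identities and both fresh nonces."""
    return prf(pmk, b"PTK", client_id.encode(), map_id.encode(), n_client, n_map)

def handover(client_pmk, ticket, map_id, now):
    """One-hop exchange: both sides must reach the same PTK and the client proves it."""
    pmk_at_map = map_accept_ticket(ticket, now)
    if pmk_at_map is None:
        return None
    n_c, n_m = os.urandom(16), os.urandom(16)            # client and MAP nonces
    client = ticket["body"]["client"]
    ptk_map = derive_ptk(pmk_at_map, client, map_id, n_c, n_m)
    ptk_client = derive_ptk(client_pmk, client, map_id, n_c, n_m)
    mic = prf(ptk_client, b"confirm", n_m)               # client's key-confirmation MIC
    return ptk_map if hmac.compare_digest(mic, prf(ptk_map, b"confirm", n_m)) else None
```

The MAP's decision needs only the ticket, its own clock and K_MAP, which is what removes the multi-hop round trip from the handover path; the nonce-bound PTK and key confirmation are what stop a captured ticket from being useful to a party that does not hold the PMK.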

Security analysis of the proposed authentication protocols

In this section, we identify the security threats (Biryukov et al., 2005, Biryukov and Shamir, 2000, Syverson, 1994) relevant to our proposed authentication protocols and discuss counter-measures against them.

Performance evaluation

We compare the performance of our proposed authentication protocols with existing protocols using both numerical analysis and simulations. The protocols to be compared include EAP-TLS and the algorithm proposed by Kassab (2007). EAP-TLS is a popular authentication protocol for IEEE 802.11-based wireless networks and represents the multi-hop handover authentication approach. Kassab's (Kassab, 2007) and Li's (Li, 2010) algorithms are representative of the ticket-based approach and the closest to

Conclusion

The objective of our work is to extend the capabilities of IEEE 802.11s standards to support fast hand-off for real-time applications such as VoIP, tele-conferencing, and stock quote distributions. We propose new authentication protocols to support fast login and hand-off in IEEE 802.11s networks. A client and a MAP mutually authenticate each other using one-hop communications. Fast authentication for roaming from one MAP to another is supported by using transfer tickets. The authentication

Celia Li received her M. A. Sc. degree in Electrical & Computer Engineering from Ryerson University (Toronto, Canada) in 2005. She is currently a Ph.D. student at York University (Toronto, Canada), Department of Computer Science and Engineering. Her research interests include wireless networking, network security, and role-based access control.

References (50)

  • Y. Amir et al. Fast handoff for seamless wireless mesh networks (2006)
  • T. Aura et al. DoS-resistant authentication with client puzzles
  • A. Biryukov et al. Cryptanalytic time/memory/data trade-offs for stream ciphers
  • A. Biryukov et al. Improved time-memory trade-offs with multiple data
  • J. Broch et al. A performance comparison of multi-hop wireless ad hoc network routing protocols
  • M. Buddhikot. Design and implementation of a WLAN/CDMA 2000 inter-networking architecture (2003)
  • Cisco Aironet 802.11 Wireless Adapter....
  • Draft amendment: ESS mesh networking (2009)
  • W. Du et al. A pairwise key pre-distribution scheme for wireless sensor networks
  • ECDSA, FIPS 186-3, Digital Signature Standard (DSS) (2009)
  • D. Forsberg et al. Protocol for carrying authentication and network access (PANA) (2008)
  • A. Fu. A fast handover authentication mechanism based on ticket for 802.16m. IEEE Communications Letters (2010)
  • E. Garcia et al. Inter-access point communication for distributed resource management in 802.11 networks
  • 3GPP Technical Specification 22.121 v5.3.1: "The virtual home environment (release 5)" (2002)
  • G.R. Hiertz. IEEE 802.11s: the WLAN mesh standard. IEEE Wireless Communications (2010)
  • G. Horn et al. Authentication protocols for mobile network environment value-added services. IEEE Transactions on Vehicular Technology (2002)
  • P. Huang. A fast handoff mechanism for IEEE 802.11 and IAPP networks (2006)
  • IEEE. Part 11: wireless medium access control (MAC) and physical layer specifications: medium access control (MAC) security enhancement (2003)
  • D.P. Jablon. Password authentication using multiple servers (2001)
  • Y. Jiang et al. Mutual authentication and key exchange protocols for roaming services in wireless mobile networks
  • M. Kassab. Fast pre-authentication based on proactive key distribution for 802.11 infrastructure networks
  • M. Kassab. Securing fast handover in WLANs: a ticket based proactive authentication scheme
  • A.D. Keromytis et al. SOS: an architecture for mitigating DoS attacks. IEEE Journal on Selected Areas in Communications (2004)
  • J. Kohl et al. The Kerberos network authentication service (V5) (1993)
  • H. Krawczyk et al. HMAC: keyed-hashing for message authentication (1997)
Dr. Uyen Trang Nguyen received her Bachelor of Computer Science and Master of Computer Science degrees in 1993 and 1997, respectively, from Concordia University, Montreal, Canada. She completed her Ph.D. degree at the University of Toronto, Canada, in 2003. From 1995 to 1997 she was a software engineer at Nortel Networks, Montreal, Canada. She joined the Department of Computer Science and Engineering at York University, Toronto, Canada, in 2002 and is currently an Associate Professor. Her research interests are in the areas of mobile and ubiquitous computing, wireless networking, multimedia applications and network security.

Dr. Hoang Lan Nguyen received his B.E. degree with the highest honors in Telecommunications from the University of Wollongong (NSW, Australia) in 2003, and his M.Sc. and Ph.D. degrees in Computer Science from York University (Toronto, Canada) in 2006 and 2012, respectively. Before joining York University, he worked for Australia Nortel Networks as a software engineer. He is currently a research scientist at IBM Canada. His research interests include wireless networking, multicast routing, and network security.

Dr. Nurul Huda received his Ph.D. degree in Informatics in 2007 from the Graduate University for Advanced Studies (Tokyo, Japan). He was a post-doctoral fellow at the National Institute of Informatics (Tokyo, Japan) from 2007 to 2010, and a researcher at the Research Organization of Information and Systems (Tokyo, Japan) from 2010 to 2012. He is currently a research associate at York University (Toronto, Canada), Department of Computer Science and Engineering. His research interests are in the areas of wireless ad hoc networks, delay tolerant networks and privacy enhancing technologies.