TEASE: A novel Tunnel-based sEcure Authentication SchemE to support smooth handoff in IEEE 802.11 wireless networks

https://doi.org/10.1016/j.jpdc.2010.12.003

Abstract

With the growing popularity of WiFi-based devices, WiFi-based wireless networks have received a great deal of interest in the wireless networks community. However, due to the limited transmission range of WiFi-based networks, mobile users have to switch their associated access points constantly to maintain continuous communication as they move. The process of switching access points is called handoff. Handoff management is a key service in mobile networks, because seamless roaming in wireless networks is mandatory for supporting real-time applications in a mobile environment, such as VoIP, online games, and eConference. Security is another important issue in network communications, and to prevent possible attacks, authentication is required during the handoff process to guarantee the reliability of mobile clients and access points. In this paper, we propose a novel authentication scheme to achieve a smooth handoff in WiFi-based networks, which we refer to as TEASE. A tunnel is introduced to forward data packets between the new access point and the original, already trusted access point. A complete secure authentication and the transmission of data between mobile terminals and their correspondent nodes can proceed simultaneously. Handoff security is achieved without adding overhead to authentication servers, and handoff latency can be minimized to support seamless roaming. Simulation results show that our proposed scheme significantly reduces the communication interruption time and yields a low packet loss ratio, and that our method is suitable for secure handoff in real-time applications.

Highlights

- We propose a tunnel-based authentication scheme to reduce interruption time.
- The security requirements are met by using temporary tunnel keys.
- Simulation results demonstrate that authentication latency is minimized.
- Smooth handoff is realized in a real-time environment.

Introduction

The IEEE 802.11 [10] protocol is the most widely used wireless connection standard in IP-based networks, and its advantages over other wireless connection protocols, such as low cost, easy deployment and high bandwidth, will make it an important component of next generation networks. However, the radio range of access points (APs) in IEEE 802.11 networks is limited, and mobile nodes need to change access points frequently as they move. Therefore, changing APs smoothly is the key issue in IEEE 802.11 networks [6], [7].

There are two phases in a handoff process: MAC layer handoff and network layer handoff. When the mobile node finds that the signal quality, which can be measured by the received signal strength indication (RSSI) or the signal to noise ratio (SNR), has dropped below the predefined level in the MAC layer, the mobile node initiates the handoff process to find the AP with the best signal quality in its neighborhood. Then, the mobile terminal authenticates with the new AP. If the authentication passes, the mobile terminal can connect to the new AP; otherwise, the association is denied. After that, a new data routing path between the mobile node and its correspondent nodes must be re-established to maintain communication at the network layer. A comprehensive survey of existing handoff management solutions is given in [3].

The IEEE 802.11 [10] protocol outlines the basic steps of the handoff process. Unfortunately, the original handoff latency is several hundred milliseconds [4], while real-time applications require a MAC layer handoff latency of less than 50 ms. Therefore, many schemes have been proposed in recent years to reduce the handoff latency. However, most of these schemes do not consider a complete authentication process, which is needed in real scenarios.

In this paper, a Tunnel-based sEcure Authentication SchemE (TEASE) is proposed to improve handoff performance for WiFi networks. The tunnel technique is introduced to reduce handoff latency and to provide secure communications. During the MAC layer handoff, when the mobile terminal selects the new access point which has the best signal quality, it starts a fast authentication process. The ID of the new access point, which can be the MAC address of the new access point, is sent to the old access point. The old access point uses MAC addresses of the new access point and the mobile terminal to generate the temporary tunnel key. The temporary tunnel key is then sent to the mobile terminal and the new access point. After the mobile terminal receives the temporary tunnel key, it triggers a general open system authentication with the new access point.

If the open system authentication passes, the mobile terminal is permitted to associate with the new access point conditionally. The condition is that all data packets sent from the mobile terminal to the new access point are encrypted with the temporary tunnel key, and these packets are then forwarded to the old access point. The old access point then sends these packets on to their destinations. In the meantime, the new access point triggers the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) [2] process with the authentication server to generate the new Pairwise Master Key (PMK) and Pairwise Transient Key (PTK). Once the new PMK and PTK have been received, the temporary tunnel key becomes obsolete, and the mobile terminal can communicate with the new access point as usual. According to experimental results, our fast authentication scheme using tunnels shortens the MAC layer’s authentication latency significantly, and the packet loss ratio is also low enough to achieve smooth handoff.
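As an added illustration (not code from the paper or from its ns2 implementation), the following Python model walks one TEASE handoff through its two phases: frames protected with the temporary tunnel key are tunnelled to the old AP, and once EAP-TLS yields a new PTK the tunnel key is retired, so a frame still protected with it no longer verifies. The HMAC-SHA256 construction, the `old_ap_secret` that keys the derivation (the paper only says the two MAC addresses are used), and the encrypt-then-MAC framing are assumptions made for this example.

```python
import hmac
import hashlib

TUNNEL, ESTABLISHED = "tunnel", "established"

def derive_tunnel_key(old_ap_secret: bytes, mt_mac: str, new_ap_mac: str) -> bytes:
    # Old AP derives the temporary tunnel key from the MT and new-AP MAC addresses.
    # Assumption (not in the paper): the HMAC is keyed with a secret the old AP already
    # shares with the MT, so the public MAC addresses alone do not yield the key.
    label = f"TEASE-tunnel|{mt_mac}|{new_ap_mac}".encode()
    return hmac.new(old_ap_secret, label, hashlib.sha256).digest()

def keystream(key: bytes, seq: int, n: int) -> bytes:
    # Per-frame keystream: HMAC(key, seq || block counter), as many blocks as needed.
    blocks = [hmac.new(key, seq.to_bytes(4, "big") + bytes([i]), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def protect(key: bytes, seq: int, payload: bytes) -> tuple:
    # Encrypt-then-MAC: XOR with the keystream, then tag seq || ciphertext.
    ct = bytes(p ^ k for p, k in zip(payload, keystream(key, seq, len(payload))))
    tag = hmac.new(key, b"tag" + seq.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:16]
    return seq, ct, tag

def unprotect(key: bytes, frame: tuple):
    # Returns the plaintext, or None when the tag does not verify under this key.
    seq, ct, tag = frame
    expect = hmac.new(key, b"tag" + seq.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, seq, len(ct))))

class TeaseHandoff:
    # Tracks which key protects the MT's frames across the two phases of one handoff.
    def __init__(self, old_ap_secret: bytes, mt_mac: str, new_ap_mac: str):
        self.phase = TUNNEL
        self.tunnel_key = derive_tunnel_key(old_ap_secret, mt_mac, new_ap_mac)
        self.ptk = None
        self.seq = 0
    def mt_send(self, payload: bytes) -> tuple:
        self.seq += 1
        return protect(self.tunnel_key if self.phase == TUNNEL else self.ptk, self.seq, payload)
    def new_ap_receive(self, frame: tuple) -> tuple:
        if self.phase == TUNNEL:
            # Conditional association: the new AP tunnels the frame to the old AP,
            # which verifies it with the tunnel key and delivers it to the destination.
            return "forwarded-to-old-ap", unprotect(self.tunnel_key, frame)
        return "delivered-by-new-ap", unprotect(self.ptk, frame)
    def complete_eap_tls(self, ptk: bytes) -> None:
        # EAP-TLS finished: the new PTK takes over and the tunnel key becomes obsolete.
        self.ptk, self.phase, self.tunnel_key = ptk, ESTABLISHED, None
```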

The rest of this paper is organized as follows. Section 2 offers background and a discussion of related work. Our proposed scheme is presented in Section 3, and a security analysis of our scheme is given in Section 4. Section 5 describes the simulation results and discusses its performance. Finally, Section 6 summarizes and concludes this paper.

Section snippets

Previous and related work

The whole handoff process defined in the IEEE 802.11 protocol can be divided into three phases: scan, reauthentication and reassociation [4]. During the scan phase, mobile terminals broadcast probe messages and select new access points which have the best signal quality based on the response messages. In the reauthentication phase, authentication is completed to make sure the current connection is safe. Finally, mobile terminals associate with the new access points in the reassociation phase. A

TEASE protocol

In this section, TEASE is proposed to support a smooth handoff in WiFi-based wireless networks. In general, during the handoff process, the new access point can accept the connection request from the mobile terminal conditionally, and a tunnel is established between the old access point and the new access point to forward data packets. Meanwhile, a complete authentication such as EAP-TLS is processed in the background. Therefore, in parallel with the authentication of the new access point, the

Security analysis

In general, there are three requirements for secure wireless communications: confidentiality, availability and integrity. All of these requirements are considered in the design of our authentication scheme. In this section, we are going to describe how our authentication protocol meets these requirements.

Simulation results

This section presents the experiments and simulation results. Our fast authentication scheme is implemented using the Network Simulator — ns2 (Release 2.33) [18]. Four mobility models are used to generate the mobile client’s movement path: Bounded Random Mobility Model (BRMM), Brownian Motion Mobility Model (BMMM), Random Direction Mobility Model (RDMM), and Random Waypoint Mobility Model (RWMM). For each experiment, 30 simulations are performed. Table 1 illustrates the general simulation

Conclusion

A complete authentication process plays an important role in seamless secure wireless networks. This paper proposes a novel MAC layer authentication scheme that uses tunnel technology to minimize interruption time during the handoff process. Instead of completing a whole authentication process defined in IEEE 802.11i, we allow the access points to accept connections conditionally. Temporary tunnel keys are used to encrypt communication between the mobile terminals and their new access points

Zhenxia Zhang received his B.Sc. and M.Sc. in Computer Science from Zhejiang University, China, respectively in 2004 and 2006. He is now a Ph.D. student at PARADISE Research Laboratory at University of Ottawa. His current research interests are in the field of mobility management, handoff, wireless ad hoc and mesh networks, and wireless sensor networks.

References (29)

  • B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, H. Levkowetz, Extensible authentication protocol (EAP), June 2004. ...
  • B. Aboba, D. Simon, PPP EAP TLS authentication protocol, October 1999. http://www.ietf.org/rfc/rfc2716.txt, ...
  • I.F. Akyildiz et al., A survey of mobility management in next-generation all-IP-based wireless systems, IEEE Wireless Communications (2004).
  • A. Mishra, M. Shin, W. Arbaugh, An empirical analysis of the IEEE 802.11 MAC layer handoff process, ACM SIGCOMM Computer Communication Review (2003).
  • F. Bersani, H. Tschofenig, The EAP-PSK protocol: a pre-shared key extensible authentication protocol (EAP) method, ...
  • A. Boukerche, Handbook of Algorithms for Wireless Networking and Mobile Computing, ...
  • A. Boukerche, Algorithms and Protocols for Wireless and Mobile Ad Hoc Networks (2008).
  • S.R. Fluhrer, I. Mantin, A. Shamir, Weaknesses in the key scheduling algorithm of RC4, in: The 8th Annual International ...
  • Y. He, D. Perkins, BASH: a backhaul-aided seamless handoff scheme for wireless mesh networks, in: WoWMoM 2008, June ...
  • IEEE Standard 802.11, IEEE standard for information technology-telecommunications and information exchange between ...
  • ITU, ITU-T Recommendation G.711, 1989. http://www.itu.int/rec/T-REC-G.711-198811-I/en, ...
  • B. Jackson, History of VoIP, November 2007. ...
  • M. Kassab, A. Belghith, J.-M. Bonnin, S. Sassi, Fast pre-authentication based on proactive key distribution for 802.11 ...
  • Y. Liao, L. Cao, Practical schemes for smooth MAC layer handoff in 802.11 wireless networks, in: WoWMoM 2006, June ...
    Azzedine Boukerche is a full professor and holds a Canada Research Chair position at the University of Ottawa (uOttawa). He is a Fellow of the Canadian Academy of Engineering and the founding director of the PARADISE Research Laboratory, School of Information Technology and Engineering (SITE), Ottawa. Prior to this, he held a faculty position at the University of North Texas, and he was a senior scientist at the Simulation Sciences Division, Metron Corp., San Diego. He was also employed as a faculty member in the School of Computer Science, McGill University, and taught at the Polytechnic of Montreal. He spent a year at the JPL/NASA-California Institute of Technology, where he contributed to a project centered about the specification and verification of the software used to control interplanetary spacecraft operated by JPL/NASA Laboratory. His current research interests include wireless ad hoc and sensor networks, wireless networks, mobile and pervasive computing, wireless multimedia, QoS service provisioning, performance evaluation and modeling of large-scale distributed systems, distributed computing and large-scale distributed interactive simulation. He has published several research papers in these areas. He served as a guest editor for the Journal of Parallel and Distributed Computing (special issue for routing for mobile ad hoc, special issue for wireless communication and mobile computing, and special issue for mobile ad hoc networking and computing), ACM/Kluwer Wireless Networks, ACM/Kluwer Mobile Networks Applications, and Journal of Wireless Communication and Mobile Computing. He serves as an Associate Editor of IEEE Transactions on Vehicular Technology, Elsevier Ad Hoc Networks, Wiley International Journal of Wireless Communication and Mobile Computing, Wileys Security and Communication Network Journal, Elsevier Pervasive and Mobile Computing Journal, IEEE Wireless Communication Magazine, and Elsevier’s Journal of Parallel and Distributed Computing. 
He served as an Associate Editor of IEEE Transactions on Parallel and Distributed Systems and SCS Transactions on Simulation. He was the recipient of the Best Research Paper Award at IEEE/ACM PADS 1997, ACM MobiWac 2006, ICC 2008, ICC 2009 and IWCMC 2009, and the recipient of the Third National Award for Telecommunication Software in 1999 for his work on a distributed security system for mobile phone operations. He has been nominated for the Best Paper Award at IEEE/ACM PADS 1999 and ACM MSWiM 2001. He is a recipient of an Ontario Early Research Excellence Award (previously known as the Premier of Ontario Research Excellence Award), the Ontario Distinguished Researcher Award, and the Glinski Research Excellence Award. He is a co-founder of the QShine International Conference on Quality of Service for Wireless/Wired Heterogeneous Networks (QShine 2004). He served as the general chair for the Eighth ACM/IEEE Symposium on Modeling, Analysis and Simulation of Wireless and Mobile Systems, and the Ninth ACM/IEEE Symposium on Distributed Simulation and Real-Time Application (DS-RT), the program chair for the ACM Workshop on QoS and Security for Wireless and Mobile Networks, ACM/IFIPS Europar 2002 Conference, IEEE/SCS Annual Simulation Symposium (ANNS 2002), ACM WWW 2002, IEEE MWCN 2002, IEEE/ACM MASCOTS 2002, IEEE Wireless Local Networks WLN 03–04, IEEE WMAN 04–05, and ACM MSWiM 98–99, and a TPC member of numerous IEEE and ACM sponsored conferences. He served as the vice general chair for the Third IEEE Distributed Computing for Sensor Networks (DCOSS) Conference in 2007, as the program co-chair for the GLOBECOM 2007–2008 Symposium on Wireless Ad Hoc and Sensor Networks, and for the 14th IEEE ISCC 2009 Symposium on Computers and Communications, and as the finance chair for ACM Multimedia 2008.
He also serves as a Steering Committee chair for the ACM Modeling, Analysis and Simulation for Wireless and Mobile Systems Conference, the ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, and Ubiquitous Networks, and IEEE/ACM DS-RT.

    Hussam Ramadan is a professor in the Department of Information Systems, College of Computer and Information Sciences, King Saud University, Riyadh, Saudi Arabia. He received his Ph.D. Degree in Computer Science and Engineering in 1995 from the University of Louisville, USA and his B.S. Degree in Electrical Engineering in 1988 from the George Washington University, USA. He is currently the Dean of the College of Computer and Information Sciences, King Saud University. His research interest is in the areas of parallel and distributed simulation, distributed computing and modeling and simulation methodologies.

    This work is partially supported by NSERC, Canada Research Chairs Program, the Ontario Research Fund (ORF), ORNEC, the Early Ontario Researcher Award, the Ontario Centres of Excellence (OCE), and MRI Funds.
