A Secure Vertical Handoff Scheme for UMTS-WLAN Interworking by bestt571


IEEE ICSS2005 International Conference On Systems & Signals

A Secure Vertical Handoff Scheme for UMTS-WLAN Interworking

Yen-Chieh Ouyang, Chung-Hua Chu, and Chang-Bu Jang
National Chung-Hsing University, 250, Kuo-Kwang Road, Taichung, 402, Taiwan, R.O.C.

The handoff processes to 802.11 WLAN and UMTS can still be hijacked in the middle of a communication session. In this paper, we propose a secure vertical handoff scheme for the interworking between UMTS and 802.11 WLAN networks. The Dynamic Key Exchange Procedure (DKEP) is applied to prevent session hijacking during a UMTS handover to an 802.11 WLAN environment and provides security for both the mobile station (MS) and the access point (AP). DKEP includes three phases, and all the steps of the phases are protected by public-key encryption. The MS and AP compute their session key individually. The security analysis of DKEP is done using SPEARII. The results show that no information can be hijacked between MS and AP. The scheme is guaranteed in various secure aspects. For example, user identity, efficient authentications and key distributions can be protected, thus avoiding denial of service, key reuse, and so on.

Key words: vertical handoff, dynamic key exchange procedure, secure aspect

1 Introduction

In recent years, 802.11 WLANs already offer mobile users broadband, high-speed wireless Internet access but are often found lacking with respect to roaming and mobility support. By contrast, UMTS will provide wide coverage and nearly universal roaming, but will not realistically live up to the bit rate expectations placed on it. They can't replace each other. When WLAN and UMTS coexist, a handoff mechanism should be created and provided. Many studies have in fact proposed such mechanisms [8, 9, 10, 11], but they are insufficient with respect to the security requirements. Therefore we focus on the security of the communication sessions when a handoff mechanism is triggered. The DKEP is proposed for a secure vertical handoff procedure from UMTS to WLAN. A security scheme for a vertical handoff from WLAN to UMTS is also presented. The remainder of this paper is organized as follows. In section 2 we describe the architecture for interworking of 802.11 WLAN and UMTS. Section 3 presents the proposed DKEP for a secure handoff triggered from UMTS to WLAN. In section 4 the analysis of the handoff procedure is presented. In section 5 we further verify and survey the DKEP using SPEAR II. Section 6 is the conclusion.

2 Architecture for Interworking of 802.11 WLAN and the UMTS

Fig. 1. Architecture of integration.

We assume that an MS is a dual-mode terminal with two interfaces: a UMTS interface and an 802.11 WLAN interface. We also assume that an AP includes a RADIUS server and AR function (see Figure 1), so the AP can do certification and authentication. The 802.11 WLAN users can use the data connection (UMTS PS service) and the UMTS users can use the voice connection (UMTS CS service). The two interfaces can switch automatically between the different systems. Figure 1 displays the UMTS-WLAN interworking architecture, where the Serving GPRS Support Node (SGSN) is the integration point [1]. The Radio Network Controller (RNC) performs radio-specific tasks, such as converting packets into radio frames, managing the radio resources, and controlling handover. The Gateway GPRS Support Node (GGSN) is the node that can be accessed by the packet data network due to evaluation of the packet data protocol (PDP) address. It contains routing information for PS-attached users. The routing information is used to tunnel network protocol data units (N-PDUs) to the MS's current point of attachment, i.e. the SGSN. The GGSN may request location information from the home location register (HLR) via the optional Gc interface. The GGSN is the first access point of packet data network (PDN) interconnection with a public land mobile network (PLMN) supporting GPRS (i.e. the Gi reference point is supported by the GGSN). The GGSN functionality is common for all types of RANs. The SGSN is the node that is serving the MS. The SGSN supports GPRS for A/Gb mode (i.e. the Gb interface is supported by the SGSN) and/or Iu-mode (i.e. the Iu interface is supported by the SGSN). When the PS is attached, the SGSN establishes a mobility management context containing information pertaining to mobility and security for the MS. At PDP Context Activation, the SGSN establishes a PDP context, which is used for routing purposes with the GGSN that the subscriber will be using [2].

The 802.11 WLAN can be connected at the GGSN, but during the 802.11 WLAN user handover to UMTS, the SGSN needs to recreate the mobility state and acquire or reestablish the session (PDP) and radio access bearer (RAB) contexts that the GGSN does not have. For this situation, the handover procedure was proposed by Jaseemuddin [1]. The HLR contains GPRS subscription data and routing information. The HLR is accessible from the SGSN via the Gr interface and from the GGSN via the Gc interface. The Home Environment (HE) [6] may have pre-computed the required number of authentication vectors and retrieved them from the HLR database, or may compute them on demand [3]. The different networks would share the same authentication, transport, signaling and billing infrastructures, independently of the protocols used at the physical layer on the radio interface [4]. The WLAN sends traffic directly into the SGSN, so the configuration and the design of network elements have to be modified to sustain the increased load [4].

3 A Secure Vertical Handoff between WLAN and UMTS using DKEP

The goal of using the dynamic key exchange procedure (DKEP) is to create a secure handoff scheme when a handoff mechanism is triggered between MS and AP. Using the DKEP can protect communication data on the air for a UMTS user handing over to the 802.11 WLAN environment. When the air interface is protected, several attack methods can be prevented. In the DKEP, the MS and the AP obtain mutual authentication through the authentication server. A message authentication code (MAC), produced by HASH functions, is added to every packet and then encrypted together with it. We assume that the authentication server (RADIUS) serves only a single AP domain. There are three phases in the dynamic key exchange protocol: the "initialization phase", the "key exchange phase", and the "refresh password phase".

A. Initialization phase

In this phase the MS registers itself online as a legal member through the AP. The detailed steps are shown in Figure 2 [5].

The reason to use a one time password is that it varies per session, its length is long enough compared with a human-chosen password, and it is hard to trace and detect. The OTP1 is equal to HASH[HASH[pass-phrase, challenge text]]. The OTP2 is equal to HASH[pass-phrase, challenge text]. Note that the Counter is a positive integer and will decrease by one after each successful connection. When it reaches zero, the MS should request a new one time password (OTP). The value of the Counter can't exceed the number of iterations of OTPs [5].

Fig. 2. The initialization phase.

B. Key exchange phase

In practice, the key generation phase is used to negotiate a new session key for every communication session between the MS and the AP. The MS has to do the initialization phase first. These steps are shown in Figure 3 [5].

Figure 3. The key exchange phase.
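The OTP1/OTP2 relationship and the Counter rule stated in the initialization phase above, as an added Python example that is not code from the paper. It assumes the AP stores only OTP1 and accepts a presented OTP2 when HASH[OTP2] equals OTP1, that OTP2 travels under the public-key encryption the paper describes, and that HASH is SHA-256; `ApRecord`, `connect`, `refresh` and all sample values are hypothetical.

```python
import hashlib
import hmac


def HASH(*parts: bytes) -> bytes:
    """HASH[x, y]: SHA-256 over length-prefixed parts (hash choice is an assumption)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))  # prefix avoids ambiguous joins
        h.update(part)
    return h.digest()


def otp2(pass_phrase: bytes, challenge: bytes) -> bytes:
    return HASH(pass_phrase, challenge)          # OTP2 = HASH[pass-phrase, challenge text]


def otp1(pass_phrase: bytes, challenge: bytes) -> bytes:
    return HASH(otp2(pass_phrase, challenge))    # OTP1 = HASH[OTP2]


class ApRecord:
    """Hypothetical AP-side state for one MS: OTP1 and the remaining Counter."""

    def __init__(self, otp1_value: bytes, counter: int):
        self.refresh(otp1_value, counter)

    def refresh(self, otp1_value: bytes, counter: int) -> None:
        if counter <= 0:
            raise ValueError("Counter must be a positive integer")
        self.otp1, self.counter = otp1_value, counter

    def connect(self, presented_otp2: bytes) -> str:
        if self.counter == 0:
            return "refresh-required"            # MS must request a new OTP
        if not hmac.compare_digest(HASH(presented_otp2), self.otp1):
            return "rejected"                    # failed attempt: Counter unchanged
        self.counter -= 1                        # decrease after each successful connection
        return "accepted"


def demo() -> list:
    challenge = b"constructed-challenge-1"       # constructed sample values
    ap = ApRecord(otp1(b"ms pass-phrase", challenge), counter=2)
    results = [ap.connect(otp2(b"guess", challenge))]
    results += [ap.connect(otp2(b"ms pass-phrase", challenge)) for _ in range(3)]
    ap.refresh(otp1(b"ms pass-phrase", b"constructed-challenge-2"), counter=2)
    results.append(ap.connect(otp2(b"ms pass-phrase", challenge)))  # old OTP2 after refresh
    return results


if __name__ == "__main__":
    print(demo())
```

Because the AP record holds only OTP1, reading that record does not yield the OTP2 value that `connect` accepts.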
C. Refresh password phase

When the Counter decreases to zero, the MS should change its OTP; otherwise the AP has the right to prohibit the MS from using its services. The steps are given in Figure 4 [5].

Figure 4. The refresh password phase.

D. The Secure Handoff from UMTS to WLAN

During the UMTS user handover to a WLAN environment, we use the DKEP to build a secure handoff procedure. Figure 5 displays the detailed handoff procedures between MS-AP, AP-SRNC and

Figure 5. Secure handoff procedure from UMTS to WLAN using DKEP.

E. Security Vertical Handoff Procedure from WLAN to UMTS

When the handoff from WLAN to UMTS is triggered, the UMTS authentication procedure [3] is used to build a secure handoff. The procedure is shown in Figure 6.

4 Security Analysis of the DKEP and the handoff process

A. Analysis of the DKEP and the advantages of the handoff from UMTS to WLAN

The security performance improvements of the DKEP protocols are evaluated using several secure criteria. These criteria were selected from the security requirements defined in 3GPP. The DKEP makes the security advantages of the handoff procedure apparent.

1) DKEP has no initial vectors (IVs), and so avoids the key reuse caused by exhaustion of IVs.
2) DKEP extends the lifetime of the shared secret channel with Counter times.
3) Using DKEP, each new session will generate a different session key.
4) DKEP has a strong mutual authentication procedure based on the OTP, which can avoid a man-in-the-middle attack.
5) Using the DKEP can protect an AP from denial of service (DoS) attacks and session hijack attacks, because every message frame, including its MAC, is encrypted with a dynamic session key.
6) Each new shared element will be protected by a similar key exchange procedure.
7) DKEP is compatible with any existing cipher algorithms.
8) All the message frames and exchanged elements are protected by a shared secret channel.
9) DKEP is secure against passive attacks (eavesdropping/replay attacks), based on the counter number and its own session key.
10) DKEP is secure against dictionary attacks because the MS uses the initial password to produce an OTP with a different challenge. The MS requires certification (e.g. Cert(MS)) on the AP, so the MS's certification is not based on the MS's password and ID.
11) DKEP can be used in any client-server wireless and wired environments.

Figure 6. Secure handoff procedure from WLAN to

B. The Advantages of the Handoff from WLAN to UMTS

The UMTS authentication procedure has the following features [3]:

1) Using an encryption key shared by a group of users to protect the user's identity.
2) Message authentication and replay inhibition have not been suppressed by an attacker.
3) Integrity protection of critical signaling messages protects against denial of service attacks.
4) A sequence number in the challenge allows the USIM [3] to verify the freshness of the cipher key.

5 Further Verification and Survey for the DKEP in SPEAR II

The goal of the Security Protocol Engineering and Analysis Resource II (SPEAR II) tool is to facilitate cryptographic protocol engineering and aid users in distilling the critical issues during an engineering session by presenting them with an appropriate level of detail and guiding them as much as possible.

BAN logic systems have successfully been used to reveal flaws in protocols. A popular BAN logic is GNY, and SPEARII is based on the GNY logic system. We use SPEARII to perform cryptographic protocol analysis of DKEP, and the examination procedures are shown in Figure 7. The visual GNY environment is a component of SPEAR and is used to construct the GNY statements necessary for protocol analysis. From the result of the BAN analysis of DKEP, we can see that the procedure has high confidentiality against attacks (see Figures 8, 9, 10, 11 and 12).

Figure 7. Simulation of the DKEP in SPEARII

Fig. 8 Analysis result.

Fig. 9 Assumptions of supplicant

Fig. 10 Assumptions of AP

Fig. 11 The goals of supplicant

Fig. 12 The goals of AP

6 Conclusions

In this paper, we propose a secure vertical handoff process for when a handoff mechanism is triggered between UMTS and 802.11 WLAN networks. In order to protect users' privacy from eavesdropping and spoofing, a robust handoff procedure is necessary. The DKEP is used to resolve these security problems when UMTS users hand over to 802.11 WLAN. Using the DKEP, we can achieve high confidentiality and strong mutual authentication. The other situation is that 802.11 WLAN users hand over to a UMTS environment. We use the UMTS authentication procedure to build a secure vertical handoff when the WLAN users hand off to a UMTS environment. The UMTS authentication provides a permanent user identity IMSI and user location, so that user services can't be determined by eavesdropping. From the security analysis, we know that the security of the handoff between WLAN and UMTS will be improved and guaranteed.

Appendix: Symbols used in this paper

Kp: AP's public key.
Cert(x): a certificate related with x.
E_AsymK[x]: encrypts x by using an asymmetric algorithm with key K.
E_SymK[x]: encrypts x by using a symmetric algorithm with key K.
ID: the identity of the MS.
Ru and RT: Ru and RT are both random numbers, but Ru is not equal to RT.
Counter: the counter of OTP.
||: this vertical bar is used to denote concatenation of strings.
HASH[x]: a one-way hash function for which x is the input. It is used to create the MAC.

References

[1] M. Jaseemuddin, "An architecture for integrating UMTS and 802.11 WLAN networks", Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCC 2003), pp. 716-723, June 30-July 3, 2003.
[2] 3GPP TS 23.060, "3GPP General Packet Radio Service (GPRS), Service Description, Stage 2 (Release 6)", June 2003.
[3] 3GPP TS 33.102, "3G Security, Security architecture (Release 5)", June 2003.
[4] M. Buddhikot, G. Chandranmenon, S. Han, Y. W. Lee, S. Miller, L. Salgarelli, "Integration of 802.11 and third-generation wireless data networks",
[5] Y. C. Ouyang, R. L. Chang and J. H. Chiu, "A New Security Key Exchange Channel for 802.11 WLANs", IEEE Security Technology, 2003, Carnahan Conference, October 14-16, 2003.
[6] G. M. Koien and Thomas Haslestad, "Security aspects of 3G-WLAN interworking", IEEE Communications Magazine, Volume 41, Issue 11, Nov. 2003.
[7] All information about SPEARII can be found at http://www.cs.uct.ac.za/Research/DNA/resources/publications_repository/saul1999_SPEAR_SATNAC.pdf and http://dimacs.rutgers.edu/Workshops/Security/program2/hutch/
[8] Kalle Ahmavaara, Henry Haverinen, Roman Pichna, "Interworking Architecture between 3GPP and WLAN Systems", IEEE Communications Magazine, November 2003.
[9] Ming hui Shi, Xuemin (Sherman) Shen, and Jon W. Mark, "IEEE 802.11 Roaming and Authentication in Wireless LAN/Cellular Mobile networks", IEEE Wireless Communications Magazine, August 2004.
[10] Milind M. Buddhikot, Girish Chandranmenon, Seungjae Han, Yui-Wah Lee, Scott Miller, and Luca Salgarelli, "Design and Implementation of a WLAN/CDMA2000 Interworking Architecture", IEEE Communications Magazine, November 2003.
[11] Qian Zhang, Chuanxiong Guo, Zihua Guo, and Wenwu Zhu, "Efficient Mobility Management for Vertical Handoff between WWAN and WLAN", IEEE Communications Magazine, November 2003.