Document Sample

Chinese Journal of Electronics Vol.20, No.1, Jan. 2011 An Elliptic Curve Based Handoﬀ Authentication Protocol for WLAN∗ WAN Changsheng1 , HU Aiqun1 and ZHANG Juan2 (1.Radio Department, Southeast University, Nanjing 210096, China) (2.Accounting Department, Nanjing University, Nanjing 210093, China) Abstract — This paper proposes a novel handoﬀ au- tion. thentication protocol for WLAN. It uses an elliptic curve To focus on handoﬀ authentication and key agreement in based mechanism to design an authentication and key WLAN, we ﬁrst assume that the Authentication server (AS) agreement protocol for handoﬀ in the 802.11r domain, and in the Extended service set (ESS) has Pre-established security it can eﬀectively defend all known attacks to WLAN in- cluding the denial-of-service attack and the domino eﬀect association (PSA) with APs and STAs respectively (Fig.1). attack. Moreover, our scheme includes only two messages Secondly, we assume the STA can associate with the candidate between two parties, and requires few cpu cycles. There- BSS after our scheme (using the same mechanism deﬁned by fore, during handoﬀ authentication process, our scheme FBSST[8] ). enjoys both computation eﬃciency and communication ef- ﬁciency as compared to the 802.11r authentication scheme. Key words — WLAN, Handoﬀ authentication, Elliptic curve. I. Introduction Fig. 1. Trust model in WLAN [1] Handoﬀ among Access points (AP) is highly desirable The architecture of our scheme (we name it EBSST) is to Stations (STA)[1] in WLAN, and secure low-latency hand- summarized as follows: The AS initially generates and dis- oﬀ authentication is challenging. tributes some elliptic curve based keying materials to the APs When the STA hands oﬀ from the current AP to a tar- and STAs. During subsequent handoﬀ authentication process, get AP, it needs to authenticate with the target AP, and then the AP and the STA can authenticate each other using those associate with it[1] . The IEEE 802.11 basic speciﬁcation[1] de- keying materials without the participation of the AS, and es- ﬁned two authentication schemes named shared key authen- tablish a shared key using the Elliptic curve Diﬃe-Hellman tication and open system authentication in 1997. However, algorithm (ECDH)[12] . they are vulnerable to various attacks[2−4] . The IEEE 802.11f In the EBSST, since the AS is not involved in the handoﬀ work group and IETF seamoby work group deﬁned the con- process, the DOS attack aimed to it is avoided. Since the EB- text transfer protocol for handoﬀ authentication[5,6] . But it is SST scheme does not depend on the trust relationship among vulnerable to the domino eﬀect attack[7] . APs, the domino eﬀect attack is avoided. The security cost Currently, the IEEE 802.11r group is designing a Fast BSS of EBSST is more eﬃcient than FBSST scheme[8] and other transition scheme (FBSST)[8] to address handoﬀ authentica- public key based schemes, which will be explained in Section tion. However, the FBSST scheme still suﬀers from a variety V. Moreover, our scheme requires only two messages between of attacks. In Section II, we will show how DOS and domino two parties, while the FBSST scheme[8] requires 4 messages eﬀect attacks work in FBSST. and 3 parties. Therefore, the EBSST enjoys both eﬃciency Public key authentication schemes have been used in wire- and security beneﬁts. less networks[9,10] , which strongly rely on public-key certiﬁ- cate distribution, that is particularly costly in wireless envi- ronment. Ref.[11] designed a trust delegation based authenti- II. Issues in the FBSST Scheme cation scheme for wireless networks, in which the trust dele- The IEEE 802.11r WG deﬁned the FBSST protocol, which gation initialization process has to be re-established, when the aiming to reduce the handoﬀ delay when the STA roams mobile terminal roams from one trust delegation to another. among APs within the ESS domain. It mainly includes two Hence it doesn’t meet the requirement of handoﬀ authentica- parts: the domain initialization process and the fast base sta- ∗ Manuscript Received July 2008; Accepted Oct. 2010. This work is supported by the 863 Hi-Tech Research and Development Program of China (No.2007AA01Z433), Chinese 242 Plan (No.2009A99). 166 Chinese Journal of Electronics 2011 tion transition process. initial R0KH, the R1KH veriﬁes and decrypts the PMK-R1. The domain initialization process occurs when the STA only then, can the R1KH on the target AP verify message 1 roams into the 802.11r domain. During this process, the STA using the PMK-R1. Then the R1KH on the target AP sends and the network access server (usually the network access keying materials back to the STA to negotiate the PTK for server is the AP that the STA is currently attached to) es- association. Message 4 is signed by the PMK-R1 key. When tablish an 802.1X authentication process. After the 802.1X the STA gets this message, it veriﬁes it using PMK-R1. Then authentication process, the 802.11r key hierarchy is estab- the STA and the R1KH on the target AP generate PTK from lished. The R0KH on the network access server (we call it PMK-R1 and other keying materials exchanged between them initial R0KH) get the ﬁrst level key called PMK-R0 from the respectively. 802.1X authenticator. During the subsequent FBSST process, From above, we can see that the FBSST protocol is a this R0KH will generate the second level key called PMK-R1 Kerberos-like three-party authentication scheme. A little dif- and distribute it to the R1KHs on the target APs that the ference between the FBSST protocol and the 802.1X protocol STA wants to authenticate with. Note that there are two lev- is that the FBSST protocol uses the initial R0KH as the central els of key holders called R0KH and R1KH in the 802.11r key server during authentication process, while the 802.1X proto- hierarchy, which are deployed on all the APs in the 802.11r col usually uses an AAA server as the authentication server domain. However, only the R0KH on the AP that is involved during authentication. The main advantage of using the initial in the domain initialization process holds the PMK-R0 of the R0KH instead of the AAA server is that the Denial-of-Service STA. The 802.11r document also assumes that the channel be- attack aiming to the AAA server is avoided. However, there tween the R0KH and the R1KH provides conﬁdentiality and are still several issues with the FBSST protocol. integrity protection.) (1) The 802.11r document requires that the R0KHs need The fast base station transition process occurs after the to establish trust relationships with the R1KHs in the 802.11r domain initialization process. When the STA wants to asso- domain. Usually every AP in the domain is deployed with one ciate with a target AP in the 802.11r domain, it communicates R0KH and one R1KH. Assuming there are nap APs in the with the target AP using two sorts of mechanism called over- 802.11r domain, then the total security associations between the-air and over-the-ds transitions. As an example, this paper the R0KHs and the R1KHs will be n2 . So the deployment ap analyzes the security issues of security associations between R0KHs and R1KHs will be of the over-the-air transi- impossible when nap increases. tion. And the security is- (2) Denial-of-Service attack: In the FBSST scheme, only sues of the over-the-ds are when the target access point received message 3 from the ini- similar. There are four tial R0KH, can it verify message 1 and decide whether to deny messages in the over-the- the STA or not. Therefore, the attacker may create a lot of air transition (Fig.2), and illegal transition request messages, and sends it to the target they are described as fol- access point. Since the latter can not verify the message, it Fig. 2. Over-the-air transition has to communicate with the initial R0KH, and the initial lows. R0KH may need to verify and decrypt a lot of messages sent Message 1 The STA initializes the fast base station from the target AP. Hence the Denial-of-Service attack occurs. transition process by sending a transition request message to Note that the Denial-of-Service attack can not be completely the target AP directly (some keying materials and the STA’s avoided. Here we judge whether a scheme is vulnerable to DoS information are included in the message), which is protected attack based on the following principle: Once an AP is under by a signature algorithm such as AES-CMAC algorithm using Denial-of-Service attack from its area, it should not propagate the PMK-R1 key generated from PMK-R0 by itself. the attack to other APs or AS. Unfortunately, in the 802.11r Message 2 Upon receiving the request message, the tar- scheme, the Denial-of-Service attack will be propagated from get AP gets the identiﬁer of the initial R0KH and the PMK- the target AP to the initial R0KH. R0name from the message. Usually the initial R0KH is not (3) Domino eﬀect attack: the domino eﬀect attack here the R0KH on the target AP (instead the initial R0KH is the refers to the fact that compromise of one access point will R0KH on the network access server involved in the domain lead to compromise of another. Unfortunately, for the case of initialization process), and it can not verify message 1 for it 802.11r protocol, the domino eﬀect attack still works. Once does not have PMK-R1 of the STA. So the R1KH of the target the R0KH on an AP in the 802.11r domain is compromised, AP will have to communicate with the initial R0KH to get the the attacker can establish a successful authentication process PMK-R1. Note that the messages between the R1KH and the by setting the R0KH-ID in the request message to the com- R1KH are ﬁrstly encrypted by an algorithm such as AES, and promised AP. then signed by an algorithm such as AES-CMAC (this is for In general, the FBSST does not solve the domino eﬀect at- providing conﬁdentiality and integrity protection). tack issue, while it imports even more eﬃciency and security Message 3 When the initial R0KH receives the message issues. from R1KH, it veriﬁes the message and decrypts the informa- tion of the STA. Then the initial R0KH generates PMK-R1, and sends it back to the R1KH. This message is encrypted and III. Proposed EBSST Scheme signed too. As shown in Section II, symmetric key based handoﬀ au- Message 4 When getting the message back from the thentication schemes are vulnerable to a variety of attacks. So An Elliptic Curve Based Handoﬀ Authentication Protocol for WLAN 167 a public key based scheme is desirable to provide strong secu- Step 3 The AS computes the products N of all elements in rity properties. However, public key based schemes are costly, the set BSSPRI, and then computes GN = N G = (N mod n)G. partly due to the complex certiﬁcate distribution/veriﬁcation Step 4 The AS broadcasts GM to all the APs in the domain which is signed by the AS to provide integrity protection and mes- process and partly due to their long-bit modular exponentia- sage source authentication. To protect the replay attack, a times- tion operations. tamp can also be added to the message too. To reduce the certiﬁcate management cost, this paper de- Step 5 The AS sends ST AKEY IN G = {GN , r, M, Gr , T } to signes a novel public key distribution scheme. In our scheme, the STA under the protection of their PSA as shown in Fig.1. Since all the STAs in the domain share a public key, while every STA private secret is included in the STAKEYING message, the PSA hold a diﬀerent private key and base point. The AS broadcasts should provide conﬁdentiality and integrity protection. the shared public key to all the APs in the domain, and the Upon receiving the STAKEYING message from the AS, APs can authenticate the STAs using this public key. Hence the STA computes its private key as follows: ksta = the public-key distribution process is simpliﬁed, and the certiﬁ- (M/r) mod n. Therefore, according to Lemma 1, ksta , GM cate veriﬁcation process is avoided. To design a shared public constructs the public-private key pair of the AP with the base key scheme, the following lemma is used in our scheme. point Gr . Lemma 1 Giving an elliptic curve T , and two public- 2. Handoﬀ authentication private key pairs k1 , K1 and k2 , K2 with the same base The handoﬀ authentication process includes two simple point G, where k1 is a divisor of k2 , then k2 /k1 , K2 forms a messages: new public-private key pair with the base point K1 . Message 1 The STA sends message Q1 = {Gr , y1 }ksta Proof of Lemma 1: K2 = k2 G = k2 /k1 ∗ (k1 G) = K2 /k1 K1 to the target AP, in which y1 is the public key of the STA’s Our scheme includes three independent parts: EBSST ini- ECDH public-private key pair x1 , y1 , and Q1 is protected by tialization, handoﬀ authentication and optional big-number the STA’s private key ksta using an elliptic curve signature transporting mechanism. mechanism (e.g. signature mechanism deﬁned in Section IV 1. EBSST initialization of Ref.[12]). The AS initiates the EBSST by creating two sets of prime Message 2 Upon receiving message Q1 , the target AP numbers: set STAPRI and set BSSPRI. These two sets are veriﬁes Q1 using the public key GM it holds and the base used for storing secret of the APs and STAs, so the elements point Gr included in Q1 . Then the target AP sends message in the two sets should not be equal. The length of those prime Q2 = {Gj , y2 }kbss to the STA, in which y2 is the public key numbers will aﬀect the security strength of our scheme, which of the AP’s ECDH public-private key pair x2 , y2 , and Q2 is will be analyzed in Section IV. protected by the target AP’s private key kbss using an elliptic After creating the two sets, the AS creates an elliptic curve curve signature mechanism (e.g. signature mechanism deﬁned T = (p, a, b, G, n, h) over Fp using the technique deﬁned by in Section IV of Ref.[12]). SECG[12] . After getting the Q2 message, the STA veriﬁes Q2 using When an AP in the domain requests for EBSST support, the public key GN it holds and the base point Gj included in the AS initializes the APs as follows: Q2 . Then the target AP and the STA can generate a shared Step 1 The AS randomly generates a prime number j, adds key kptk respectively, using the ECDH key generating mecha- it to the set BSSPRI, computes Gj = jG = (j mod n)G (note that nG = O). nism deﬁned in Ref.[12]. Step 2 The AS computes the product M of all elements in However, there are two points to be indicated: Firstly, the the set STAPRI, and then computes GM = M G = (M mod n)G. EBSST scheme does not rely on the trust relationship with Step 3 The AS computes the products N of all elements in the current AP. So the STA can initiate the EBSST scheme the set BSSPRI, and then computes GN = N G = (N mod n)G. over the current AP or over air. Secondly, the receivers in the Step 4 The AS broadcasts GN to all the STAs in the domain handoﬀ authentication process should check that Gr and Gj which is signed by the AS to provide integrity protection and mes- in the messages should not be equal to the domain base point sage source authentication. To protect the replay attack, a times- tamp can also be added to the message too. G, the public keys GM and GN . The reason will be revealed in Section IV. Step 5 The AS sends BSSKEY IN G = {GM , j, N, Gj , T } to the AP under the protection of their PSA as shown in Fig.1. Since 3. Big-number transporting mechanism private secret is included in the BSSKEYING message, the PSA There are two big numbers to be stored and transported should provide conﬁdentiality and integrity protection. in the EBSST scheme (e.g. M and N ). If there are msta Upon receiving the BSSKEYING message from the AS, the elements in the STAPRI, and those elements are bsta bits in AP computes its private key as follows: kbss = (N/j) mod n. length, then M may be as long as (msta + 1)bsta bits. For Therefore, according to Lemma 1, kbss , GN constructs the some scenarios, the transport of such a big number may not public-private key pair of the AP with the base point Gj . be acceptable. To address this, M can be expressed as follows: The STA initialization process is similar to that of the AP log bsta M log (2bsta ) M M = (2bsta ) (2 ) + (M − (2bsta ) ) initialization process. When the STA requests for EBSST ser- vice, the AS initializes the STA as follows: Then, M can be transported by the two numbers: Step 1 The AS randomly generates a prime number r, adds log M it to the set STAPRI, and then computes Gr = rG = (r mod n)G. log (2bsta ) M with log msta bits and (M − (2bsta ) (2bsta ) ) 2 Step 2 The AS computes the product M of all elements in with bsta bits. the set STAPRI, and then computes GM = M G = (M mod n)G. The big number N can be stored and transported similarly. 168 Chinese Journal of Electronics 2011 IV. Security Analysis 3. Security strength analysis The EBSST uses public key cryptography to exchange the In this section, we shall analyze the authentication proper- symmetric key (kptk ), so we analyze its security strength re- ties of the EBSST, and possible attacks on it. Then, we shall ferring to RFC3766[13] . analyze the security strength of the EBSST scheme. Assuming kptk is a 128-bit AES key, moduli with about 1. Authentication properties 2100 bits will have about the same resistance against attack[13] . The basic authentication property is to conform or deny This indicates that factoring a 2100-bit integer, which is the an entity’s claimed identity. Proposition 1 shows EBSST has product of two big prime numbers, will need the same time the basic authentication property. as attacking a 128-bit symmetric key. So, the prime number Proposition 1 If the target AP can verify the Q1 mes- length for the element in the four sets can be set as short as sage successfully, then Gr is the legal identity of the STA as- 2100/2 ≈ 1024bits. Due to the use of elliptic curve based sig- signed by the AS. nature, the parameter p for the elliptic curve T can be set Proof Gr is computed by the AS using G and r, and as short as 193 bits, while the scheme still enjoys the same distributed only to the STA. So, the one claiming Gr belongs security level as that of 2100 moduli[13] . to it must prove that it holds r. In the EBSST scheme, the Q1 The EBSST scheme uses the ECDH algorithm for sym- message is signed by the STA using its private key ksta , and metric key negotiation, and the multiplier should be twice as the target AP veriﬁes it using the related public key Gr , GM . large as the symmetric key[13] . Hence, the length of x1 and x2 If the target AP can verify the Q1 message successfully, then which is usually a prime number, should be set as more than the STA must have the private key ksta . Since ksta is com- 128bits×2 = 256bits in length. puted from r, which is a secret of STA, and can not be factored from the big number M , the STA must have r. Proposition 1 follows. Note that the const number 1 is a divisor of M V. Eﬃciency Analysis too. Thus M mod n, GM forms the public-private key pair In this section, we shall analyze the handoﬀ authentica- with the base point G. So in Section III.2, we require that Gr tion eﬃciency of the EBSST scheme, and then compare it with transported in Q1 should not be equal to G. that of FBSST scheme[8] . For the case of symmetric key based Another authentication property is key agreement prop- schemes, the number of cpu cycles of encryption and decryp- erty. The EBSST uses the ECDH algorithm for negotiating tion mechanisms are the same on both the 32-bit cpu and the kptk , so it has the property of key agreement. 64-bit cpu. However, public key based schemes will strongly 2. Possible attacks on the EBSST rely on the cpu types. Usually, the number of cpu cycles on In this section, we consider three major types of threats the 32-bit processor is 16 times as that of 64-bit processors, to handoﬀ authentication in WLAN, namely, domino eﬀect when processing the same public key encryption/decryption attack, DOS attack and the man-in-the-middle attack. algorithm. This conclusion can be computed from RFC3776, The domino eﬀect attack here refers to the fact that com- where the number of cpu cycles of a 1024-bit modular expo- promise of one AP will lead to compromise of another. Propo- nentiation on a 64-bit processor is similar to that of 256-bit sition 2 shows that the EBSST is immune to the domino eﬀect modular exponentiation on a 32-bit processor, and the num- attack. ber of cpu cycles of 256-bit modular exponentiation on a 32-bit Proposition 2 In the EBSST scheme, if AP1 with processor is to that of 1024-bit modular exponentiation on a BSSKEY IN G1 = {GM , j1 , N, Gj1 , T } is compromised, then 32-bit processor. This paper mainly compares the security cost AP2 with BSSKEY IN G2 = {GM , j2 , N, Gj2 , T } can not be of the two schemes on the 64-bit processors. compromised using the keying material BSSKEY IN G1 . We analyze the security cost of EBSST during handoﬀ Proof To compromise AP2, the attacker must get j2 . using four factors: time of signing using the private key Since j1 and j2 are two randomly generated prime numbers, (cps ), time of veriﬁcation using the public key (cpv ), time the attacker can not compute j2 from j1 and other public key of key generating using ECDH algorithm (cpg ). On the 64- materials. Proposition 2 follows. bit processors, these three factors can be computed as follow: In the FBSST protocol, the R1KH on the target AP has to cps = cpv = cpg = 450, 000cpucycles/5 = 90, 000cpucycles[13] . consult the initial R0KH for PMK-R1, and it can only authen- So, the eﬃciency of EBSST described using the term cpu cycle ticate the STA after message 3 in Section II is received. The is shown in Table 1. signiﬁcant implication of this drawback is that DOS attack to Table 1. Cpu cycles of EBSST the initial R0KH is possible. In the EBSST scheme, since only STA cps + cpv + cpg 270,000 the target AP and the STA are involved in the handoﬀ au- Target AP cps + cpv + cpg 270,000 thentication process, the DOS attack will not be propagated Total 2cps + 2cpv + 2cpg 540,000 to other entities such as other APs or AS in the domain. The ECDH algorithm is used for key negotiation in EB- The eﬃciency of FBSST relies on the cipher suit. This pa- SST, which is vulnerable to the man-in-the-middle attack. per takes the AES-128 algorithm as an example, which is the However, in the EBSST, the ECDH messages are protected most popular algorithm today. Similar to the EBSST scheme, by the elliptic curve signature algorithm and only the autho- the security cost of FBSST[8] can be analyzed using three fac- rized AP (or STA) can generate a legal signature, so the man tors: time of key generating using HMAC-SHA1 algorithm in the middle can not tamper the ECDH messages. Hence, the (Csg ), time of encrypting one block using a 128-bit AES key man-in-the-middle attack on the EBSST is avoided. (Cse ), time of decrypting one block using a 128-bit AES key An Elliptic Curve Based Handoﬀ Authentication Protocol for WLAN 169 (Csd ). During handoﬀ, there are four keys to be generated [3] IEEE 802.11-00/362:2000, “Unsafe at any key size: an analysis (i.e. PMK-R1, PMK-R1name, PTK, PTKname). Referring of the WEP encapsulation”. to Refs.[14, 15], Csg = 32 + (2 + 2) × 1110 = 4472cpucycles, [4] N. Borisov, I. Goldberg and D. Wagner, “Intercepting Mobile Communications: The Insecurity of 802.11”, Proc. of IEEE Cse = 6168cpucycles and Csd = 10992cpucycles. The hand- MOBICOM, New York, USA, pp.180–189, 2001. oﬀ authentication process in FBSST includes four messages [5] IEEE 802.11f:2003, Recommended Practice for Multi-Vendor (Fig.2). The message length between the target AP and the Access Point Interoperability via an Inter-Access Point Proto- STA is ranged from 1280-bit to 4096-bit (see the deﬁnition col Across Distribution Systems Supporting IEEE 802.11 Oper- of the message integrity check ﬁeld in Ref.[8]), and the mes- ation. sage length between the target AP and the initial R0KH is [6] IETF RFC4067:2005, Context Transfer Protocol (CXTP). similar. So, as an average, we assume the message length in [7] IETF RFC4962:2007, Guidance for Authentication, Authoriza- tion, and Accounting (AAA) Key Management. the FBSST is 1280 + 4096bits/2 = 2688bits = 21AESblocks. [8] IEEE 802.11r:2008, Fast BSS Transition. Note that the channel between the target AP and the initial [9] L. Lamport, “Password authentication with insecure communi- R0KH provides integrity and conﬁdentiality protection[8] , so cation”, Commun. ACM, Vol.24, No.11, pp.770–772, 1981. the messages between the STA and the target AP are pro- [10] A. Evans et al., “A user authentication scheme not requiring se- tected using AES-CMAC algorithm, while the messages be- crecy in the computer”, Commun. ACM, Vol.17, No.8, pp.437– tween the target AP and the initial R0KH are protected by 442, 1974. [11] C. Tang, D.O. Wu, “An eﬃcient mobile authentication scheme both the AES-CMAC algorithm and AES encryption algo- for wireless networks”, IEEE Trans. Wireless Commun., Vol.7, rithm (i.e. the sender of the message encrypts the message No.4, pp.1408–1416, 2008. and then generates a message authentication code to the en- [12] SECG SEC1:2000, Elliptic Curve Cryptography. crypted message). So, the eﬃciency of FBSST described using [13] IETF RFC3766:2004, Determining Strengths for Public Keys the term cpu cycles is shown in Table 2. Used for Exchanging Symmetric Keys. [14] O. Elkeelany et al., “Performance analysis of IPSec protocol: Table 2. Cpu cycles of FBSST Encryption and authentication”, Proc. of IEEE Communica- STA 42Cse + 4Csg 276944 tions Conference, New York, USA, pp.1164–1168, 2002. Target AP 105Cse + 21Csd + 2Csg 887446 [15] C. Xenakis et al., “A generic characterization of the overheads Initial R0KH 63Cse + 21Csd + 2Csg 628360 imposed by IPsec and associated cryptographic algorithms”, Total 210Cse + 42Csd + 8Csg 1,792,750 The International Journal of Computer and Telecommunica- Table 1 and Table 2 show that the computation cost of tions Networking, Vol.50, No.17, pp.3225–3241, 2006. WAN Changsheng received B.S. EBSST scheme is around 30% as that of the FBSST scheme degree in applied physics from Univer- on the 64-bit processors. Note that the total computation cost sity of Science and Technology of China, of the EBSST on the 32-bit processor is 16 times as that of Hefei in 1999, and Ph.D. degree in physical 64-bit processors (i.e. 540, 000 × 16 = 8, 640, 000cpucucles), electronics from University of Science and and the computation cost of EBSST scheme is around 5 times Technology of China, in 2004. From July as that of the FBSST. This conclusion seems to contradict 2004 to Oct. 2005, he was with ZTE Cor- our traditional opinion, in which computation cost of public poration at Nanjing, as a senior engineer. From Nov. 2005 to Mar. 2007, he was with key based schemes is usually 103 times as that of symmetric Huawei Technologies Co. Ltd, Nanjing, as key based schemes. However, it is correct. The computation a staﬀ engineer. Since Apr. 2007, he has been with Southeast cost of FBSST is so high because the message length of the University, Nanjing as a teacher. His research interests are in the FBSST is very long, and, as a three-party protocol, there are areas of network security, wireless communication, IP and routing too many encryption/decryption operations. The computa- technology, and data mining. (Email: wanchangsheng@seu.edu.cn) tion cost of EBSST is low because the 64-bit processor greatly HU Aiqun received B.S. degree in signal processing from reduced the computation cost of modular exponentiation. Southeast University, Nanjing in 1987, and Ph.D. degree in signal processing from Southeast University, in 1992. Since July 1992, he has been with Southeast University, Nanjing, as a teacher. He VI. Conclusion was promoted as an associated professor in 1995, and a professor in In this paper, we have presented an eﬃcient handoﬀ au- 2000. Now, he is the leader of Information Security Laboratory in thentication and key agreement protocol for WLAN, and an- the School of Information Science and Technology, Southeast Uni- versity. Since 2001, he has been a member of the expert team of alyzed its security. After the initial key distribution, the STA information security subject for the Chinese 863 Plan. His research and the AP can authenticate each other and establish a shared interests are in the areas of network security, wireless communica- key without the participation of other APs or AS in the do- tion, and signal processing. main. This paper takes the WLAN environment as an example Zhang Juan received B.S. degree of wireless networks. However, the scheme can also be used in in international trade from Hubei Univer- other wireless networks. sity, Wuhan, in 1999, M.S. degree in in- ternational trade from Hubei University, Wuhan, in 2002, and Ph.D. degree in ac- References counting & auditing from Wuhan univer- [1] IEEE 802.11: 1997, Wireless LAN medium access control sity, in 2005. Since Sept. 2005, she has (MAC) and physical layer(PHY) speciﬁcation. been with Nanjing University, Nanjing, as a teacher. Her research interests are in the [2] W.A. Arbaugh, N. Shankar, Y.C. Justin, “Your 802.11 Wire- less network has No clothes”, Proc. of IEEE Wireless LANs areas of network security, accounting, au- diting, and data mining. and Home Networks, Singapore, pp.131–141, 2001.

DOCUMENT INFO

Shared By:

Categories:

Tags:

Stats:

views: | 7 |

posted: | 10/15/2011 |

language: | English |

pages: | 5 |

OTHER DOCS BY yaofenji

Docstoc is the premier online destination to start and grow small businesses. It hosts the best quality and widest selection of professional documents (over 20 million) and resources including expert videos, articles and productivity tools to make every small business better.

Search or Browse for any specific document or resource you need for your business. Or explore our curated resources for Starting a Business, Growing a Business or for Professional Development.

Feel free to Contact Us with any questions you might have.