An Elliptic Curve Based Handoff Authentication Protocol for WLAN

Document Sample
An Elliptic Curve Based Handoff Authentication Protocol for WLAN Powered By Docstoc
					Chinese Journal of Electronics
Vol.20, No.1, Jan. 2011

 An Elliptic Curve Based Handoff Authentication
               Protocol for WLAN∗
                               WAN Changsheng1 , HU Aiqun1 and ZHANG Juan2
                              (1.Radio Department, Southeast University, Nanjing 210096, China)
                            (2.Accounting Department, Nanjing University, Nanjing 210093, China)

    Abstract — This paper proposes a novel handoff au-               tion.
thentication protocol for WLAN. It uses an elliptic curve               To focus on handoff authentication and key agreement in
based mechanism to design an authentication and key                 WLAN, we first assume that the Authentication server (AS)
agreement protocol for handoff in the 802.11r domain, and
                                                                    in the Extended service set (ESS) has Pre-established security
it can effectively defend all known attacks to WLAN in-
cluding the denial-of-service attack and the domino effect           association (PSA) with APs and STAs respectively (Fig.1).
attack. Moreover, our scheme includes only two messages             Secondly, we assume the STA can associate with the candidate
between two parties, and requires few cpu cycles. There-            BSS after our scheme (using the same mechanism defined by
fore, during handoff authentication process, our scheme              FBSST[8] ).
enjoys both computation efficiency and communication ef-
ficiency as compared to the 802.11r authentication scheme.
   Key words — WLAN, Handoff authentication, Elliptic

                    I. Introduction                                                  Fig. 1. Trust model in WLAN
    Handoff among Access points (AP) is highly desirable                 The architecture of our scheme (we name it EBSST) is
to Stations (STA)[1] in WLAN, and secure low-latency hand-          summarized as follows: The AS initially generates and dis-
off authentication is challenging.                                   tributes some elliptic curve based keying materials to the APs
    When the STA hands off from the current AP to a tar-             and STAs. During subsequent handoff authentication process,
get AP, it needs to authenticate with the target AP, and then       the AP and the STA can authenticate each other using those
associate with it[1] . The IEEE 802.11 basic specification[1] de-    keying materials without the participation of the AS, and es-
fined two authentication schemes named shared key authen-            tablish a shared key using the Elliptic curve Diffie-Hellman
tication and open system authentication in 1997. However,           algorithm (ECDH)[12] .
they are vulnerable to various attacks[2−4] . The IEEE 802.11f          In the EBSST, since the AS is not involved in the handoff
work group and IETF seamoby work group defined the con-              process, the DOS attack aimed to it is avoided. Since the EB-
text transfer protocol for handoff authentication[5,6] . But it is   SST scheme does not depend on the trust relationship among
vulnerable to the domino effect attack[7] .                          APs, the domino effect attack is avoided. The security cost
    Currently, the IEEE 802.11r group is designing a Fast BSS       of EBSST is more efficient than FBSST scheme[8] and other
transition scheme (FBSST)[8] to address handoff authentica-          public key based schemes, which will be explained in Section
tion. However, the FBSST scheme still suffers from a variety         V. Moreover, our scheme requires only two messages between
of attacks. In Section II, we will show how DOS and domino          two parties, while the FBSST scheme[8] requires 4 messages
effect attacks work in FBSST.                                        and 3 parties. Therefore, the EBSST enjoys both efficiency
    Public key authentication schemes have been used in wire-       and security benefits.
less networks[9,10] , which strongly rely on public-key certifi-
cate distribution, that is particularly costly in wireless envi-
ronment. Ref.[11] designed a trust delegation based authenti-
                                                                           II. Issues in the FBSST Scheme
cation scheme for wireless networks, in which the trust dele-          The IEEE 802.11r WG defined the FBSST protocol, which
gation initialization process has to be re-established, when the    aiming to reduce the handoff delay when the STA roams
mobile terminal roams from one trust delegation to another.         among APs within the ESS domain. It mainly includes two
Hence it doesn’t meet the requirement of handoff authentica-         parts: the domain initialization process and the fast base sta-

    ∗ Manuscript Received July 2008; Accepted Oct. 2010. This work is supported by the 863 Hi-Tech Research and Development Program

of China (No.2007AA01Z433), Chinese 242 Plan (No.2009A99).
166                                            Chinese Journal of Electronics                                                2011

tion transition process.                                           initial R0KH, the R1KH verifies and decrypts the PMK-R1.
    The domain initialization process occurs when the STA          only then, can the R1KH on the target AP verify message 1
roams into the 802.11r domain. During this process, the STA        using the PMK-R1. Then the R1KH on the target AP sends
and the network access server (usually the network access          keying materials back to the STA to negotiate the PTK for
server is the AP that the STA is currently attached to) es-        association. Message 4 is signed by the PMK-R1 key. When
tablish an 802.1X authentication process. After the 802.1X         the STA gets this message, it verifies it using PMK-R1. Then
authentication process, the 802.11r key hierarchy is estab-        the STA and the R1KH on the target AP generate PTK from
lished. The R0KH on the network access server (we call it          PMK-R1 and other keying materials exchanged between them
initial R0KH) get the first level key called PMK-R0 from the        respectively.
802.1X authenticator. During the subsequent FBSST process,              From above, we can see that the FBSST protocol is a
this R0KH will generate the second level key called PMK-R1         Kerberos-like three-party authentication scheme. A little dif-
and distribute it to the R1KHs on the target APs that the          ference between the FBSST protocol and the 802.1X protocol
STA wants to authenticate with. Note that there are two lev-       is that the FBSST protocol uses the initial R0KH as the central
els of key holders called R0KH and R1KH in the 802.11r key         server during authentication process, while the 802.1X proto-
hierarchy, which are deployed on all the APs in the 802.11r        col usually uses an AAA server as the authentication server
domain. However, only the R0KH on the AP that is involved          during authentication. The main advantage of using the initial
in the domain initialization process holds the PMK-R0 of the       R0KH instead of the AAA server is that the Denial-of-Service
STA. The 802.11r document also assumes that the channel be-        attack aiming to the AAA server is avoided. However, there
tween the R0KH and the R1KH provides confidentiality and            are still several issues with the FBSST protocol.
integrity protection.)                                                  (1) The 802.11r document requires that the R0KHs need
    The fast base station transition process occurs after the      to establish trust relationships with the R1KHs in the 802.11r
domain initialization process. When the STA wants to asso-         domain. Usually every AP in the domain is deployed with one
ciate with a target AP in the 802.11r domain, it communicates      R0KH and one R1KH. Assuming there are nap APs in the
with the target AP using two sorts of mechanism called over-       802.11r domain, then the total security associations between
the-air and over-the-ds transitions. As an example, this paper     the R0KHs and the R1KHs will be n2 . So the deployment
analyzes the security issues                                       of security associations between R0KHs and R1KHs will be
of the over-the-air transi-                                        impossible when nap increases.
tion. And the security is-                                              (2) Denial-of-Service attack: In the FBSST scheme, only
sues of the over-the-ds are                                        when the target access point received message 3 from the ini-
similar. There are four                                            tial R0KH, can it verify message 1 and decide whether to deny
messages in the over-the-                                          the STA or not. Therefore, the attacker may create a lot of
air transition (Fig.2), and                                        illegal transition request messages, and sends it to the target
they are described as fol-                                         access point. Since the latter can not verify the message, it
                                 Fig. 2. Over-the-air transition   has to communicate with the initial R0KH, and the initial
                                                                   R0KH may need to verify and decrypt a lot of messages sent
    Message 1 The STA initializes the fast base station
                                                                   from the target AP. Hence the Denial-of-Service attack occurs.
transition process by sending a transition request message to
                                                                   Note that the Denial-of-Service attack can not be completely
the target AP directly (some keying materials and the STA’s
                                                                   avoided. Here we judge whether a scheme is vulnerable to DoS
information are included in the message), which is protected
                                                                   attack based on the following principle: Once an AP is under
by a signature algorithm such as AES-CMAC algorithm using
                                                                   Denial-of-Service attack from its area, it should not propagate
the PMK-R1 key generated from PMK-R0 by itself.
                                                                   the attack to other APs or AS. Unfortunately, in the 802.11r
    Message 2 Upon receiving the request message, the tar-
                                                                   scheme, the Denial-of-Service attack will be propagated from
get AP gets the identifier of the initial R0KH and the PMK-
                                                                   the target AP to the initial R0KH.
R0name from the message. Usually the initial R0KH is not
                                                                        (3) Domino effect attack: the domino effect attack here
the R0KH on the target AP (instead the initial R0KH is the
                                                                   refers to the fact that compromise of one access point will
R0KH on the network access server involved in the domain
                                                                   lead to compromise of another. Unfortunately, for the case of
initialization process), and it can not verify message 1 for it
                                                                   802.11r protocol, the domino effect attack still works. Once
does not have PMK-R1 of the STA. So the R1KH of the target
                                                                   the R0KH on an AP in the 802.11r domain is compromised,
AP will have to communicate with the initial R0KH to get the
                                                                   the attacker can establish a successful authentication process
PMK-R1. Note that the messages between the R1KH and the
                                                                   by setting the R0KH-ID in the request message to the com-
R1KH are firstly encrypted by an algorithm such as AES, and
                                                                   promised AP.
then signed by an algorithm such as AES-CMAC (this is for
                                                                        In general, the FBSST does not solve the domino effect at-
providing confidentiality and integrity protection).
                                                                   tack issue, while it imports even more efficiency and security
    Message 3 When the initial R0KH receives the message           issues.
from R1KH, it verifies the message and decrypts the informa-
tion of the STA. Then the initial R0KH generates PMK-R1,
and sends it back to the R1KH. This message is encrypted and                III. Proposed EBSST Scheme
signed too.                                                           As shown in Section II, symmetric key based handoff au-
    Message 4 When getting the message back from the               thentication schemes are vulnerable to a variety of attacks. So
                              An Elliptic Curve Based Handoff Authentication Protocol for WLAN                                                   167

a public key based scheme is desirable to provide strong secu-           Step 3 The AS computes the products N of all elements in
rity properties. However, public key based schemes are costly,       the set BSSPRI, and then computes GN = N G = (N mod n)G.
partly due to the complex certificate distribution/verification            Step 4 The AS broadcasts GM to all the APs in the domain
                                                                     which is signed by the AS to provide integrity protection and mes-
process and partly due to their long-bit modular exponentia-
                                                                     sage source authentication. To protect the replay attack, a times-
tion operations.                                                     tamp can also be added to the message too.
     To reduce the certificate management cost, this paper de-            Step 5 The AS sends ST AKEY IN G = {GN , r, M, Gr , T } to
signes a novel public key distribution scheme. In our scheme,        the STA under the protection of their PSA as shown in Fig.1. Since
all the STAs in the domain share a public key, while every STA       private secret is included in the STAKEYING message, the PSA
hold a different private key and base point. The AS broadcasts        should provide confidentiality and integrity protection.
the shared public key to all the APs in the domain, and the              Upon receiving the STAKEYING message from the AS,
APs can authenticate the STAs using this public key. Hence
                                                                     the STA computes its private key as follows: ksta =
the public-key distribution process is simplified, and the certifi-
                                                                     (M/r) mod n. Therefore, according to Lemma 1, ksta , GM
cate verification process is avoided. To design a shared public
                                                                     constructs the public-private key pair of the AP with the base
key scheme, the following lemma is used in our scheme.
                                                                     point Gr .
     Lemma 1 Giving an elliptic curve T , and two public-                2. Handoff authentication
private key pairs k1 , K1 and k2 , K2 with the same base
                                                                         The handoff authentication process includes two simple
point G, where k1 is a divisor of k2 , then k2 /k1 , K2 forms a
new public-private key pair with the base point K1 .
                                                                         Message 1 The STA sends message Q1 = {Gr , y1 }ksta
     Proof of Lemma 1: K2 = k2 G = k2 /k1 ∗ (k1 G) = K2 /k1 K1
                                                                     to the target AP, in which y1 is the public key of the STA’s
     Our scheme includes three independent parts: EBSST ini-         ECDH public-private key pair x1 , y1 , and Q1 is protected by
tialization, handoff authentication and optional big-number           the STA’s private key ksta using an elliptic curve signature
transporting mechanism.                                              mechanism (e.g. signature mechanism defined in Section IV
     1. EBSST initialization                                         of Ref.[12]).
     The AS initiates the EBSST by creating two sets of prime            Message 2 Upon receiving message Q1 , the target AP
numbers: set STAPRI and set BSSPRI. These two sets are               verifies Q1 using the public key GM it holds and the base
used for storing secret of the APs and STAs, so the elements         point Gr included in Q1 . Then the target AP sends message
in the two sets should not be equal. The length of those prime       Q2 = {Gj , y2 }kbss to the STA, in which y2 is the public key
numbers will affect the security strength of our scheme, which        of the AP’s ECDH public-private key pair x2 , y2 , and Q2 is
will be analyzed in Section IV.                                      protected by the target AP’s private key kbss using an elliptic
     After creating the two sets, the AS creates an elliptic curve   curve signature mechanism (e.g. signature mechanism defined
T = (p, a, b, G, n, h) over Fp using the technique defined by         in Section IV of Ref.[12]).
SECG[12] .                                                               After getting the Q2 message, the STA verifies Q2 using
     When an AP in the domain requests for EBSST support,            the public key GN it holds and the base point Gj included in
the AS initializes the APs as follows:                               Q2 . Then the target AP and the STA can generate a shared
     Step 1 The AS randomly generates a prime number j, adds
                                                                     key kptk respectively, using the ECDH key generating mecha-
it to the set BSSPRI, computes Gj = jG = (j mod n)G (note that
nG = O).
                                                                     nism defined in Ref.[12].
     Step 2 The AS computes the product M of all elements in             However, there are two points to be indicated: Firstly, the
the set STAPRI, and then computes GM = M G = (M mod n)G.             EBSST scheme does not rely on the trust relationship with
     Step 3 The AS computes the products N of all elements in        the current AP. So the STA can initiate the EBSST scheme
the set BSSPRI, and then computes GN = N G = (N mod n)G.             over the current AP or over air. Secondly, the receivers in the
     Step 4 The AS broadcasts GN to all the STAs in the domain       handoff authentication process should check that Gr and Gj
which is signed by the AS to provide integrity protection and mes-
                                                                     in the messages should not be equal to the domain base point
sage source authentication. To protect the replay attack, a times-
tamp can also be added to the message too.
                                                                     G, the public keys GM and GN . The reason will be revealed
                                                                     in Section IV.
    Step 5 The AS sends BSSKEY IN G = {GM , j, N, Gj , T } to
the AP under the protection of their PSA as shown in Fig.1. Since
                                                                         3. Big-number transporting mechanism
private secret is included in the BSSKEYING message, the PSA             There are two big numbers to be stored and transported
should provide confidentiality and integrity protection.              in the EBSST scheme (e.g. M and N ). If there are msta
    Upon receiving the BSSKEYING message from the AS, the            elements in the STAPRI, and those elements are bsta bits in
AP computes its private key as follows: kbss = (N/j) mod n.          length, then M may be as long as (msta + 1)bsta bits. For
Therefore, according to Lemma 1, kbss , GN constructs the            some scenarios, the transport of such a big number may not
public-private key pair of the AP with the base point Gj .           be acceptable. To address this, M can be expressed as follows:
    The STA initialization process is similar to that of the AP                         log bsta M                     log
                                                                                                                             (2bsta )
                                                                         M = (2bsta )      (2   )    + (M − (2bsta )                        )
initialization process. When the STA requests for EBSST ser-
vice, the AS initializes the STA as follows:
                                                                         Then, M can be transported by the two numbers:
     Step 1 The AS randomly generates a prime number r, adds                                                             log      M
it to the set STAPRI, and then computes Gr = rG = (r mod n)G.         log (2bsta ) M with log msta bits and (M − (2bsta ) (2bsta ) )
     Step 2 The AS computes the product M of all elements in         with bsta bits.
the set STAPRI, and then computes GM = M G = (M mod n)G.                 The big number N can be stored and transported similarly.
168                                            Chinese Journal of Electronics                                                    2011

                IV. Security Analysis                                   3. Security strength analysis
                                                                        The EBSST uses public key cryptography to exchange the
     In this section, we shall analyze the authentication proper-
                                                                    symmetric key (kptk ), so we analyze its security strength re-
ties of the EBSST, and possible attacks on it. Then, we shall
                                                                    ferring to RFC3766[13] .
analyze the security strength of the EBSST scheme.
                                                                        Assuming kptk is a 128-bit AES key, moduli with about
     1. Authentication properties
                                                                    2100 bits will have about the same resistance against attack[13] .
     The basic authentication property is to conform or deny
                                                                    This indicates that factoring a 2100-bit integer, which is the
an entity’s claimed identity. Proposition 1 shows EBSST has
                                                                    product of two big prime numbers, will need the same time
the basic authentication property.
                                                                    as attacking a 128-bit symmetric key. So, the prime number
     Proposition 1 If the target AP can verify the Q1 mes-
                                                                    length for the element in the four sets can be set as short as
sage successfully, then Gr is the legal identity of the STA as-
                                                                    2100/2 ≈ 1024bits. Due to the use of elliptic curve based sig-
signed by the AS.
                                                                    nature, the parameter p for the elliptic curve T can be set
     Proof Gr is computed by the AS using G and r, and
                                                                    as short as 193 bits, while the scheme still enjoys the same
distributed only to the STA. So, the one claiming Gr belongs
                                                                    security level as that of 2100 moduli[13] .
to it must prove that it holds r. In the EBSST scheme, the Q1
                                                                        The EBSST scheme uses the ECDH algorithm for sym-
message is signed by the STA using its private key ksta , and
                                                                    metric key negotiation, and the multiplier should be twice as
the target AP verifies it using the related public key Gr , GM .
                                                                    large as the symmetric key[13] . Hence, the length of x1 and x2
If the target AP can verify the Q1 message successfully, then
                                                                    which is usually a prime number, should be set as more than
the STA must have the private key ksta . Since ksta is com-
                                                                    128bits×2 = 256bits in length.
puted from r, which is a secret of STA, and can not be factored
from the big number M , the STA must have r. Proposition
1 follows. Note that the const number 1 is a divisor of M                          V. Efficiency Analysis
too. Thus M mod n, GM forms the public-private key pair                 In this section, we shall analyze the handoff authentica-
with the base point G. So in Section III.2, we require that Gr      tion efficiency of the EBSST scheme, and then compare it with
transported in Q1 should not be equal to G.                         that of FBSST scheme[8] . For the case of symmetric key based
     Another authentication property is key agreement prop-         schemes, the number of cpu cycles of encryption and decryp-
erty. The EBSST uses the ECDH algorithm for negotiating             tion mechanisms are the same on both the 32-bit cpu and
the kptk , so it has the property of key agreement.                 64-bit cpu. However, public key based schemes will strongly
     2. Possible attacks on the EBSST                               rely on the cpu types. Usually, the number of cpu cycles on
     In this section, we consider three major types of threats      the 32-bit processor is 16 times as that of 64-bit processors,
to handoff authentication in WLAN, namely, domino effect              when processing the same public key encryption/decryption
attack, DOS attack and the man-in-the-middle attack.                algorithm. This conclusion can be computed from RFC3776,
     The domino effect attack here refers to the fact that com-      where the number of cpu cycles of a 1024-bit modular expo-
promise of one AP will lead to compromise of another. Propo-        nentiation on a 64-bit processor is similar to that of 256-bit
sition 2 shows that the EBSST is immune to the domino effect         modular exponentiation on a 32-bit processor, and the num-
attack.                                                             ber of cpu cycles of 256-bit modular exponentiation on a 32-bit
     Proposition 2 In the EBSST scheme, if AP1 with                 processor is to that of 1024-bit modular exponentiation on a
BSSKEY IN G1 = {GM , j1 , N, Gj1 , T } is compromised, then         32-bit processor. This paper mainly compares the security cost
AP2 with BSSKEY IN G2 = {GM , j2 , N, Gj2 , T } can not be          of the two schemes on the 64-bit processors.
compromised using the keying material BSSKEY IN G1 .                    We analyze the security cost of EBSST during handoff
     Proof To compromise AP2, the attacker must get j2 .            using four factors: time of signing using the private key
Since j1 and j2 are two randomly generated prime numbers,           (cps ), time of verification using the public key (cpv ), time
the attacker can not compute j2 from j1 and other public key        of key generating using ECDH algorithm (cpg ). On the 64-
materials. Proposition 2 follows.                                   bit processors, these three factors can be computed as follow:
     In the FBSST protocol, the R1KH on the target AP has to        cps = cpv = cpg = 450, 000cpucycles/5 = 90, 000cpucycles[13] .
consult the initial R0KH for PMK-R1, and it can only authen-        So, the efficiency of EBSST described using the term cpu cycle
ticate the STA after message 3 in Section II is received. The       is shown in Table 1.
significant implication of this drawback is that DOS attack to
                                                                                    Table 1. Cpu cycles of EBSST
the initial R0KH is possible. In the EBSST scheme, since only
                                                                                   STA        cps + cpv + cpg  270,000
the target AP and the STA are involved in the handoff au-                        Target AP     cps + cpv + cpg  270,000
thentication process, the DOS attack will not be propagated                       Total     2cps + 2cpv + 2cpg 540,000
to other entities such as other APs or AS in the domain.
     The ECDH algorithm is used for key negotiation in EB-              The efficiency of FBSST relies on the cipher suit. This pa-
SST, which is vulnerable to the man-in-the-middle attack.           per takes the AES-128 algorithm as an example, which is the
However, in the EBSST, the ECDH messages are protected              most popular algorithm today. Similar to the EBSST scheme,
by the elliptic curve signature algorithm and only the autho-       the security cost of FBSST[8] can be analyzed using three fac-
rized AP (or STA) can generate a legal signature, so the man        tors: time of key generating using HMAC-SHA1 algorithm
in the middle can not tamper the ECDH messages. Hence, the          (Csg ), time of encrypting one block using a 128-bit AES key
man-in-the-middle attack on the EBSST is avoided.                   (Cse ), time of decrypting one block using a 128-bit AES key
                             An Elliptic Curve Based Handoff Authentication Protocol for WLAN                                         169

(Csd ). During handoff, there are four keys to be generated           [3] IEEE 802.11-00/362:2000, “Unsafe at any key size: an analysis
(i.e. PMK-R1, PMK-R1name, PTK, PTKname). Referring                       of the WEP encapsulation”.
to Refs.[14, 15], Csg = 32 + (2 + 2) × 1110 = 4472cpucycles,         [4] N. Borisov, I. Goldberg and D. Wagner, “Intercepting Mobile
                                                                         Communications: The Insecurity of 802.11”, Proc. of IEEE
Cse = 6168cpucycles and Csd = 10992cpucycles. The hand-
                                                                         MOBICOM, New York, USA, pp.180–189, 2001.
off authentication process in FBSST includes four messages            [5] IEEE 802.11f:2003, Recommended Practice for Multi-Vendor
(Fig.2). The message length between the target AP and the                Access Point Interoperability via an Inter-Access Point Proto-
STA is ranged from 1280-bit to 4096-bit (see the definition               col Across Distribution Systems Supporting IEEE 802.11 Oper-
of the message integrity check field in Ref.[8]), and the mes-            ation.
sage length between the target AP and the initial R0KH is            [6] IETF RFC4067:2005, Context Transfer Protocol (CXTP).
similar. So, as an average, we assume the message length in          [7] IETF RFC4962:2007, Guidance for Authentication, Authoriza-
                                                                         tion, and Accounting (AAA) Key Management.
the FBSST is 1280 + 4096bits/2 = 2688bits = 21AESblocks.
                                                                     [8] IEEE 802.11r:2008, Fast BSS Transition.
Note that the channel between the target AP and the initial          [9] L. Lamport, “Password authentication with insecure communi-
R0KH provides integrity and confidentiality protection[8] , so            cation”, Commun. ACM, Vol.24, No.11, pp.770–772, 1981.
the messages between the STA and the target AP are pro-            [10] A. Evans et al., “A user authentication scheme not requiring se-
tected using AES-CMAC algorithm, while the messages be-                  crecy in the computer”, Commun. ACM, Vol.17, No.8, pp.437–
tween the target AP and the initial R0KH are protected by                442, 1974.
                                                                   [11] C. Tang, D.O. Wu, “An efficient mobile authentication scheme
both the AES-CMAC algorithm and AES encryption algo-
                                                                         for wireless networks”, IEEE Trans. Wireless Commun., Vol.7,
rithm (i.e. the sender of the message encrypts the message               No.4, pp.1408–1416, 2008.
and then generates a message authentication code to the en-        [12] SECG SEC1:2000, Elliptic Curve Cryptography.
crypted message). So, the efficiency of FBSST described using        [13] IETF RFC3766:2004, Determining Strengths for Public Keys
the term cpu cycles is shown in Table 2.                                 Used for Exchanging Symmetric Keys.
                                                                   [14] O. Elkeelany et al., “Performance analysis of IPSec protocol:
               Table   2. Cpu cycles of FBSST
                                                                         Encryption and authentication”, Proc. of IEEE Communica-
           STA              42Cse + 4Csg      276944
                                                                         tions Conference, New York, USA, pp.1164–1168, 2002.
       Target AP       105Cse + 21Csd + 2Csg  887446               [15] C. Xenakis et al., “A generic characterization of the overheads
      Initial R0KH      63Cse + 21Csd + 2Csg  628360                     imposed by IPsec and associated cryptographic algorithms”,
           Total       210Cse + 42Csd + 8Csg 1,792,750                   The International Journal of Computer and Telecommunica-
    Table 1 and Table 2 show that the computation cost of                tions Networking, Vol.50, No.17, pp.3225–3241, 2006.
                                                                                                  WAN Changsheng           received B.S.
EBSST scheme is around 30% as that of the FBSST scheme
                                                                                              degree in applied physics from Univer-
on the 64-bit processors. Note that the total computation cost                                sity of Science and Technology of China,
of the EBSST on the 32-bit processor is 16 times as that of                                   Hefei in 1999, and Ph.D. degree in physical
64-bit processors (i.e. 540, 000 × 16 = 8, 640, 000cpucucles),                                electronics from University of Science and
and the computation cost of EBSST scheme is around 5 times                                    Technology of China, in 2004. From July
as that of the FBSST. This conclusion seems to contradict                                     2004 to Oct. 2005, he was with ZTE Cor-
our traditional opinion, in which computation cost of public                                  poration at Nanjing, as a senior engineer.
                                                                                              From Nov. 2005 to Mar. 2007, he was with
key based schemes is usually 103 times as that of symmetric
                                                                                              Huawei Technologies Co. Ltd, Nanjing, as
key based schemes. However, it is correct. The computation          a staff engineer. Since Apr. 2007, he has been with Southeast
cost of FBSST is so high because the message length of the          University, Nanjing as a teacher. His research interests are in the
FBSST is very long, and, as a three-party protocol, there are       areas of network security, wireless communication, IP and routing
too many encryption/decryption operations. The computa-             technology, and data mining. (Email:
tion cost of EBSST is low because the 64-bit processor greatly         HU Aiqun         received B.S. degree in signal processing from
reduced the computation cost of modular exponentiation.            Southeast University, Nanjing in 1987, and Ph.D. degree in signal
                                                                   processing from Southeast University, in 1992. Since July 1992,
                                                                   he has been with Southeast University, Nanjing, as a teacher. He
                    VI. Conclusion                                 was promoted as an associated professor in 1995, and a professor in
    In this paper, we have presented an efficient handoff au-         2000. Now, he is the leader of Information Security Laboratory in
thentication and key agreement protocol for WLAN, and an-          the School of Information Science and Technology, Southeast Uni-
                                                                   versity. Since 2001, he has been a member of the expert team of
alyzed its security. After the initial key distribution, the STA
                                                                   information security subject for the Chinese 863 Plan. His research
and the AP can authenticate each other and establish a shared      interests are in the areas of network security, wireless communica-
key without the participation of other APs or AS in the do-        tion, and signal processing.
main. This paper takes the WLAN environment as an example                                         Zhang Juan       received B.S. degree
of wireless networks. However, the scheme can also be used in                                in international trade from Hubei Univer-
other wireless networks.                                                                     sity, Wuhan, in 1999, M.S. degree in in-
                                                                                             ternational trade from Hubei University,
                                                                                             Wuhan, in 2002, and Ph.D. degree in ac-
                          References                                                         counting & auditing from Wuhan univer-
[1] IEEE 802.11: 1997, Wireless LAN medium access control                                    sity, in 2005. Since Sept. 2005, she has
    (MAC) and physical layer(PHY) specification.                                              been with Nanjing University, Nanjing, as
                                                                                             a teacher. Her research interests are in the
[2] W.A. Arbaugh, N. Shankar, Y.C. Justin, “Your 802.11 Wire-
    less network has No clothes”, Proc. of IEEE Wireless LANs                                areas of network security, accounting, au-
                                                                   diting, and data mining.
    and Home Networks, Singapore, pp.131–141, 2001.

Shared By: