
2009 International Conference on Computational Intelligence and Security

Performance of Authentication Protocols in LTE Environments


Lianfen Huang*, Ying Huang, Zhibin Gao
Dept. of Communication Engineering, Xiamen University, Xiamen, China
lfhuang@xmu.edu.cn*

Jianan Lin, Xueyuan Jiang
Dept. of Electronic Engineering, Xiamen University, Xiamen, China

Abstract: Long-Term Evolution (LTE) is the next-generation network beyond 3G. Authentication service is one of the most essential services in LTE networks, and it has significant effects on Internet security. In this paper, we survey and compare three authentication protocols: Password Authentication Protocol, Lightweight Extensible Authentication Protocol, and Extensible Authentication Protocol-Transport Layer Security. We present our implementation approach for the LTE testbed. From the experimental results, we conclude that PAP and LEAP are not sufficiently secure due to their vulnerability to dictionary attacks, while EAP-TLS can provide robust security if the network users are not very concerned with the overhead. Our proposed LTE testbed is meaningful and can be used to test the efficiency of other protocols.

Keywords: PAP; LEAP; EAP-TLS; LTE; Diameter

I. INTRODUCTION

The recent increase in mobile data usage and the emergence of new applications such as MMOG (Multimedia Online Gaming), mobile TV, Web 2.0 and streaming content have motivated the 3rd Generation Partnership Project (3GPP) to work on the Long-Term Evolution (LTE), which is the next-generation network beyond 3G. In addition to enabling migration from fixed to mobile for Internet applications such as Voice over IP (VoIP), video streaming and mobile TV, LTE networks will also support an explosion in demand for connectivity from new-generation consumer devices tailored to those new mobile applications. The LTE system architecture evolved from 3GPP. It integrates the NodeB, RNC and CN of the WCDMA and TD-SCDMA architectures. The system architecture is simplified and contains only two network elements, the eNodeB and the EPC. The eNodeB is a merger of NodeB and RNC, and the EPC (Evolved Packet Core) is the all-IP mobile core network for 3GPP LTE. The EPC embodies three logical entities: MME (Mobility Management Entity), S-GW (Serving Gateway) and P-GW (PDN Gateway). The P-GW is the termination point towards PDNs and implements policy enforcement, charging support and DHCPv4 or DHCPv6 functions. In the LTE EPC architecture, the P-GW is located at the edge of the core network, and subscribers contact external IP networks via the P-GW. It implements the AAA (authentication, authorization and accounting) services and serves as one of the extended applications based on the Diameter/RADIUS protocol, named NASREQ.

Authentication service is one of the most essential services in LTE networks, and it has significant effects on Internet security. In this paper, we study and evaluate the performance of some typical authentication protocols, namely PAP, LEAP and EAP-TLS. Based on measurements in an LTE network simulation, we make a performance comparison among these protocols. The rest of this paper is organized as follows. In section 2, we present some background information on authentication protocols. Section 3 describes the experimental setup, including system configuration and protocol stack. In sections 4 and 5, we show the experimental results and analyze the performance. Finally, the conclusion is presented in section 6.

978-0-7695-3931-7/09 $26.00 2009 IEEE DOI 10.1109/CIS.2009.50

II. PRELIMINARIES

In this section, we present some background information on authentication protocols.

A. Diameter Protocol

The Diameter protocol [1] was derived from the RADIUS protocol with many improvements in different aspects, and is generally considered to be the next-generation Authentication, Authorization, and Accounting (AAA) protocol. The Diameter protocol has been widely used in the IMS architecture for IMS entities to exchange AAA-related information. Because the IMS system might be the next important issue in the telecom industry, we believe that a clear understanding of the Diameter protocol is necessary for understanding the essence of the IMS architecture. The Diameter base protocol is extended for each particular application; the Diameter Network Access Server Application (NASREQ) [4] extends it to support the NASREQ function. In this case, the Diameter client is also called the network access server (NAS). It is expected that Diameter will become more and more important. Opendiameter is a project to implement Diameter for the open-source community.

B. PAP

The Password Authentication Protocol (PAP) is a Link Control Protocol in the PPP suite, which is a simple method for the peer to establish its identity using a 2-way handshake. This is done only upon the establishment of the initial link. After the Link Establishment phase is complete, an Id/Password pair is repeatedly sent by the peer to the authenticator until authentication is acknowledged or the connection is terminated. PAP is not a robust authentication method, because the passwords are sent over the circuit in text format, and there is no protection from sniffing, playback or repeated trial-and-error attacks. Figure 1 shows the message flow of PAP.

Figure 1. Message Flow for PAP.

C. LEAP

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco-proprietary version of EAP, used in wireless networks and point-to-point connections. LEAP is designed to provide more secure authentication for 802.11 WLANs (wireless local area networks) that support 802.1X port access control. LEAP uses dynamic Wired Equivalent Privacy (WEP) keys that change with more frequent authentications between the client and the authentication server. Because of this frequency, WEP keys are less likely to be cracked, and less long-lived if cracked. Figure 2 shows the message flow of LEAP.

D. EAP-TLS

EAP is the PPP Extensible Authentication Protocol. The Point-to-Point Protocol (PPP) provides a standard method for transporting multi-protocol datagrams over point-to-point links. EAP is a general protocol for PPP authentication which supports multiple authentication mechanisms. It is a PPP extension that can provide support for additional authentication methods within PPP. It does not select a specific authentication mechanism at the link control phase, but postpones this choice until the authentication phase. This allows the authenticator to request more information before determining the specific authentication mechanism. The TLS protocol provides privacy and data integrity between two communicating applications. The protocol is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. The TLS Handshake Protocol provides connection security, and allows the server and client to authenticate each other and negotiate an encryption algorithm and cryptographic keys before the application protocol transmits or starts to receive data. EAP types include Identity, MD5-challenge, EAP-SIM, EAP-TLS, EAP-TTLS, EAP-SRP, etc. EAP-TLS [3] is a certificate-based authentication mechanism, which supports mutual authentication between server and client and the negotiation of cryptographic algorithms. EAP-TLS has a higher degree of security and requires the use of certificates on both the client and the server side. Figure 3 shows the message flow of EAP-TLS.

Figure 2. Message Flow for LEAP.

Figure 3. Message Flow for EAP-TLS.
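The three flows described in sections II.B to II.D, and the dictionary and replay findings analysed in section V.B, as a toy model added here (not the authors' testbed code): HMAC-SHA256 over a server challenge stands in for LEAP's MS-CHAP response, a shared full-entropy key stands in for the EAP-TLS certificate key pair, and the password and wordlist are constructed values. It runs one valid session, then replays the captured response and checks whether the captured transcript lets a wordlist be tested offline.

```python
import hashlib
import hmac
import secrets

PASSWORD = "winter2009"  # constructed sample credential, not from the paper's testbed
WORDLIST = ["password", "letmein", "winter2009", "xiamen"]  # constructed wordlist
CLIENT_CERT_KEY = secrets.token_bytes(32)  # stands in for the client certificate's key pair

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def pwd_key(password: str) -> bytes:
    """LEAP-like: the per-user key is derived from nothing but the password."""
    return hashlib.sha256(password.encode()).digest()

# name -> (client's response to a challenge, how an eavesdropper tests one password guess)
MODELS = {
    "PAP": (lambda chal: PASSWORD.encode(),               # Id/Password sent in the clear
            lambda guess, chal: guess.encode()),
    "LEAP": (lambda chal: mac(pwd_key(PASSWORD), chal),   # keyed by a password-derived key
             lambda guess, chal: mac(pwd_key(guess), chal)),
    "EAP-TLS": (lambda chal: mac(CLIENT_CERT_KEY, chal),  # full-entropy key, nothing to guess
                lambda guess, chal: None),
}

class Authenticator:
    """Server side: PAP issues no challenge (2-way handshake); the others issue a fresh one."""
    def __init__(self, name: str):
        self.name, self.issued, self.expected = name, set(), MODELS[name][0]

    def challenge(self) -> bytes:
        chal = b"" if self.name == "PAP" else secrets.token_bytes(16)
        self.issued.add(chal)
        return chal

    def verify(self, chal: bytes, resp: bytes) -> bool:
        if chal not in self.issued:
            return False
        self.issued.discard(chal)  # single-use; PAP's empty challenge is re-issued every time
        return hmac.compare_digest(resp, self.expected(chal))

def evaluate(name: str) -> dict:
    """Valid session by UE A, then UE B replays it and checks the wordlist offline (Fig. 6, 7)."""
    server, (client, guess_resp) = Authenticator(name), MODELS[name]
    chal = server.challenge()
    resp = client(chal)
    valid = server.verify(chal, resp)
    replayed = server.verify(server.challenge(), resp)  # UE B resubmits UE A's captured response
    guessable = any(guess_resp(g, chal) == resp for g in WORDLIST)
    return {"valid_user_ok": valid, "replay_accepted": replayed, "offline_guessable": guessable}
```

`evaluate("PAP")` reports the replay accepted and the password recoverable from the transcript; LEAP rejects the replay but the captured challenge/response pair still lets guesses be checked offline; EAP-TLS shows neither weakness.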

III. TESTBED IMPLEMENTATION SETUP

In this section, we present details of our testbed, including hardware equipment and software configurations. Our platform is a miniature LTE EPC, on which we carry out a variety of experiments designed to address the performance of security protocols. Figure 4 shows the architecture of our testbed.

Figure 4. Architecture of LTE EPC testbed.

The entities MME and P-GW are both simulated under Windows OS. The software environment requires opendiameter, ACE, openssl, etc. Opendiameter [5] is open-source software for the Diameter protocol and related protocols. The TLS protocol, together with the encryption and decryption algorithms in OpenSSL, is the basis for establishing the certificate authentication mechanisms.

A. MME

The Mobility Management Entity (MME) is the main signaling node in the EPC, responsible for paging initialization and authentication of the mobile device. It also keeps location information at the Tracking Area level for each user and is involved in choosing the right gateway during the initial registration process. The MME connects to eNodeBs through the S1-MME interface and to the S-GW through the S11 interface.

B. S-GW

The Serving Gateway (S-GW) is the main packet routing and forwarding node in the EPC. It also plays the role of a mobility anchor in inter-eNodeB and inter-RAT handovers. Charging (based on Quality of Service, for example) and packet marking are other functions within this node. The S-GW connects to the MME via the S11 interface and to the eNodeB via the S1-U interface. The interface between the S-GW and P-GW is S5/S8. The S-GW logical entity is simulated under Linux OS using NS-2 in cygwin.

C. P-GW

The Packet Data Network Gateway (P-GW) enforces the network AAA (authentication, authorization and accounting) function. It provides the UE with network access and enforces the policy and charging function, IP address allocation, DHCP function, etc. The authentication function of the P-GW is our focus in this paper.

D. Clients and Server

The Diameter server authenticates the UE and is simulated under Linux OS based on opendiameter and openssl. UE A and B are both simulated under Windows OS to provide a better user interface and ease of operation. The UE and the network elements (MME, S-GW, P-GW) communicate with each other over sockets. UE A and B send authentication requests and act as the control platforms of the simulation process. For example, they can issue the simulation instructions that control the process and obtain the simulation results. UE A is valid, whereas UE B is invalid (an attacker). It intercepts the packets between the P-GW and the Diameter server, and then carries out dictionary attacks and replay attacks in an attempt to impersonate UE A and gain authentication.

IV. EXPERIMENTAL RESULTS

In this section, we present the experimental results obtained for the aforementioned authentication protocols. We provide experimental data on authentication time, authentication messages and authentication success ratio.

A. Authentication Time

Figure 5 shows the average authentication time (AT, in seconds) for the three protocols.

Figure 5. Authentication Time.

B. Authentication Messages

Table I shows the number of authentication messages (AM) for the three protocols. It helps us understand why the authentication time for a particular protocol is higher than for the others.

TABLE I. AUTHENTICATION MESSAGES

Protocol    Authentication Messages
PAP         9
LEAP        17
EAP-TLS     21

C. Authentication Success Ratio

Figure 6 and Figure 7 show how the authentication success ratio of valid users drops under dictionary attacks or replay attacks.

Figure 6. Dictionary Attack.

Figure 7. Replay Attack.

V. PERFORMANCE ANALYSIS

In this section, we analyze different aspects of the experimental results obtained.

A. Comparative Study of Authentication Time

Figure 5 shows that the authentication time for PAP is the shortest. This is because PAP is a very simple protocol in which the peer establishes its identity using a 2-way handshake. Figure 5 also shows that the EAP-TLS authentication time is longer than that of LEAP, because EAP-TLS uses digital certificates for mutual authentication, which involves the exchange of several control packets.

B. Comparative Study of Security

As we can see from Figure 6, both PAP and LEAP are vulnerable to dictionary attacks. As shown in Figure 7, only PAP is vulnerable to replay attacks. Figures 6 and 7 show that EAP-TLS is robust to both dictionary attacks and replay attacks. Therefore, PAP is not a robust authentication method, because the passwords are sent over the circuit "in the clear", and there is no protection from playback or dictionary attacks. Although LEAP supports mutual authentication and session key derivation, it has some flaws. Because an eavesdropper can easily sniff the challenge-response pair sent between the client and the AS during the MS-CHAP authentication, LEAP is vulnerable to dictionary attacks. The security performance of EAP-TLS is the best among the three protocols; it is robust to most attacks, including dictionary attacks and replay attacks. That is the reason it is trusted by many network security vendors. Although EAP-TLS provides excellent security, the overhead of certificates may be its Achilles' heel.

VI. CONCLUSION

In this paper, we survey and compare three authentication protocols: PAP, LEAP and EAP-TLS. We introduce the methods used to implement the LTE testbed. From the experimental results and analysis, we can conclude that PAP and LEAP are not sufficiently secure due to their vulnerability to dictionary attacks. EAP-TLS can provide reliable security performance; however, its overhead should be considered. The experimental results show that we have successfully implemented the LTE testbed, which can be used to test many other protocols in the future.

ACKNOWLEDGMENT

The authors would like to thank the International Cooperation Project of Tsinghua University and Xiamen University from Comba Inc for their continued financial support.

REFERENCES

[1] P. Calhoun, J. Loughney, E. Guttman, G. Zorn, and J. Arkko, "Diameter Base Protocol," IETF RFC 3588, Sept. 2003.
[2] L. Blunk and J. Vollbrecht, "PPP Extensible Authentication Protocol (EAP)," IETF RFC 2284, March.
[3] B. Aboba and D. Simon, "PPP EAP TLS Authentication Protocol," IETF RFC 2716, Oct. 1999.
[4] P. Calhoun, G. Zorn, D. Spence, et al., "Diameter Network Access Server Application," IETF RFC 4005, 2005.
[5] OpenDiameter, http://www.opendiameter.org.
[6] J.-C. Chen and Y.-P. Wang, "Extensible Authentication Protocol (EAP) and IEEE 802.1x: Tutorial and Empirical Experience," IEEE Radio Communications, suppl., pp. 26-32, Dec. 2005.
[7] K. Baek, S. W. Smith, and D. Kotz, "A survey of WPA and 802.11i RSN authentication protocols," Dartmouth College Computer Science, Tech. Rep. TR2004-524, Nov. 2004.
[8] A. K. Agarwal and W. Wang, "Measuring performance impact of security protocols in wireless local area networks," International Conference on Broadband Networks, Broadband Wireless Networking Symposium, Oct. 2005.
[9] Cisco, "Dictionary Attack on Cisco LEAP," Tech Note, http://www.cisco.com/warp/public/707/cisco-sn-20030802-leap.shtml, Aug. 2003.
[10] C. Macnally, "Cisco LEAP protocol description," http://www.missl.cs.umd.edu/wireless/ethereal/leap.txt.