
This article was downloaded by: [Saravanan K] On: 14 March 2014, At: 10:41 Publisher: Taylor & Francis


Journal of Discrete Mathematical Sciences and Cryptography


Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/tdmc20

FPGA implementation of Secure Authentication in WiMAX Networks using Modified WiMAX Bloom filter: A Hardware Approach

K. Saravanan (a) & A. Senthilkumar (b)

(a) Department of Electronics and communication, Nehru Institute of Technology Coimbatore, India

(b) Department of Electrical and Electronics Engineering, Dr. Mahalingam College of Engineering and Technology Pollachi, Tamilnadu, India.

Published online: 07 Mar 2014.

To cite this article: K. Saravanan & A. Senthilkumar (2013) FPGA implementation of Secure Authentication in WiMAX Networks using Modified WiMAX Bloom filter: A Hardware Approach, Journal of Discrete Mathematical Sciences and Cryptography, 16:6, 393-404, DOI: 10.1080/09720529.2013.858504

To link to this article: http://dx.doi.org/10.1080/09720529.2013.858504


Downloaded by [Saravanan K] at 10:41 14 March 2014

FPGA implementation of Secure Authentication in WiMAX Networks using Modified WiMAX Bloom filter: A Hardware Approach

K. Saravanan *
Department of Electronics and Communication, Nehru Institute of Technology, Anna University Chennai, Coimbatore, Tamilnadu, India

A. Senthilkumar
Department of Electrical and Electronics Engineering, Dr. Mahalingam College of Engineering and Technology, Pollachi, Tamilnadu, India

Abstract

Secure authentication for WiMAX networks is highly challenging due to their lack of solid infrastructure and their vulnerability to various attacks in the wireless environment. In our research we propose a hardware approach for initial-level secure authentication of subscriber mobile stations using a modified Bloom filter. To the best of our knowledge this is the first work of its kind to use a Bloom filter for WiMAX authentication. The design has been evaluated and tested using a Xilinx 65 nm Virtex-5 field-programmable gate array as the target technology. The performance metrics are false positive ratio, compactness, speed and security.

Keywords: Bloom filter, H3 hash function, secure authentication, Connection Identifier, WiMAX, AAA server, base station, False Positive Ratio, Power, throughput.


*E-mail: saravanantlf@gmail.com
E-mail: ask_rect@yahoo.com

Journal of Discrete Mathematical Sciences & Cryptography, Vol. 16 (2013), No. 6, pp. 393-404, Taru Publications

1. Introduction

Security issues have recently received considerable attention for WiMAX networks specified by IEEE 802.16, owing to the lack of proper physical infrastructure. The IEEE 802.16 standard specifies a security sub-layer at the bottom of the MAC layer [2] to provide the mobile subscriber station (SS) with authentication and privacy and to protect the base station (BS) from unauthorized network access. The proposed hardware-based authentication system, the first of its kind to the best of our knowledge, uses a modified Bloom filter on the Authentication, Authorization and Accounting (AAA) server side, with which the BS communicates to authenticate the SSs under its control. This authentication is considered an initial-level authentication that validates the authority of an SS to access the BS. In future, a complete hardware authentication system will be developed based on this research.

A Bloom filter is an efficient data structure and compact information representation technique for such membership queries [3]. Different variants of the Bloom filter have emerged, and it still requires optimization for efficient use in diverse applications. It consists of two sub-blocks, namely a hashing block and a mapping block. Generally, the H3 hash function, known as the universal hash, is the one most used in Bloom filters. A Bloom filter stores a set of elements to be queried in a portable manner by applying multiple hash functions to each element of the set and storing the hashed values in a bit-array vector by setting the appropriate bits. Initially the Bloom filter has to be programmed by element insertion. After programming, it can be used for fast querying about the programmed (inserted) elements. The query result may sometimes be a false positive but never a false negative. It is interesting to note that the computation time of the Bloom filter is independent of the number of elements stored, although that number affects the false positive ratio (FPR) of the result. Hence optimization and scalability can be achieved by proper design principles. We have modified the Bloom filter to suit WiMAX authentication at the initial level. The protocol architecture of IEEE 802.16 is shown in Figure 1 and the general functional block diagram of the Bloom filter is shown in Figure 2.

Figure 1
IEEE 802.16 protocol architecture


Figure 2
Functional block diagram of bloom filter

The proposed Bloom filter design addresses the initial authentication of WiMAX networks, specified in the security sub-layer of the protocol, using a hardware approach. The rest of the article is organized as follows. A survey of the Bloom filter concept and WiMAX security issues is given in Section II. Section III discusses the mathematical modeling of the Bloom filter FPR. Section IV gives the proposed concept, Section V gives the experimental results and simulation scenarios, and the conclusion is given in Section VI.

2. Literature survey

The security issues in WiMAX networks were discussed in [2], and various methods for security were given. The authentication procedures and the various threats and challenges associated with them were discussed in [4]. The Bloom filter concept was introduced in [3], and variants of the Bloom filter architecture were introduced in [5]. The Bloom filter and its variants have been adapted for diverse applications such as network intrusion detection systems, pattern matching, packet classification, detection of flooding attacks in the Internet, distributed caching for web servers, dictionaries and database applications [20], [24], [25], [26], [27], [28] and [29]. It is also used in various real-time applications that require intensive querying and compact storage of membership. The proposed system for secure authentication was developed, based on the requirements identified in the above research, using a modified Bloom filter.


3. Mathematical analysis of FPR and Modified hash logical concepts

A standard Bloom filter representing a set $S = \{x_1, x_2, \ldots, x_n\}$ of $n$ elements is described by an array of $m$ bits, initially all set to 0. The Bloom filter uses $k$ independent hash functions $\{h_1, h_2, \ldots, h_k\}$ with range $(1, 2, \ldots, m)$. For each element $x \in S$, the bit $h_i(x)$ is set to 1 for $1 \le i \le k$. To check whether an item $y$ is in $S$, we check whether all $h_i(y)$ are set to 1. If not, then clearly $y$ is not a member of $S$. If all $h_i(y)$ are set to 1, then $y$ is taken to be a member of $S$, but with the possibility of a false positive result. A false positive thus means treating a non-member as a member. The probability of a false positive result for an element can be calculated as follows. The probability that a specific bit is 0 is

\[ (1 - 1/m)^{kn} \approx e^{-kn/m} \tag{1} \]

Let $p = e^{-kn/m}$. Then the probability of a false positive, derived from the probability that a specific bit is 1, is

\[ \left(1 - (1 - 1/m)^{kn}\right)^{k} \approx \left(1 - e^{-kn/m}\right)^{k} = FP \tag{2} \]

This gives the mathematical representation of the false positive probability ratio (FPR), denoted FP, that can occur when a Bloom filter is used for any compact querying application. The FPR cannot be completely avoided, but, as is evident from the above equations, it can be reduced by choosing a smaller number of input elements and larger Bloom filter arrays, and also by choosing appropriate hashing functions, which yields further optimization so that a low FPR can be fixed in advance.

H3 hash functions can be computed with simple Exclusive-OR (EXOR) and AND operations, making them very efficient for hardware implementation. The input to the H3 hash logic is generally 8 bits in size. The hash logic produces a 4-bit output with the help of a secure random matrix D consisting of eight 4-bit random binary values {d1 to d8}. For example, for the given input $x = 00011010_2$, the hash value $H(x)$ is computed as shown below. Let $x = 00011010$ and let the random matrix D be assigned the following random values:


\[ D = \begin{pmatrix} d_1 \\ d_2 \\ d_3 \\ d_4 \\ d_5 \\ d_6 \\ d_7 \\ d_8 \end{pmatrix} = \begin{pmatrix} 1100 \\ 0001 \\ 0100 \\ 1110 \\ 1001 \\ 0110 \\ 1101 \\ 1111 \end{pmatrix} \]

\[ H(x) = H(00011010) = 0 \cdot d_1 \oplus 0 \cdot d_2 \oplus 0 \cdot d_3 \oplus 1 \cdot d_4 \oplus 1 \cdot d_5 \oplus 0 \cdot d_6 \oplus 1 \cdot d_7 \oplus 0 \cdot d_8 = 1010 \]

The $\oplus$ operator indicates the logical EXOR operation. The hash value is computed as $1010_2$. The proposed Bloom filter uses a modified H3 hash that applies a transposition encryption technique known only to the administrator, for security reasons. We have adopted a specific shifting of bit positions, modifying the universal H3 logic, and termed it transposition encryption. The operation is illustrated in Figure 3. The 4-bit hashed value, represented as A, B, C and D, is post-processed to produce a new hash value. Each bit of the output is shifted in position as shown in Figure 3. Note that, before the first bit and the third bit are shifted, they are EXORed with a pre-assigned key value k to add security. The final hash value for the given input is thus computed, and this value is further decoded to index the membership of the input in the Bloom filter.

Figure 3
Transposition technique adopted
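
The worked H3 computation and the key-EXOR-then-transpose post-processing described above, as an added Python model (an illustration added here, not the authors' Verilog). Figure 3 is not reproduced on this page, so the permutation `PERM` and the single-bit key are assumptions chosen only to make the step concrete.

```python
# Added illustration: software model of the H3 hash and the post-processing step.
# D is the random matrix from the worked example: eight 4-bit rows d1..d8.
D = [0b1100, 0b0001, 0b0100, 0b1110, 0b1001, 0b0110, 0b1101, 0b1111]


def h3(x, rows=D):
    """XOR together the rows d_i selected by the 1-bits of x (x_1 is the MSB)."""
    n = len(rows)
    out = 0
    for i, d in enumerate(rows):
        if (x >> (n - 1 - i)) & 1:   # AND of input bit x_(i+1) with row d_(i+1)
            out ^= d                 # EXOR accumulation
    return out


# ASSUMPTION: hypothetical bit permutation standing in for Figure 3.
# Output position j receives key-masked input bit PERM[j]; 0 = A ... 3 = D.
PERM = (2, 0, 3, 1)


def transpose_encrypt(h, key_bit, perm=PERM):
    """EXOR bits A and C with the key bit, then move the bits to new positions."""
    bits = [(h >> (3 - i)) & 1 for i in range(4)]   # [A, B, C, D]
    bits[0] ^= key_bit                              # first bit
    bits[2] ^= key_bit                              # third bit
    out = 0
    for p in perm:
        out = (out << 1) | bits[p]
    return out


def modified_h3(x, key_bit):
    """Final 4-bit value, which the design then decodes into an index."""
    return transpose_encrypt(h3(x), key_bit)


def h3_is_xor_linear(rows=D):
    """H3 is linear over GF(2): h3(a ^ b) == h3(a) ^ h3(b) for all inputs."""
    size = 1 << len(rows)
    return all(h3(a ^ b, rows) == h3(a, rows) ^ h3(b, rows)
               for a in range(size) for b in range(size))


def index_histogram(key_bit):
    """How many of the 256 possible 8-bit inputs land on each 4-bit value."""
    hist = [0] * 16
    for x in range(256):
        hist[modified_h3(x, key_bit)] += 1
    return hist
```

In this model the key bit and the permutation relabel the 16 output values without changing which inputs collide: D has full rank, so the histogram is flat (16 inputs per value) for either key bit.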


4. Functional model and concept

We propose a Bloom filter with some design variations on the standard counting Bloom filter [6] and use it for efficient secure authentication in WiMAX networks. In our work we modify the Bloom filter to suit WiMAX applications, with the necessary variations in the design units, so that it can be programmed with the 16-bit connection identifier (CID) field of every member SS MAC address of a particular IEEE 802.16 network [2]. We have modeled the m, n and k values of the Bloom filter such that the proposed system works with a very low FPR and a possible throughput in the range of 1.6 Gbps when operated at a typical frequency of 200 MHz in an FPGA. This range of throughput is highly suitable for WiMAX applications because of their high speed. Further, FPGA implementation makes the design reconfigurable. Since our Bloom filter uses modified H3 hashing, high security is provided with fewer hash collisions. The hashed values of the 16-bit CIDs are stored in a linear feedback shift register (LFSR) counter array. The proposed design is shown in Figure 4.

The proposed design uses two Bloom filters for efficient storage and querying. The Bloom filters are first programmed with the corresponding hashed CID values of the subscriber stations using the modified H3 hash logic, by incrementing the corresponding LFSR based on the decoded value. While querying, the same hashing logic is applied to the given input, and then the zero detectors, the multiplexers (which use the same hashed value as selection lines) and the final AND logic are used to sense the membership, as shown in Figure 4. The entire logic of the proposed modified WiMAX Bloom filter architecture is coded in the Verilog hardware description language and implemented on a Virtex-5 FPGA.

Figure 4
Block diagram of experimented modified bloom filter

5. Experimentation and simulation scenario

The experimental results are discussed in this section. The 16-bit CID values, with the necessary binary conversion, are given as input to the modified WiMAX Bloom filter. The Bloom filter is first programmed with the CID values of all the member SSs by driving the addmember line HIGH in the program, so that the particular CID value is hashed with the secure hash function and the hashed value is stored in the LFSR array. A stored CID can be deleted by setting the deletemember line HIGH in the program, thus removing the particular SS from network access. After the Bloom filter has been programmed with all member SS CIDs, it is ready for querying by setting the querry line HIGH and keeping the addmember and deletemember lines LOW. The simulation of the entire design is illustrated in Figure 5. The floor planner of the design after synthesis is shown in Figure 6. The internal blocks after synthesis of the Bloom filter appear as shown in Figure 7.


Figure 5
Entire simulation of modified bloom filter


Figure 6
The floor planner of modified bloom filter


Figure 7
The internal block after synthesis

The power estimate after synthesis of the Bloom filter and the FPR values for various m and n values are tabulated in Table 1. The false positive ratio of the WiMAX Bloom filter is analyzed for various m and n values and shown in Figures 8, 9 and 10, in order to fix a suitably low FPR bound according to the m and n values.

Table 1
Performance summary

m       n      FPR
256     48     0.077124079
512     48     0.005948123
1280    82     0.000553344
1536    100    0.000623889
1792    118    0.000678142
2048    136    0.000721021
2304    154    0.000755703
1280    82     0.000553344
5888    316    0.000129482

Total power: 81 mW
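
A software model of the add/delete/query behaviour described in Section 5, with equation (2) of Section 3 evaluated next to a measured false positive ratio. This is an added Python example, not the authors' Verilog: the H3 matrices come from a seeded generator, and k = 4 and the sample CIDs are assumptions, since the page gives neither the matrices nor k.

```python
import math
import random


def fpr_eq2(m, n, k):
    """Equation (2), exponential form: (1 - e^(-kn/m))^k."""
    return (1 - math.exp(-k * n / m)) ** k


def min_fpr(m, n):
    """Equation (2) minimised over k, at k = (m/n) ln 2 (standard result)."""
    return math.exp(-(m / n) * math.log(2) ** 2)


class CountingBloom:
    """Counting Bloom filter over 16-bit CIDs using k H3 hash functions."""

    def __init__(self, m, k, seed=2014):
        if m < 2 or m & (m - 1):
            raise ValueError("m must be a power of two so an H3 output is an index")
        rng = random.Random(seed)      # constructed matrices, not the paper's
        width = m.bit_length() - 1
        self.mats = [[rng.getrandbits(width) for _ in range(16)] for _ in range(k)]
        self.counters = [0] * m        # integers stand in for the LFSR counters

    def _indexes(self, cid):
        idxs = []
        for rows in self.mats:         # one H3 matrix per hash function
            idx = 0
            for i, d in enumerate(rows):
                if (cid >> (15 - i)) & 1:
                    idx ^= d
            idxs.append(idx)
        return idxs

    def add(self, cid):                # addmember HIGH
        for i in self._indexes(cid):
            self.counters[i] += 1

    def query(self, cid):              # query: every selected counter is non-zero
        return all(self.counters[i] > 0 for i in self._indexes(cid))

    def delete(self, cid):             # deletemember HIGH
        # Decrementing for a CID that does not test as present would corrupt
        # counters shared with real members and create false negatives.
        if not self.query(cid):
            return False
        for i in self._indexes(cid):
            if self.counters[i] > 0:
                self.counters[i] -= 1
        return True


def measure_fpr(m=256, n=48, k=4, seed=7):
    """Program n constructed CIDs, then query every other 16-bit CID."""
    rng = random.Random(seed)
    members = set(rng.sample(range(1, 1 << 16), n))
    bf = CountingBloom(m, k)
    for cid in members:
        bf.add(cid)
    members_ok = all(bf.query(c) for c in members)      # no false negatives
    false_pos = sum(bf.query(c) for c in range(1 << 16) if c not in members)
    return members_ok, false_pos / ((1 << 16) - n)
```

`min_fpr(256, 48)` evaluates to about 0.0771 and `min_fpr(512, 48)` to about 0.00595, which agrees with the first two rows of Table 1 to three significant figures.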


Figure 8
FPR versus m value

Figure 9
FPR versus n value

The overall performance of the network will be highly enhanced by deploying the secure authentication provision using the Bloom filter. The power consumption is also very low, in the range of 81 mW for our design. Moreover, this is an interoperable solution developed considering the security issues of all other versions of IEEE 802.16 networks, hence it will enhance the performance of the network as a whole.


Figure 10
FPR versus m and n values

6. Conclusion and future works

The secure authentication of IEEE 802.16 networks using a modified Bloom filter is an innovative and initial logical hardware approach, adding credit to our original work. The modified Bloom filter we designed consumes very low power, on the order of 81 mW, works with a very low false positive ratio and provides high throughput on the order of 1.6 Gbps. In future we plan to reduce the FPR further, to a negligible value, by suitably modifying the design, and also to address other problems related to security in WiMAX networks using hardware approaches. We would like to consider detection of all kinds of threats, such as ID theft, the rogue BS attack [4] and other vital security issues.

References

[1] IEEE Standard for Local and Metropolitan Area Networks: Part 16: Air Interface for Broadband Wireless Access Systems, IEEE Std, Vol. 802(16), 2009.
[2] Chin-Tser Huang and J. Morris Chang, Iowa State University, Responding to security issues in WiMAX, IEEE Computer Society, Oct 2009.
[3] B. Bloom, Space/Time Tradeoffs in Hash Coding with Allowable Errors, Comm. ACM, Vol. 13(7), 1970, pp. 422-426.
[4] Kamran Sameni et al., Analysis of Attacks in Authentication Protocol of IEEE 802.16e, International Journal of Computing and Network Technology an International Journal, Dec. 2012.


[5] L. Fan, P. Cao, J. Almeida, and A. Broder, Summary Cache: A Scalable Wide Area Web Cache Sharing Protocol, IEEE/ACM Trans. Networking, Vol. 8(3), 2000, pp. 281-293.
[6] Michael Paynter and Taskin Kocak, Fully pipelined bloom filter Architecture, IEEE Communication Letters, Vol. 12(11), 2008, pp. 855.
[7] Deke Guo, Jie Wu, Honghui Chen, Ye Yuan and Xueshan Luo, The Dynamic Bloom Filters for Deep Packet Inspection, IEEE Transaction on knowledge and data engineering, Vol. 22(1), 2010.
[8] Christian Esteve Rothenberg, Carols, Fabio and F. Magalhaes, The Deletable Bloom Filter: A new member of the bloom family, IEEE Communication Letters, Vol. 14(6), 2010.
[9] S. Adibi, B. Lin, P. H. Ho, G. B. Agnew, and S. Erfani, Authentication Authorization and Accounting (AAA) Schemes in WiMAX, University of Waterloo, Broadband Communication Research Centre (BBCR), IEEE International Conference, 2006, pp. 210-215.
[10] Michael Mitzenmacher, Compressed Bloom Filters, IEEE/ACM Transactions on Networking, Vol. 10(5), 2002.
[11] Paulo Sérgio Almeida, Carlos Baquero, Nuno Preguiça, Scalable Bloom Filter, Information Processing Letters, 2007.
[12] Bin Xiao and Yu Hua, Using Parallel Bloom Filters for Multiattribute Representation on Network Services, IEEE Transactions on Parallel and Distributed Systems, Vol. 21(1), 2010.
[13] Michael Paynter and Taskin Kocak, Fully Pipelined Bloom Filter Architecture, IEEE Communications Letters, Vol. 12, 2008.
[14] Rafael P. Laufer et al., Generalized Bloom Filter to Secure Distributed Network Applications, Journal on Computer Networks, Elsevier, 2011.
[15] F. Hao, M. Kodialam, and T. Lakshman, Building High Accuracy Bloom Filters Using Partitioned Hashing, Proc. ACM SIGMETRICS.
[16] H. Song, S. Dharmapurikar, J. Turner, and J. Lockwood, Fast Hash Table Lookup Using Extended Bloom Filter: An Aid to Network Processing, Proc. ACM SIGCOMM, 2005.
[17] Taskin Kocak and Ilhan Kaya, Low-Power Bloom Filter Architecture for Deep Packet Inspection, IEEE Communication Letters, Vol. 10(3), 2006.
[18] Abhishek Kumar, Li Li, Jia Wang, Space Code Bloom Filter for Efficient Traffic Flow Measurement, ACM, 1581137737/03/0010.


[19] S. Dharmapurikar and J. Lockwood, Fast and scalable pattern matching for network intrusion detection systems, IEEE Journal on Selected Areas in Communications, Vol. 24, 2006, pp. 1781-1792.
[20] Andrei Broder and Michael Mitzenmacher, Network applications of Bloom Filters: A Survey, Internet Mathematics, Vol. 1(4), 2003, pp. 485-509.
[21] A. Whitaker and D. Wetherall, Forwarding without Loops in Icarus, in Proceedings of the Fifth IEEE Conference on Open Architectures and Network Programming (OPENARCH), IEEE Computer Society, 2002, pp. 63-75.
[22] Sarang Dharmapurikar, Praveen Krishnamurthy, and David E. Taylor, Longest prefix matching using Bloom filters, ACM SIGCOMM, August 2003.
[23] Deke Guo, Yuan He, Panlong Yang, Receiver-oriented design of Bloom filters for data-centric routing, Computer Networks, Elsevier publications, Vol. 54, 2010, pp. 165-174.
[24] Tao Chen, Deke Guo, et al., A Bloom filters based dissemination protocol in wireless sensor networks, Journal on Adhoc networks, Elsevier publications, 2010.
[25] A. G. Alagu Priya, Hyesook Lim, Hierarchical packet classification using a Bloom filter and rule-priority tries, Computer Communications, Vol. 33, 2010, pp. 1215-1226.
[26] Nitesh B. Guinde and Sotirios G. Ziavras, Efficient hardware support for pattern matching in network intrusion detection, Computers & Security, Vol. 29, 2010, pp. 756-769.
[27] Dimitris Geneiatakis, Nikos Vrakas, Costas Lambrinoudakis, Utilizing bloom filters for detecting flooding attacks against SIP based services, Computers & Security, Elsevier publications, Vol. 28, 2009, pp. 578-591.
[28] R. Rajagopalan and P. K. Varshney, Data-aggregation techniques in sensor networks: a survey, IEEE Communications Surveys & Tutorials, Vol. 8(4), 2006, pp. 48-63.
[29] Abhishek Das, David Nguyen, Joseph Zambreno, Gokhan Memik, and Alok Choudhary, An FPGA-Based Network Intrusion Detection Architecture, IEEE Transactions on Information Forensics and Security, Vol. 3(1), 2008.

Received February, 2013; Revised August, 2013
