1. Introduction
Pervasive computing has emerged as a new computing and communication environment with the aim of providing services anytime and anywhere for anyone. Vehicular networks are one of the currently emerging research areas in pervasive computing. They have received attention for their potential in traffic efficiency, road safety, infotainment, Internet access, and pervasive sensing applications [1]. In particular, the new emerging infotainment applications require vehicular networks to support multimedia and real-time services [2]. Therefore, provisioning of seamless mobility is essential for next generation vehicular networks. As one of the network layer mobility solutions, Fast Handover for Mobile IPv6 (FMIPv6) [3] reduces the handover latency of the Mobile IPv6 procedure by performing movement detection and New Care-of Address (NCoA) configuration in advance, using information obtained before the link changes. The Mobile Node (MN) can perform a binding update and receive data destined for it as soon as a new link to the New Access Router (NAR) is established. However, without verification of the Fast Binding Update (FBU), an adversary can redirect a victim node's traffic or cause a Denial of Service (DoS) attack. To avoid these attacks, the FMIPv6 signaling messages between the MN and the Access Router (AR) must be secured, so that FMIPv6 support is provided only to a legitimate MN that has been authorized to obtain such services.
*This work was supported by the Engineering Research Center of Excellence Program of Korea Ministry of Education, Science and Technology (MEST) / Korea Science and Engineering Foundation (KOSEF), grant number R11-2008007-03002-0.
2. Related work
There are several existing handover authentication schemes [4, 7] that provide a shared handover key for securing FMIPv6 signaling between MN and AR. In [4], the proposed mechanism uses SEND [5] and an additional public/private key pair, the CGA (Cryptographically Generated Addresses) [6] public key pair, to encrypt and decrypt a shared handover key sent from the AR to the MN. However, the CGA specification does not recommend using the CGA public key for encrypting the handover key, because of potential vulnerabilities such as Sybil and DoS attacks [6]. In [7], the secure handover scheme establishes handover keys from shared keys: it generates the Handover Integrity Key (HIK) from a Handover Master Key (HMK) shared between the MN and a Handover Key Server (HKS) after the bootstrapping authentication. The HKS-based scheme has good security properties, but incurs additional authentication traffic and Round Trip Time (RTT) latency. This latency is unsuitable for real-time services such as infotainment applications in vehicular networks.
In order to solve the aforementioned problems of the existing schemes, our scheme focuses on strong security, through mutual authentication between the MN and the AAA server, and on reducing the authentication traffic and the RTT latency through pre-authentication.
3. Proposed Protocol
In this section, we introduce the proposed secure binding update authentication scheme for FMIPv6. The details of the protocol are depicted in Figure 1. The secure handover authentication scheme consists of a bootstrapping phase, for pre-authentication, and a handover authentication phase that uses a handover authentication key (HAK). Our scheme is described with the notation summarized in Table 1.
Table 1 Notation
  Notation   Description
  IDMN       Identity of participant MN
  NonceMN    Nonce of participant MN
             Master Key between MN and AAA server
  HEK        Handover Encryption Key between MN and Nth Access Router
  HK         Handover Key between MN and Nth Access Router
  {M}_HEK    Encryption of message M with key HEK
  H          One-way hash function
  ||         Concatenation operator
(1)
KDF, the Key Derivation Function, is a function that derives a secret key from a secret value or from other known information such as a password or passphrase. Key derivation functions often use a cryptographic hash function internally [9]. IDAR is the global IP address of the AR, as seen by the MN. IDMN is the link-layer address of the MN, which the MN sends during pre-authentication.
(2)
(3)
perform protocol falsification and bounded verification via infinite numbers of sessions.
Here HKreq_MAC is the value of H(HEK, IDMN||IDPAR||IDNAR||NonceMN) and HKres_MAC is the value of H(HEK, IDMN||IDPAR||IDNAR||NonceMN||NonceNAR); the MN derives HEK via Eq. (1). After the exchange of these two messages, the MN and the NAR generate a handover key, HK, for handover authentication. HK is generated as follows:
HK = PRF(HEK, IDNAR || IDMN || NonceMN || NonceNAR)    (4)
HK is derived with the pseudo-random function (PRF) from HEK and the concatenation of the addresses of the NAR and the MN and the nonces of the MN and the NAR. A PRF is a pseudo-random number function that produces a sequence of values from a seed and its current state; given identical seeds, the PRF always outputs an identical sequence of values [9]. Next, the MN transmits a Fast Binding Update (FBU) message including the NCoA to the PAR via Msg3. Msg3 contains FBU_MAC as well as the FBU message; FBU_MAC is the value of H(HKN, NCoA||NonceNAR). HI_MAC is forwarded to the NAR together with HI (Handover Initiate) via Msg4; HI_MAC is the value of H(HKN, NCoA||NonceMN). When the message is received, the NAR generates HK using Eq. (4) and verifies that the received MAC equals the one it generates. If verification succeeds, the NAR transmits a Handover Acknowledge (HAck) message and assumes that HKN is shared and that the handover is secure. When the HAck message is received, the PAR transmits an FBack message to notify the MN and the NAR of the result. From then on, packets sent to the MN are forwarded to the NAR.
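The following is an added worked example, not code from the paper: it runs the four-message handover key exchange described above (HKreq/HKres with their MACs, HK from Eq. (4), then FBU_MAC and HI_MAC) with constructed identities and nonces, and shows that a party holding a different HEK fails every check. The instantiations of H, PRF and KDF (all HMAC-SHA256 with distinct labels) are assumptions of the example, since the page only names them abstractly and does not reproduce Eq. (1); the example also assumes that the MN computes HI_MAC and the PAR relays it unchanged in Msg4.

```python
import hashlib
import hmac
import secrets

# Assumed instantiations (not specified on the page): H and PRF as HMAC-SHA256
# over the concatenated fields, with a label to keep the two functions distinct.
def H(key: bytes, *fields: bytes) -> bytes:
    """One-way keyed hash H(key, a || b || ...)."""
    return hmac.new(key, b"H" + b"||".join(fields), hashlib.sha256).digest()

def PRF(key: bytes, *fields: bytes) -> bytes:
    """Pseudo-random function used in Eq. (4)."""
    return hmac.new(key, b"PRF" + b"||".join(fields), hashlib.sha256).digest()

def KDF(master_key: bytes, id_ar: bytes, id_mn: bytes) -> bytes:
    """Assumed form of Eq. (1): HEK derived from the MN/AAA master key and the
    identities of the AR and the MN (the page does not reproduce the equation)."""
    return hmac.new(master_key, b"HEK||" + id_ar + b"||" + id_mn, hashlib.sha256).digest()

def run_handover(hek_mn: bytes, hek_nar: bytes,
                 id_mn: bytes = b"mn-lladdr-02:00:00:00:00:01",   # constructed
                 id_par: bytes = b"2001:db8:1::1",                 # constructed
                 id_nar: bytes = b"2001:db8:2::1",                 # constructed
                 ncoa: bytes = b"2001:db8:2::200") -> dict:        # constructed
    """One protocol run. hek_mn is the MN's HEK, hek_nar the NAR's; they are
    equal for a legitimate MN and differ for an adversary without the master key."""
    nonce_mn = secrets.token_bytes(16)
    nonce_nar = secrets.token_bytes(16)

    # Msg1 MN -> NAR: HKreq with HKreq_MAC = H(HEK, IDMN||IDPAR||IDNAR||NonceMN)
    hkreq_mac = H(hek_mn, id_mn, id_par, id_nar, nonce_mn)
    msg1_ok = hmac.compare_digest(hkreq_mac, H(hek_nar, id_mn, id_par, id_nar, nonce_mn))

    # Msg2 NAR -> MN: HKres with HKres_MAC = H(HEK, IDMN||IDPAR||IDNAR||NonceMN||NonceNAR)
    hkres_mac = H(hek_nar, id_mn, id_par, id_nar, nonce_mn, nonce_nar)
    msg2_ok = hmac.compare_digest(hkres_mac, H(hek_mn, id_mn, id_par, id_nar, nonce_mn, nonce_nar))

    # Eq. (4) evaluated independently on both sides.
    hk_mn = PRF(hek_mn, id_nar, id_mn, nonce_mn, nonce_nar)
    hk_nar = PRF(hek_nar, id_nar, id_mn, nonce_mn, nonce_nar)

    # Msg3 MN -> PAR: FBU with FBU_MAC = H(HK, NCoA||NonceNAR)
    fbu_mac = H(hk_mn, ncoa, nonce_nar)
    # Msg4 PAR -> NAR: HI with HI_MAC = H(HK, NCoA||NonceMN); the NAR regenerates HK
    # and checks the MAC before answering with HAck.
    hi_mac = H(hk_mn, ncoa, nonce_mn)
    hi_ok = hmac.compare_digest(hi_mac, H(hk_nar, ncoa, nonce_mn))

    return {
        "msg1_ok": msg1_ok,
        "msg2_ok": msg2_ok,
        "hk_shared": hmac.compare_digest(hk_mn, hk_nar),
        "hi_ok": hi_ok,
        "hk": hk_nar,
        "fbu_mac": fbu_mac,
    }

if __name__ == "__main__":
    master_key = b"constructed-master-key"  # constructed; shared by MN and AAA server
    hek = KDF(master_key, b"2001:db8:2::1", b"mn-lladdr-02:00:00:00:00:01")
    print("legitimate MN:", run_handover(hek, hek))
    print("adversary without HEK:", run_handover(secrets.token_bytes(32), hek))
```

Because both nonces enter Eq. (4), two runs with the same HEK yield different HK values, which is what makes a replayed Msg1 useless to an attacker; the test below checks this along with the success and failure cases.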
For the specification of our scheme, we abstracted the details of the proposed secure binding update authentication scheme as shown in Figure 2. We assume that pre-authentication has already taken place.
Msg1. MN -> NAR : HKreq[HKreq_MAC.{IDMN.IDNAR.IDPAR.NMN}_HEK]
      % where HKreq_MAC = H(IDMN.IDNAR.IDPAR.NMN)
Msg2. NAR -> MN : HKres[HKres_MAC.{IDMN.IDNAR.IDPAR.NMN.NNAR}_HEK]
      % where HKres_MAC = H(IDMN.IDNAR.IDPAR.NMN.NNAR)
Msg3. MN -> PAR : FBU, FBU_MAC
      % where FBU_MAC = PRF(HK, NCoA, NNAR)
Msg4. PAR -> NAR : HI, HI_MAC
      % where HI_MAC = PRF(HK, NCoA, NMN)
guarantees integrity. The last two goals mean that the MN and the NAR are authenticated mutually. Therefore, the handover between the MN and the NAR is authenticated securely.
goal
  % the HEK (sec_hek_mn and sec_hek_ar) is secret
  % between the MN and the NAR
  secrecy_of sec_hek_mn, sec_hek_ar
  % the HK (sec_hk_mn and sec_hk_ar) is secret
  % between the MN and the NAR
  secrecy_of sec_hk_mn, sec_hk_ar
  % authentication and integrity of the HEK_mac1 in Figure 3
  authentication_on nmn
  % authentication and integrity of HEK_mac2 in Figure 3
  authentication_on nar
  % the MN authenticates the NAR
  authentication_on hk1
  % the NAR authenticates the MN
  authentication_on hk2
end goal
Figure 3 shows the sequence of events represented in HLPSL. The sequence is written in the usual HLPSL notation. The HLPSL specification assigns participants to each role and also states how many concurrent sessions of the protocol are running. Figure 4 shows the HLPSL code specifying the intruder's initial knowledge and the concurrent sessions. Overall, four sessions of the protocol were modeled and checked concurrently, to ensure that the goals of Figure 5 are met. In Figure 4, the first two identical sessions are useful for finding replay attacks.
role environment() def=
  intruder_knowledge = {mn, ar, kdf, prf, i}
  composition
       session(mn, ar, f1, f2, f3, kdf, prf)
    /\ session(mn, ar, f1, f2, f3, kdf, prf)
    /\ session(i,  ar, f1, f2, f3, kdf, prf)
    /\ session(mn, i,  f1, f2, f3, kdf, prf)
end role
We specified the following goals: secrecy of HEK and HK between the MN and the NAR; authentication and integrity of the messages exchanged; and mutual authentication between the MN and the NAR. Figure 5 shows the security goals in the HLPSL specification. For secrecy, the goal facts assert which values must be kept secret between participants. For instance, the first phrase in Figure 5, secrecy_of sec_hek_mn, sec_hek_ar, means that sec_hek_mn and sec_hek_ar are secret. Here, sec_hek_mn is the HEK held by the MN and sec_hek_ar is the HEK held by the NAR; therefore HEK is shared and kept secret between the MN and the NAR. The second phrase means that HAK is shared and kept secret between the MN and the NAR. For authentication, the goal facts check that a participant correctly believes that its intended peer is present in the current session, has reached a certain state, and agrees on a certain value, which is typically fresh. In Figure 6, the third phrase, authentication_on n_mn, means that n_mn is authenticated by the NAR. Here, n_mn is the nonce of the MN. The nonce is encrypted with HEK and sent to the NAR together with the hashed value of the MN's nonce; the encrypted and hashed values provide authentication and integrity. The fourth phrase means that the nonce of the NAR is authenticated by the MN, and
6. Conclusion
In this paper, we proposed a secure binding update authentication scheme based on pre-authentication. The scheme guarantees mutual authentication, secrecy, and integrity between the MN and the ARs. In addition, our scheme reduces the authentication latency, because pre-authentication between the MN and an authentication server has already taken place. This scheme is suitable for vehicular networks, since these networks can predict a vehicle's route in advance and prepare it for known hazards.
Figure 6 Result of OFMC
7. References
[1] N. Ravi and L. Iftode, A Note on Pervasive Computing, In Proc. CMPPC'07, 2007.
[2] Q. Mussabbir, W. Yao, Z. Niu, and X. Fu, Optimized FMIPv6 Using IEEE 802.21 MIH Services in Vehicular Networks, IEEE Transactions on Vehicular Technology, Vol. 56, No. 6, Nov. 2007.
[3] R. Koodli, Mobile IPv6 Fast Handovers, RFC 4068, April 2008.
[4] J. Kempf and R. Koodli, Distributing a Symmetric FMIPv6 Handover Key Using SEND, RFC 5269, Nov. 2007.
[5] J. Arkko, J. Kempf, B. Zill, and P. Nikander, SEcure Neighbor Discovery (SEND), RFC 3971, March 2005.
[6] T. Aura, Cryptographically Generated Addresses (CGA), RFC 3972, March 2005.
[7] V. Narayanan, N. Venkitaraman, H. Tschofenig, G. Giaretta, and J. Bournelle, Establishing Handover Keys Using Shared Keys, IETF draft-vidya-mipshop-handover-keys-aaa-04, March 2007.
[8] D. Stanley, J. Walker, and B. Aboba, Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs, RFC 4017, March 2005.
[9] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996.
[10] L. Viganò, Automated Security Protocol Analysis with the AVISPA Tool, In Proc. MFPS'05, ENTCS 155:61-86, Elsevier, 2005.
[11] Y. Chevalier, L. Compagna, J. Cuellar, P. Hankes Drielsma, J. Mantovani, S. Mödersheim, and L. Vigneron, A High Level Protocol Specification Language for Industrial Security-Sensitive Protocols, In Proc. SAPS'04, Austrian Computer Society, 2004.
[12] D. Basin, S. Mödersheim, and L. Viganò, An On-The-Fly Model-Checker for Security Protocol Analysis, In Proc. ESORICS'03, LNCS 2808, pp. 253-270, 2003.
[13] P. Ammirati and G. Delzanno, Constraint-based Automatic Verification of Time Dependent Security Properties, In Proc. SPV'03, 2003.
[14] H. Wang and A. R. Prasad, Fast Authentication for Interdomain Handover, In Proc. ICT 2004, LNCS 3124, pp. 973-982, August 2004.
5. Security Analysis
Table 2 compares the existing schemes with our scheme. Our scheme is more secure and efficient than the existing schemes. In [4], there is no additional latency due to an authentication server, but potential attacks such as Sybil and DoS have been found. In [7], no attacks such as replay, MITM, or DoS have been found, but the scheme incurs RTT latency and authentication traffic with an authentication server. Our scheme is safe against the known attacks and more efficient than [7], because the number of messages exchanged with the authentication server during handover is smaller than in [7].
Table 2 Comparison of the existing schemes and our scheme
  Scheme                 Known attacks                     Crypto algorithm       # of msgs exchanged with server during handover
  Kempf et al. [4]       Potential Sybil and DoS attacks   RSA, Hash              None
  Narayanan et al. [7]   Safe                              Symmetric key, Hash    Two
  Our scheme             Safe                              Symmetric key, Hash    None