2010, Computers & Security
A user in Beyond 3rd Generation (B3G) networks in order to get access to the network services must perform a multi-pass authentication procedure, which includes two or three sequential authentication steps. These multiple authentication steps include a redundant repetition of the same or similar authentication functions, which impose an unnecessary authentication overhead. This paper proposes a security binding mechanism, which reduces the execution of the redundant authentication functions of multi-pass authentications in a simple yet effective and secure manner. To achieve this, the proposed mechanism authenticates a user in the second and third step of a multi-pass authentication, by using the user's authentication credentials of the initial step. The focal point of the security binding mechanism is its generic application in multi-pass authentications, regardless of the underlying network architecture or protocols. To prove this, we have selected to present and analyze the application of the proposed mechanism in two different B3G scenarios (i.e., , resulting in the improved authentication procedures. A security analysis of the improved procedures has been carried out to identify possible attacks and propose security measures to eliminate them. Moreover, a simulation model has been developed to estimate and compare the performance of the improved 3G-WLAN authentication procedure to that of the legacy 3G-WLAN authentication. Simulation results show that the improved procedure presents better performance than its legacy counterpart.
2008 Fifth Annual Conference on Wireless on Demand Network Systems and Services, 2008
Next Generation Networks (NGN) provide multimedia services to mobile users through different access networks including WLAN. The security architecture of NGN specifies that a WLAN user must follow a multi-pass Authentication and Key Agreement (AKA) procedure, in order to get access to the IP multimedia subsystem (IMS) services. This includes a repetition of authentication steps and protocols which introduce an unnecessary overhead. This paper presents a one-pass AKA procedure that eliminates the repeated steps without compromising the provided level of security. The presented procedure has minimal impact on the network infrastructure and functionality and does not require any changes to the existing authentication protocols. We investigate the induced performance improvement regarding the user authentication cost of the one-pass over the multi-pass AKA. To this end we consider a simple analytic model that quantifies the performance of one-pass and multi-pass AKA. This study identifies the cases in which the one-pass AKA presents substantial benefits, e.g., when the mobile user has lengthy session time with short residence time in the service area of an access point.
2007 IEEE 18th International Symposium on Personal, Indoor and Mobile Radio Communications, 2007
The security architecture of the 3G-WLAN integrated networks specifies that a WLAN user, in order to get access to the 3G packet switched services or the public internet through the 3G PLMN, must follow a two-pass EAP-AKA authentication procedure. This involves a double execution of EAP-AKA, which introduces a duplicated authentication overhead. This paper proposes a one-pass EAP-AKA authentication procedure for the 3G-WLAN integrated networks that reduces significantly the authentication traffic, compared to the two-pass EAP-AKA authentication, without compromising the provided level of security. The proposed procedure has minimal impact on the existing 3G-WLAN network infrastructure and functionality. A security analysis of the proposed authentication procedure is elaborated that identifies potential attacks and proposes possible countermeasures. In addition, a cost analysis is considered that compares the total number of messages required for user's authentication using the two-pass EAP-AKA and the proposed one-pass EAP-AKA authentication.
International Journal of Grid and High Performance Computing, 2010
Wireless Personal Communications, 2009
The incorporation of Wireless Local Area Networks (WLANs) within the third generation (3G) networks materializes the next generation of mobile/wireless systems, named 3G-WLANs integrated networks. This paper proposes an improved authentication procedure for the 3G-WLANs integrated networks that enables a WLAN user to get access to the 3G packet switched services or to the public Internet through the 3G public land mobile network. The proposed procedure reduces significantly the authentication overhead compared to the legacy one, without compromising the provided security services. A security analysis of the proposed authentication procedure is elaborated that ensures the correctness of the authentication procedure, the provision of advanced security services and the elimination of possible attacks that may threaten the proposed authentication procedure. In addition, an energy cost analysis is carried out that compares the energy consumption induced by the legacy and the proposed authentication procedures. Finally, a communication cost analysis is provided that estimates the cost improvement of the proposed over the legacy authentication procedure.
Journal of Ambient Intelligence and Humanized Computing, 2011
3G/UMTS-WLAN heterogeneous mobile network is a complementary platform for the trend of Beyond-3G (B3G) wireless communications. However, the design of a secured and fast re-authentication protocol in 3G/UMTS-WLAN interworking networks is a challenging task. Although EAP authentication and key agreement (EAP-AKA) protocol is adopted by the third generation partnership protocol (3GPP) to achieve authentication and security services in 3G/UMTS-WLAN interworking networks, it still suffers from two main drawbacks. One is high re-authentication delays due to centralized re-authentication sessions within the RADIUS server and unnecessary multiple rounds of challenge-response messages traveling between the RADIUS server and the mobile station. The other is high intra-domain handover authentication delay incurred by EAP-AKA protocol without supporting intra-domain handover authentication. Thus, this paper proposes a novel protocol named Fast Iterative Localized Re-authentication (FIL Re-authentication) to replace the fast re-authentication in EAP-AKA protocol. Furthermore, FIL Re-authentication makes use of iterative process and localized re-authentication process for speeding up re-authentication times and reducing intra-domain handover authentication delays in 3G/UMTS-WLAN interworking networks. Additionally, the simulation model based on Network Simulator 2 (NS-2) is used to provide a valid implementation and finally the performance evaluation shows that proposed protocol surpasses standard EAP-AKA protocol in terms of authentication session time, authentication delay and handover authentication delay.
Wireless Personal Communications, 2004
Wireless communications have developed rapidly and have been applied for many services. Cellular (the third-generation) mobile networks and wireless local area network (WLAN) are two important technologies for providing wireless communications. The third-generation (3G) networks provide wider service areas, and "always-on" and ubiquitous connectivity with low-speed data rate. WLAN networks offer higher data rate and the easy compatibility of wired Internet, but cover smaller areas. In fact, 3G and WLAN possess complementary properties. Integrating 3G and WLAN networks may offer subscribers high-speed wireless data services and ubiquitous connectivity. For integrating two heterogeneous networks, several issues should be involved: authentication, billing, quality of service, and seamless roaming between 3G and WLAN networks. In this paper, we address the authentication and billing problems and propose two protocols that provide both authentication and billing services. One protocol utilizes a one-time password approach to authenticate subscribers. This protocol is efficient in both computation time and authentication procedures. Because of the restrictions of the password-based approach, this protocol could not offer the non-repudiation property for the billing problem. Another protocol is constructed on a public-key-based system (i.e., certificates). Although it requires more computation time than the password-based approach, non-repudiation is guaranteed. Performance analysis simulation results are given to validate our two protocols.
… Conference, 2004. VTC …, 2004
Recently, several authentication protocols have been proposed for wireless local area networks (WLANs) to improve security in hotspot public access and corporate networks, and some have been proposed for integrated 3G-WLAN networks. These authentication protocols are based on the extensible authentication protocol and have been directly applied to wireless networks based on their widespread use in wired networks. Depending on the 3G-WLAN architecture and how the WLAN is tied to the 3G network, these protocols could have large latency. Moreover they do not have mechanisms for authenticating the usage time of a mobile in a WLAN. In this paper, we first discuss these issues related to existing authentication protocols for a 3G-WLAN integrated network. Then, we propose a new authentication mechanism based on the dual signature concept used in secure electronic transactions that can be used in a loosely coupled architecture. Finally, we present a preliminary evaluation of the energy performance and latency of the existing and proposed protocols.
Telecommunication Systems, 2007
This paper analyses the security architectures employed in the interworking model that integrates third-generation (3G) mobile networks and Wireless Local Area Networks (WLANs), materializing Beyond 3G (B3G) networks. Currently, B3G networks are deployed using two different access scenarios (i.e., WLAN Direct Access and WLAN 3GPP IP Access), each of which incorporates a specific security architecture that aims at protecting the involved parties and the data exchanged among them. These architectures consist of various security protocols that provide mutual authentication (i.e., user and network authentication), as well as confidentiality and integrity services to the data sent over the air interface of the deployed WLANs and specific parts of the core network. The strengths and weaknesses of the applied security measures are elaborated on the basis of the security services that they provide. In addition, some operational and performance issues that derive from the application of these measures in B3G networks are outlined. Finally, based on the analysis of the two access scenarios and the security architecture that each one employs, this paper presents a comparison of them, which aims at highlighting the deployment advantages of each scenario and classifying them in terms of: a) security, b) mobility, and c) reliability.
2005
Controlled access to resources offered by network operators and service providers is a key component for any commercial deployment of a Beyond-3G (B3G) communication system: complex scenarios involving users accessing advanced multimedia services using heterogeneous network technologies in different administrative domains do require tight access control. This paper presents an authorization model that provides secured access control to network-dependent as well as to applicative services. Stemming from a new identity model that not only protects user's privacy but also allows for more powerful services, advanced authorization procedures are defined. We describe how innovative enhancements to authentication protocols easily and profitably make them usable for the purpose of authorization. A special focus is put on new registration procedures that can be built on top of these improvements in order to provide new security features to the infrastructure (e.g. granular access control rules, generic security model) while offering new security services to the end user (e.g. anonymity, fast attach procedure).