One-Pass EAP-AKA Authentication in 3G-WLAN Integrated Networks

2007 IEEE 18th International Symposium on Personal, Indoor and Mobile Radio Communications, 2007

The security architecture of the 3G-WLAN integrated networks specifies that a WLAN user, in order to get access to the 3G packet switched services or the public internet through the 3G PLMN, he must follow a two-pass EAP-AKA authentication procedure. This involves a double execution of EAP-AKA, which introduces a duplicated authentication overhead. This paper proposes a one-pass EAP-AKA authentication procedure for the 3G-WLAN integrated networks that reduces significantly the authentication traffic, compared to the two-pass EAP-AKA authentication, without compromising the provided level of security. The proposed procedure has minimal impact on the existing 3G-WLAN network infrastructure and functionality. A security analysis of the proposed authentication procedure is elaborated that identifies potential attacks and proposes possible countermeasures. In addition, a cost analysis is considered that compares the total number of messages required for user's authentication using the two-pass EAP-AKA and the proposed one-pass EAP-AKA authentication.

… Conference, 2004. VTC …, 2004

Recently, several authentication protocols have been proposed for wireless local area networks (WLANs) to improve security in hotspot public access and corporate networks, and some have been proposed for integrated 3G-WLAN networks. These authentication protocols are based on the extensible authentication protocol and have been directly applied to wireless networks based on their widespread use in wired networks. Depending on the 3G-WLAN architecture and how the WLAN is tied to the 3G network, these protocols could have large latency. Moreover they do not have mechanisms for authenticating the usage time of a mobile in a WLAN. In this paper, we first discuss these issues related to existing authentication protocols for a 3G-WLAN integrated network. Then, we propose a new authentication mechanism based on the dual signature concept used in secure electronic transactions that can be used in a loosely coupled architecture. Finally, we present a preliminary evaluation of the energy performance and latency of the existing and proposed protocols.

Wireless Personal Communications, 2004

Wireless communications have developed rapidly and have been applied for many services. Cellular (the third-generation) mobile networks and wireless local area network (WLAN) are two important technologies for providing wireless communications. The third-generation (3G) networks provide wider service areas, and "always-on" and ubiquitous connectivity with low-speed data rate. WLAN networks offer higher data rate and the easy compatibility of wired Internet, but cover smaller areas. In fact, 3G and WLAN possess complementary properties. Integrating 3G and WLAN networks may offer subscribers high-speed wireless data services and ubiquitous connectivity. For integrating two heterogeneous networks, several issues should be involved, authentication, billing, quality of service, and seamless roaming between 3G and WLAN networks. In this paper, we address the authentication and billing problems and propose two protocols that provide both authentication and billing services. One protocol utilizes a one-time password approach to authenticate subscribers. This protocol is efficient in both computation time and authentication procedures. Because of the restrictions of the password-based approach, this protocol could not offer the non-repudiation property for the billing problem. Another protocol is constructed on a public-key-based system (i.e., certificates). Although it requires more computation time than the password-based approach, non-repudiation is guaranteed. Performance analysis simulation results are given to validate our two protocols.

2009 Wireless Telecommunications Symposium, 2009

The 3rd Generation Partnership Project(3GPP) standard is developing System Architecture Evolution(SAE)/Long Term Evolution(LTE) architecture for the next generation mobile communication system. The SAE/LTE architecture provides secure service and 3G-WLAN interworking [9]. To provide secure 3G-WLAN interworking in the SAE/LTE architecture, Extensible Authentication Protocol-Authentication and Key Agreement(EAP-AKA) is used. However, EAP-AKA has several vulnerabilities such as disclosure of user identity, man-in-themiddle attack, Sequence Number(SQN) synchronization, and additional bandwidth consumption. Therefore, this paper analyzes threats and attacks in 3G-WLAN interworking and proposes a new authentication and key agreement protocol based on EAP-AKA. The proposed protocol combines Elliptic Curve Diffie-Hellman(ECDH) with symmetric key cryptosystem to overcome these vulnerabilities. Moreover, our protocol provides Perfect Forward Secrecy(PFS) to guarantee stronger security, mutual authentication, and resistance to replay attack. Compared with previous protocols which use public key cryptosystem with certificates, our protocol can reduce computational overhead.

International Journal of Computer Sciences and Engineering (IJCSE), 2015

In recent years, WLANs have been developing rapidly and are increasingly being used in many applications. The extensive application of WLAN has been using an authentication framework widely called as Extensible Authentication Protocol (EAP). The requirements for EAP methods (i.e. Authentication mechanisms built on EAP) in WLAN authentication have been defined in RFC 4017 are issues also increasingly receiving widespread attention. To achieve user efficiency and robust security, lightweight computation and forward secrecy, not included in RFC 4017, are also desired in WLAN authentication. However, all EAP methods and authentication protocols designed for WLANs so far do not satisfy all of the above properties. With detailed analysis of all EAP Methods and authentication protocols designed for WLANs, this article pointed out properties of all EAP method.

3rd National Conference of Innovative Research Trends in Computer Science Engineering & Technology 2014, 2014

In recent years, with more extensive application of WLAN has been using an authentication framework widely called as Extensible Authentication Protocol (EAP). The requirements for EAP methods (i.e. Authentication mechanisms built on EAP) in WLAN authentication have been defined in RFC 4017 are issues also increasingly receiving widespread attention. To achieve user efficiency and robust security, lightweight computation and forward secrecy, not included in RFC 4017, are desired in WLAN authentication. However, all EAP methods and authentication protocols designed for WLANs so far do not satisfy all of the above properties. With detailed analysis of all EAP Methods and authentication protocols designed for WLANs, this article pointed out properties of all EAP method.

2006

This paper presents an enhanced EAP-SIM authentication scheme for securing WLAN. The proposed scheme uses the Internet Key Exchange version 2 (IKEv2) protocol to protect the authentication procedure of EAP-SIM by encapsulating its packets. In this way the vulnerabilities of EAP-SIM authentication method are eliminated. After the employment of IKEv2, a Virtual Private Network (VPN) tunnel is established that protects data transferred over the air interface. The tunnel, which is based on IPsec, ensures confidentiality, authentication and integrity of the data exchanged in the WLAN environment. The proposed scheme has minimal impact on the existing network infrastructure. The user is still authenticated by proving the possession of a SIM card, in order to get subscribed in his home network for billing and charging purposes. The proposed scheme requires only that each end-point of the established VPN tunnel must have the appropriate IPsec software.

Research Journal of Applied Sciences, Engineering and Technology, 2014

The interworking of the 3G and the WLAN technique provides a perfect connectivity solution in terms of data rate, service cost and area coverage. However the Vertical Handover (VH) from the 3G to WLAN and the Horizontal Handover (HH) between WLAN domains present an additional security challenge. The V/H handover must be fast and secure without impacting the security in both networks. Several authentication methods have been proposed to secure the VH and HH. The Extensible Authentication Protocol Key Agreement (EAP-AKA) is the authentication protocol adopted by the 3rd Generation Partnership Project (3GPP) to authenticate User Equipment by the 3G Home Networks. The EAP-AKA protocol suffers from several weaknesses, such as user identity display and high authentication delay. In this study we propose a new simplify authentication method and key agreement for vertical and horizontal handovers based on the existed method EAP-AKA. Performances analysis of the proposed method show superior results in comparison to the existing EAP-AKA method in terms of bandwidth consumption, signaling cost and authentication delay. The security property of the new method is verified by using the formal security analyzer Automated Validation of Internet Security Protocols and Applications (AVISPA) which has a high talent in finding potential attacks automatically in security protocols.

2008 Fifth Annual Conference on Wireless on Demand Network Systems and Services, 2008

Next Generation Networks (NGN) provide multimedia services to mobile users through different access networks including WLAN. The security architecture of NGN specifies that a WLAN user must follow a multi-pass Authentication and Key Agreement (AKA) procedure, in order to get access to the IP multimedia subsystem (IMS) services. This includes a repetition of authentication steps and protocols which introduce an unnecessary overhead. This paper presents a onepass AKA procedure that eliminates the repeated steps without compromising the provided level of security. The presented procedure has minimal impact on the network infrastructure and functionality and does not require any changes to the existing authentication protocols. We investigate the induced performance improvement regarding the user authentication cost of the one-pass over the multi-pass AKA. To this end we consider a simple analytic model that quantifies the performance of onepass and multi-pass AKA. This study identifies the cases in which the one-pass AKA presents substantial benefits, e.g., when the mobile user has lengthy session time with short residence time in the service area of an access point.

Several schemes have been proposed for authenticating both the network and the mobile stations to one another in public access wireless networks. In this paper, we look at the weaknesses of such schemes and enumerate a set of four constraints for authentication in public access wireless networks. We then propose two authentication protocols that can overcome these weaknesses while satisfying the constraints. The first proposed protocol provides additional direct authentication to wireless clients to validate the network access point to prevent or to detect malicious attacks as early as possible. This adds additional burden to wireless devices whose resources are often limited. The second proposed protocol reduces the burden by providing indirect authentication with the help of a trusted server. In this paper, we also evaluate the performance of the existing schemes and the proposed schemes in terms of the size and number of messages, delay, energy consumption and security features.