A Relay-assisted Handover Pre-authentication Protocol in the LTE Advanced Network

Size: px

Start display at page:

Download "A Relay-assisted Handover Pre-authentication Protocol in the LTE Advanced Network"

Giles Leonard
6 years ago
Views:

1 ICNS 2012 : he Eighth International Conference on Networing and Services A Re-assisted Handover Pre-authentication Protocol in the LE Advanced Networ Ling ie he Department of Information Science and echnique he Chengdu University Chengdu Sichuan China tlcd4579@gmailcom Di He he Department of Electronic Engineering he Shanghai Jiaotong University Shanghai China dihe@sjtueducn Abstract With the help of reing he Long erm Evolution Advanced networ is improved on the coverage and capacity But reing concept brings many problems on handover management In this paper a re node is introduced in the system structure We extend the handover procedure to support reing and transmit security context We design a re assisted handover pre-authentication protocol which happened before the mobile node handovers to the target cell his article focuses on formal analysis of our proposed security protocol Finally an improved strand space and ideal formal analysis method which includes message authentication code is introduced We use it to prove that our proposed protocol can meet the security and authentication proprieties Keywords- Long erm Evolution; re; handover; security; strand space; ideal I INRODUCION he Long erm Evolution Advanced networ (LE-A is considered as one of the main standards for the 4 th generation broadband wireless networ Recently due to the increasing demand for high transport rate and capacity the reing concept is introduced he implementation of re can overcome the restriction of coverage especially at the cellular boundary With the help of re node ( located at the overlap between two adjacent cells the user equipment ( being served by a source cell can pre-handover to the target cell he handover interrupt rate and de will be reduced significantly here are many papers have taled about handover schemes happened in the re LE-A networ In [1] five re handover scenarios are categorized in multi-hop cellular networ (MCN Several handover framewors for re enhanced LE Networ are introduced in [2] Some re handover procedures supporting centralized and decentralized reing are illustrates Butthese articles do not discuss security and authentication issues In the 3GPP draft [3] a Re Node ( is connected to an evolution Node B ( wirelessly he serving the is called Donor (D he Draft gives an end-to-end authentication and ey agreement (AKA procedure when the first attaches to the LE he 3GPP draft [4] proposes many solutions that support LE re node security Butthese standards do not discuss pre-handover authentication issue In this paper a re-assisted handover pre-authentication protocol is provided he and arget D authenticate mutually before handover occurs his protocol will reduce the handover de significantly But this paper focuses on only formal analysis of our proposed security protocol he performance of our proposed protocol will be discussed in future wors he rest of the paper is organized as follows he system architecture is given in Section II In Section III the proposed re assisted handover authentication protocol is presented he extended strand space is introduced in Section IV he security is proved using this strand space model Section V gives a brief introduction of the performance improvement Section VI concludes this paper II SYSEM SRUCURE he system architecture of the proposed scheme is illustrated in Figure1 During the handovers from cell 1 to cell 2 the signal strength between the and the sourcing D decreases When the signal strength falls below certain threshold handover will happen However the still remain in the source cellular he will try to find one located at the coverage area between the source D and the target D he helps the to preauthentication to the target D Cell1 Source D S1 MME X2 S1 serving -GW Cell2 arget D Figure 1 Re handover structure he LE-A consists of the following major components: User Equipment (: It is mobile host Copyright (c IARIA 2012 ISBN:

2 ICNS 2012 : he Eighth International Conference on Networing and Services III Re Networ (: It provides multi-hop Wireless connectivity from the to the arget D Donor (D: It is an serving the RELAY ASSISED HANDVER PRE-AUHENCAION PROOCOL USIM/AuC /HSS K CKIK A Notations Before we describe the re assisted pre-authentication protocol we will specify some of notations used in the protocol as shown in able I /MME ASME ABLE I NOAIONS NAS enc/int symbol Explanation X he Key nown by the X MAC( X h Message authentication code produced by X { h} X he message is encrypted by the ey X N X he nonce value produced by X ID he identification of X X Concatenation KDF ( X h Security ey produce function by X B Handover Key Hierarchy According to the 3GPP draft [4] the calculation of and Re is based on the ey hierarchy in Figure 2 he is achieved from traditional AKA authentication method defined in the draft [5]he handover ey is produced according to the method published in the draft he re ey is calculated as in (1 Re =KDF ( SSID re (1 C Re Assisted Handover Procedure Figure 3 shows the re assisted pre-handover procedure his procedure is based on [2] We extended this procedure to include the calculation and transmission of security ey All the handover messages are protected by the ey in Figure 2 he Steps are as follows: Step 1: he sends the measurement control message to the Step 2: he sends the measurement report message to the and forward it to the Source D Step 3: Based on the measurement report the Source D maes handover decision If handover is allowed the source D initiates / UP enc/int /Re RRC enc/int Re Re enc/int the handover process he source D will calculate as the handover ey for the target Figure 2 Handover ey hierarchy D[5] It can also produce the ey Re for the Step 4: he source D sends the handover request message to the arget D his message includes and Re which are protected by the RRC ey Step 5: he target D accepts the handover request message Step 6: After completing admission control the target D sends the handover request acnowledge message to the source D Step 7: he source D sends the handover command message to the securely his message includes Re for the Step 8: he receives the handover command message and Re for the It sends the handover command message to the which includes Re SSID Step 9: he uses information received from the handover command message to create It calculates Re simultaneously Nowthe has eys and Re Copyright (c IARIA 2012 ISBN:

3 ICNS 2012 : he Eighth International Conference on Networing and Services Source D 1 Measurement control 2 Measurement Report 3 HO Decision Derive Refrom arget D 10 re assisted handover authentication protocol MME 4 Handover Request ( Re 5 Admission control 6 Handover Request Ac 7 Handover Command ( Re 8 Handover Command (Re ssid 9 Derive Re from a and Re ssid 11Handover Confirm 17 Release Resources 12 Handover Complete 13 User Plan Update Request 14 User Plan Update Responses 15 Handover Complete Ac 16 Release Resources Serving Gateway Figure 3 Re-assisted handover Pre-authentication Sequence Step 10: he achieves re-assisted handover preauthentication with the arget D through the Step 11: he sends the handover confirm message to the and forward it to the arget D Step 12: he arget D sends the handover complete message to the MME Step 13: he MME sends the user plan update Request message to the Serving GW Step 14: he Serving GW sends the user plan update Response message to he MME Step 15: he MME sends the handover complete Ac message to the arget D Step 16: he arget D sends the release resource message to the Source D Step 17: he Source D sends the release resource message to the D Re Assisted Handover Pre-authetication Protocol In this section a detailed description of our proposed pre-authentication protocol is given It is the step 10 in figure 3 he extension of the step 10 sequence in Figure 3 is showed in Figure 4 Step10 1: When the still remain in the cell 1 it begins the pre-authentication procedure with the help of he sends the re handover authentication request message to the he generates two nonces N2 is used for the other N1 is used for arget D he nonce is encrypted by the ey nown only by the and the arget D he calculates the message authentication code (MAC of the and the arget D Step 102: Upon receiving the re authentication request message the decrypts the message and verifies the MAC using the ey Re If the verifications succeed the authenticates the he produces a nonce N1 and generates the MAC using the ey Re he nonce and the identification of the re are encrypted using the ey Re hen the sends a arget authentication request message to the arget D Step 103: When this message reaches the arget D the arget D carries out the same MAC computation If the verification is correct he arget D will successfully authenticate the and the Re he arget D produces two nonces N1 and N 2 he arget D constructs arget authentication response messages include the session ey U as in (2 share between the and arget D and the ey R as in (3 share between the and arget D he arget D uses the MAC algorithm to produce two message authentication codes for the and the =KDF ( N1 N1 +1 ID ID (2 U R =KDF ( Re N1 +1 N2 ID ID (3 Step 104: he receives the arget authentication response message and uses the ey re to decrypt the R as in (3 he verifies the MAC and authenticates the arget D hen it calculates the ey U R as in (4 between the and hen it adds the MAC of the into the Copyright (c IARIA 2012 ISBN:

4 ICNS 2012 : he Eighth International Conference on Networing and Services re authentication response message and sends it to the U R =KDF ( Re N2 Re N2 +1 ID D (4 Step 105: he receives the re authentication message and decrypts U and U R he uses the same MAC algorithm to authenticate the and arget D 1 Re handover Authentication Request arget D 2 arget handover Authentication Request 3 arget handover Authentication Response 4 Re handover Authentication Response Figure 4 Re assisted handover pre-authentication protocol he protocol described in detail below: : { N 1 } MAC N 1 ID ( { N 2 ID } MAC ( 2 Re Re N ID arget D: { N 1 } MAC N 1 ID ( { N1 N 2 ID ID } Re MAC ( Re N1 N2 arget D : { N1 N1 1 ID ID U MAC( KU N1 N1 1 ID { N1 1 N 2 ID ID ID } : { R Re ( Re R N1 1 N 2 MAC N1 N1 1 ID ID U MAC( KU N1 N1 1 ID { N 2 N 2 1 ID ID ID } U R Re } } MAC ( Re U R 1 his protocol happens before the handovers to the target cell Due to space limitations we do not discuss the performance of the proposed protocol his paper will pay more attention on security formal analysis IV SECURIY FORMAL ANALYSIS In this section we will use strand space formal analysis method to prove that our protocol is secure Although strand space method [6] is efficient there are some shortcomings We extend strand space to include message authentication code (MAC item A Extend Strand Space We define the set A of terms he element in A is the information exchanged among subjects In particular we will assume: A set of texts (represent the atomic messages A A set of cryptographic eys K disjoint from K A A unary operator inv : K K hree binary operators encr : K A A join : A A A MAC : K A A 1 As usual we will write inv(k as K encr ( K m as{ m} K and join( a b as ab We redefine axioms as follows Axiom 1: for m m A and 1 2 K 1 2 K If { m} { m } 1 then m m and ; If MAC( 1 m MAC( 2 m then m m and 1 2 Axiom 2: for m m m m A and K (1 m0m1 m0m1 m0 m1 m1 m1 (2 m { 0} 0m1 m (3 m0 m1 K (4{ m 0 } K (5 m0m1 MAC( m0 (6 MAC( m0 K We extend it to include MAC item according to [7] Definition 1 A strand space is a set with a trace mapping tr : ( A Copyright (c IARIA 2012 ISBN:

5 ICNS 2012 : he Eighth International Conference on Networing and Services Definition 2 A penetrator trace is one of the following: M ext message :< +t> wheret F Flushing :<-g> ee : <-g+g+g> G Concatenation : <-g-h +gh> S Separating into components:<-gh +g+h> K Key :< +> where K E Encryption: <--h + { h} > D Deception : <--h - { h} +h> MAC Message authentication code: <- -h MAC ( h > Definition 3 Let C be a set of edges and let C be the set of nodes incident with any edge inc C is bundle if : (1 C is finite (2 If n1 C and term( n 1 is negative then there is a unique n 2 such that n 2 n 1 C (3 If n1 C and n2 n1 then n 2 n 1 C (4 C is acyclic Definition 4 If C is a bundle and s then the C is the largest height of s denoted C- height (s i length( tr( s such that s and s i C Definition 5 An infiltrated strand space is a pair with a strand space and such that tr ( p is a penetrator trace for all p Definition 6 he sub-term relation is defined Inductively so that: (1 a t for t iff a =t (2 a for K iff a = (3 a { g} iff a g or a = { g} (4 a gh iff a h a g or a = gh (5 a MAC ( g iff a g or a = MAC ( g We redefine the ideal and honest idea [8] including the MAC Definition 7 If a -ideal of A is a subset I of A such that for all h I g A and (1 gh hg I (2{ h} I (3 MAC( h I he smallest - ideal containing h is denoted I [h] Definition 8 h is a sub-term of g written h g defined as g I [h] Proposition 1 is a transitive reflextive relation More over if h g A and then (1 h h g and g g h (2 h { h} (3 h MAC ( h Definition 9 If S A I is the smallest - ideal containing S s A is a - subterm t A written s t iff t I [s] S A I [ S] I [ x] Definition 10 Support of Proposition 2 if Lemma 1 Let S S S i1 0 xs {{ g} MAC( g : g I g I [ Si ] } then I [ S] i I[ Si ] Proposition 3 Suppose S A and every s S is simple If gh I then either g I or h I Proposition 4 Suppose ; S A and for every s S s is simple and is not of the form { g} or MAC ( g if { } I [ S] or MAC( h I [ S] then h [ S ] h I Lemma 2 Suppose 1 2 and MAC ( h 1 1 MAC ( h 2 2 hen MAC ( h 1 1 h 2 Proposition 5 Suppose S A and every s S is simple and is not of the form MAC ( h or { h} If MAC( h I [ S] or { h} I [ S] then or Proposition 6 Suppose C is a bundle over A If m is minimal in { m C : term( m I} then m is an entry point for I Definition 11 A set I A is honest relative to a bundle C if and only if whenever a penetrator node p is an entry point for I p is an M node or a K node heorem 1 Suppose C is a bundle over 1 A S S hen I is honest i Copyright (c IARIA 2012 ISBN:

6 ICNS 2012 : he Eighth International Conference on Networing and Services 1 Corollary 1 Suppose C is a bundle S and S If term( m I [ S] for some m C then for some regular node n C n is an entry point for I Corollary 2 Suppose C is a bundle 1 S S and no regular node C is an entry point for I hen any term of the form{ g} and MAC ( g for S does not originate on a penetrator strand B he Bundle We will use extended honest and ideal concept to prove the security of our proposed protocol he goal of this protocol is to mutually authenticate hop-by-hop he bundle of our proposal is shown in Figure 5 M1M 2 M 4M 6 arget D M1 M 3 M 4M 5 Figure 5 Our propose strand space M1= { N 1 ID } MAC ( 1 N ID M2= { N 2 ID } MAC ( 2 Re Re N ID M3= { N1 N 2 ID ID } Re MAC ( Re N1 M4= { N1 N1 1 ID ID } M5= MAC U MAC( KU N1 N1 1 ID { N1 1 N 2 ID ID ID } R ( Re R N1 1 N 2 ID M6= { N 2 N 2 1 ID ID ID } Re U R Re MAC ( Re U R 1 ID Definition 12 An infiltrated strand space space if is the union of three inds of strands: (1 Penetrator s strand s ; (2 s Strand s [ N1 N 2 N1 N 2 ID ID U U R ] with trace defined to be: < M1 M 2 M 4 M 6 > ( is a ID (3 Re s strand s [ N 2 N 2 N1 N 2 ID ID ID R U R H G] with trace defined to be: H M 2 H M 3 G M 5 G M 6 > (4 arget D s Strand s arget D [ N1 N1 N 2 N1 U R ID ID ID H] with trace defined to be: < H M 3 M 4 M 5 > For U K R U R K { } U R U R Re x 1 x Proposition 7 he set and arget D are disjoint each other C Security Analysis We first prove that session eys can not be disclosed unless penetrator posses one of the long term eys heorem 2 suppose C is a bundle in strand space name session ey R are uniquely originating ; R ; and s has C - height 3 Let S { Re R } and \ S For every node m C term( m I [ R ] PROOF: By proposition 2 it suffices to prove that stronger statement that for every node m term( m I [ S] 1 Since S and S by Corollary 1 It suffices to show that no regular node m is an entry point for I Copyright (c IARIA 2012 ISBN:

7 ICNS 2012 : he Eighth International Conference on Networing and Services We will argue by contradiction and assume m is a regular node which is an entry point for I Since m is an entry point for I by the definitions it follows that term (m is an element of I By proposition 2 this implies that one of the eys Re R is a sub term of term (m Now no regular node contains any ey Re as a sub-term In fact the only session eys which occur as sub-terms of term(m for m regular are the session eys emanating from the arget D If m is a positive regular node on a strand s then R term (m implies either: (1 s arg et D and m s 2 in which case R is the session ey; (2 s and m s 3 R H In case 2 m is not an entry point for I because H s 1 which is a preceding negative node So m is not entry point of I So consider case 1 By the unique origination of R s S arg et D so term (m = M5 or term (m =M4 By Proposition 3 either 1 { R N1 1 N 2 ID ID ID} I [ S] Re 2 { N1 N1 1 ID ID } I [ S] U MAC( Re R N1 1 3 I [ S] 4 MAC K N1 N1 1 ID ( U I Butthe first and the second are impossible he third and the fourth are impossible by Proposition 5 Similarly we can prove that U and U R are secure So we can conclude that session eys can not be disposed Our protocol is secure D Authetication Analysis In this section we will prove the authentication guarantees to its and arget D Proposition 8 Consider a bundle C in Suppose arget D name and hen no term of the form { g } MAC( g can originate on a penetrator node in C PROOF: Let S { } and o apply Corollary 2 we must chec that no regular node is an entry point for I or equivalently the does not originate on any regular node A ey originates on a regular node only if it is a session ey originating on a arget D strand s However by the definition of arg et D arg et D the session ey is never a long term ey Hence we may apply Corollary 2 to I so any term { g } MAC( g can only originate on a regular node Lemma 3 Consider a bundle C in Suppose R N name and Re B hen no term of the form { g} MAC( Re g can originate Re on a penetrator node inc Proposition 9 1 If { H} originates on a regular strand s then If s arg et D then H U N1 N1 1 ID and U 2 If { H} Re originates on a regular strand s then If s arg et D then H R N1Re 1 IDRe and R If s then H U R 1 ID and U R 3 If MAC( H originates on a regular strand s then If s then H N1 If s arg et D then H U N1 N1 1 ID 4 If MAC( Re H originates on a regular strand s then If s Copyright (c IARIA 2012 ISBN:

8 ICNS 2012 : he Eighth International Conference on Networing and Services H N1 Or H U R 1 ID (5 If MAC( Re H originates on a regular strand s then If s arg then H R Re et D N1 Re 1 N 2 1 PROOF: By the definition of originating if the term H originates on m then m is positive If s arg et D then m s 2 hus the encrypted subterm of term (m { U N1 N1 1 ID } is of from (1 If the term MAC( H originates on m then m is positive If s then m s 1 he subterm of this term is of the form (3 If s If the term MAC( H originates on m then m is positive hen the positive nodes of the s is m s 3 and the sub-term of this term is of the form (4 Corollary 3 Suppose s is a regular strand of (1 IF { U N1 N1 1 ID ID } originates on s then s arg et D he term originates on the node s 2 and U originates on s (2 If { R N1 1 N 2 ID ID ID} Re originates on s then s arg et D he term originates on the node s 2 and R originates on s (3 If { U R N 2 N 2 1 ID ID ID } Re originates on s then s the term originates on the node s 3 and U R originates on s (4 If { N 1 } originates on s then (5 If ID s then the term { N 1 } originates on node s 1 ID Re ID { N 2 } originates on s then s { N 2 } originates on node ID Re s 1 (6 If MAC ( N1 originates on s then s MAC( N1 originates on node s 1 (7 If MAC ( Re N 2 } originates on s then s MAC ( Re N 2 } originates on node s 1 (8 If MAC ( Re N1 originates on s then s MAC( Re N1 origin ates on node s 2 MAC( Re R N1 1 N 2 (9 If originates on s then s arg et D MAC( Re R N1 1 N 2 originates on s 2 MAC( Re U R 1 If originates on s then s the MAC( Re U R 1 originates on s 3 PROOF: Since s is regular s arg et D Apply proposition 9 he following theorem asserts that if a bundle contains a strand s then under reasonable assumptions there are regular strand s s arg et D Which agrees on the arget D heorem 3 Support C is a bundle in ; arg et D ; N1 N 2 is uniquely originating in C ; and If s has C - height 2 then there are regular strands : (1 s of height 3 at least Re Copyright (c IARIA 2012 ISBN:

9 ICNS 2012 : he Eighth International Conference on Networing and Services (2 s arg et D of height 2 PROOF: According to the trace of s Since by Lemma 3 M 6 originates Re on a regular node in C By Corollary 3 this node belongs to a strand s which has C - height 3 at least Since by Lemma 3 M 4 originates Re on a regular node in C By Corollary 3 this node belongs to a strand s arg which C - height 2 et D heorem 4 Support C is a bundle in ; arg et D N1 N 2 N1 are uniquely originating in C ; and If Re s arg has C- height 2 then there are regular et D strands : (1 s of height 2 at least (2 s of height 1 at least PROOF: According to the trace of Since s arg et D by lemma 3 M 3 originates Re on a regular node in C By Corollary 3 this node belongs to a strand s which C - height 2 at least Since by lemma 3 M1 originates Re on a regular node in C By Corollary 3 this node belongs to a strand s which C - height 1 at least heorem 5 Support C is a bundle in ; arg et D ; N 2 N1 N1 are uniquely originating in C ; and Re If s has C -height 3 then there are regular strands : (1 s arg et D of height 2 (2 s of height 1 at least PROOF: According to the trace of s Since Re by lemma 3 M 5 originates on a regular node inc By Corollary 3 this node belongs to a strand s arg with C - height 2 Since et D Re by lemma 3 M1 originates on a regular node in C By Corollary 3 this node belongsto a strand s have height 1 at least So we can conclude that and arget d can authenticate each other V PERFORMANCE EVALUAION In this section we will discuss the performance of our proposal scheme In the traditional handover scheme the will tear down the connection with the Source first When the moves into the target cellular it will establish the connection with the arget he handover messages are transmitted from the to the Source then to the MME and finally to the serving GW as in figure 1 and arget will finish end-to-end authentication using AKA protocol But in the re-assisted handover procedure the handover messages are transmitted among the source D and arget D With the help of the the handover information does not need to be transmitted on the S1 interface he handover de will be reduced significantly In our extended re-assisted handover procedure security eys are carried on the handover messages hey are protected by the RRC ey Some security eys are transmitted to the target D and before the handover happens With the help of the wireless connection is established among the and the arget D Before the handovers to the target D Our proposed pre-authentication protocol can be executed among the and raget D hop-by-hop Because this protocol is happened before handover the overhead is not calculated on handover de When the handovers to the target D it does not need to run the AKA protocol from scratch he only needs to finish local authentication process with the target D he handover authentication de will be reduced VI CONCLUSION Reing is ey technique in future LE-A networ Re node is introduced to extend coverage and capacity In order to enable reing handover procedure architecture and protocol have to be modified his paper introduced a new re assisted handover mechanism Handover messages are exchanged among and D We consider the security issue about the re-assisted handover procedure Before the moves into the target cellular security contexts are transferred on the handover messages to the target cellular With the aid of the re nodes the performs pre-authentication protocol when the still remain in the source cellular he and arget D mutual authenticate using hop-by-hop communications When the handovers to the target cellular it does not need to perform end-to-end authentication from scratch Handover authentication de is reduced significantly he security formal analysis is our main tas We also extend traditional strand space including message authentication Copyright (c IARIA 2012 ISBN:

10 ICNS 2012 : he Eighth International Conference on Networing and Services code We use the extended ideal and honest idea to prove the security of our pre-authentication protocol But in this paper we do not discuss the handover de and loss rate In future wor we will evaluate the overhead of our scheme using simulation and analytical methods ACKNOWLEDGMEN his research wor is supported by the National Natural Science Foundation of China (NSFC under Grant No and the SMC young scholar sponsorship of Shanghai Jiao ong University REFERENCES [1] C Sunghyun E W Jang and J M Cloffi Handover in multihop Cellular networ IEEE Communication Magzine Vol 47 pp July 2009 [2] O eyeb V V Phan B Raaf and D Redana Handover framewor for re enhanced LE networs IEEE International Conference on communications worshops pp 1 5 June 2009 [3] he 3GPP draft Evolved Universal errestrial Radio Access (E-URA and Evolved Universal errestrial Radio Access Networ (E-URAN; Overall description; Stage 2 [4] he 3GPP draft Feasibility Study on LE Re Node Security [5] he 3GPP draft GPP System Architecture Evolution (SAE; Security architecture [6] F J hsyer Fabreqa J C Herzog and J D Guttman Strand spaces: Why is a Security Protocol Correct proceedings of IEEE Symposium on security and Privacy pp May 1998 [7] Y Li Li P Dai Yuan and G Yue Xiang Analysis and Improvement of Sensor Networs Security Protocol Journal on Communications Vol 32 No 5 pp May 2011 [8] F J hayer Fabreqa J C Herzog and J D Guttman Strand Spaces: Honest Ideals on Strand spaces Proceedings of the 11th IEEE Computer Security Foundations Worshop pp June 1998 Copyright (c IARIA 2012 ISBN:

Strand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001

Strand Spaces Proving Protocols Corr Jonathan Herzog 6 April 2001 Introduction 3Second part of talk given early last month Introduced class of cryptographic protocols Modeled at high level of abstraction