Mobile Computing: Authentication and Shared Key Establishment Scheme, Papers of Computer Science

A scheme for mobile computers to authenticate with base stations and establish a shared key for secure communication. The scheme involves the use of public and private keys, nonces, and a trusted home computer acting as the controlling authority. The document also discusses improvements to the scheme for multicast packets and proxy homes, as well as the sequence of messages required to arrive at the shared keys.

Typology: Papers

Pre 2010

Uploaded on 08/16/2009

Secure Wireless LANs

V. Bharghavan
CS Division, Department of EECS
University of California at Berkeley
Berkeley, CA - 94720

Abstract

Mobile computing is a major area of current research. A variety of wirelessly networked mobile devices now make it possible for a physically untethered computer to function in a fully networked manner. Recent research has focussed on providing the mobile user a seamless environment of wired and wireless networks. One of the major hurdles in providing such a seamless environment is that wireless media are inherently less secure.

In this paper, we propose a security scheme for wireless media which permits secure communication over a single wireless channel. Our scheme allows both communicating parties to authenticate each other and establish a shared key for secure communication. An unauthorized snooper cannot even discover the identity of the communicating parties. Mobile computers are thus provided a highly secure wireless environment. We describe an efficient practical implementation of the scheme and prove its correctness.

1 Introduction

Recent years have witnessed the rapid development of mobile computing devices, PDAs, palmtops, and portable computers. A crucial technology that has enabled this development is wireless networking. In the very near future, wireless LANs connecting a variety of static workstations and mobile portables are expected to be commonplace. Much research effort has recently been directed towards providing a seamless environment of wired and wireless networks. This task is complicated by the fact that wired and wireless media have very different characteristics. One major factor is that wireless is inherently less secure than wire. Most traditional applications do not provide user level security schemes based on the fact that physical network wiring provides some level of security. For a seamless wireless and wired networking environment that still provides the same measure of security but does not require rewriting old applications, wireless needs to be made at least as secure as wire. This paper describes an efficient and practical scheme to secure the wireless media. The scheme described here is being implemented as a part of the single channel LCMACA wireless media access protocol [3] at UC Berkeley.

In this paper, we propose a security scheme which authenticates both communicating end stations of a wireless channel and then provides a shared key using which these two stations can communicate securely. We prove the correctness of the scheme using the Burrows-Abadi-Needham Logic of Authentication [5].

The rest of the paper is organized as follows. Section 2 describes the development environment and the goals of our security scheme. Section 3 describes the generic scheme and proves its correctness. Section 4 proposes successive performance motivated improvements to the scheme and arrives at a practical security scheme. Section 5 describes an implementation of the scheme. Section 6 concludes the paper.

2 Background

2.1 Development Environment

We are developing a mobile computing environment consisting of indoor wireless nanocells, supported by a wired backbone network. The computers in our environment are static workstations or mobile notebooks. Each static computer has a wired network interface, and each mobile computer has a wireless network interface. Some special static computers - base stations - have both wired and wireless network interfaces, and serve to provide network connectivity to mobile computers. A mobile computer can achieve network connectivity only by communicating with a base station; mobile computers are prohibited from communicating with each other. The geographical region over which a base station provides connectivity is called its cell. The wireless medium in our environment is a single channel near-field radio with a bandwidth of 256kbps and range of about 30 feet.

Each mobile computer has a home computer on the wired backbone network. A home computer is trusted fully about any information pertaining to its mobile computer. In our environment, home computers and base stations are considered to be trusted special machines.

The wireless networking protocol stack is TCP/Mobile-IP/LCMACA. One relevant point about wireless MAC layer addressing is that the MAC layer device address used for a mobile computer is dynamically assigned randomly by a base station when the mobile computer first enters its cell [4]. The base station maps the dynamic MAC address to the internet address for every mobile computer in its cell. Thus merely seeing the MAC device address in a packet gives no information about the identity of the sender or receiver.

We have tried to make as few assumptions as possible about the development environment in our security scheme. The important assumption is the trustworthiness of base stations and home computers.

Figure 1 shows the development environment.

2.2 Goals

Wireless is inherently less secure than wire. It is a broadcast medium and eavesdropping is virtually undetectable. It is possible to snoop or even jam many wireless media. While our solution does not preclude an intruder from jamming a medium, it does prevent him from snooping (since the range of the wireless signal in our environment is small, the deleterious effect of jamming is restricted). Our security scheme has four goals.

1. Both the mobile computer and base station must be able to authenticate each other.

2. Once authenticated, the mobile computer and base station should be able to communicate securely.

3. It should not be possible for an unauthorized user to detect the location of a mobile computer.

4. The authentication scheme should be efficient.

Goals 1, 2, and 4 are obvious. Goal 3 is motivated by the fact that there are a lot of location-dependent applications emerging, and some of them may require location privacy. We achieve this goal by a combination of the dynamic addressing scheme [4] and the security scheme. Unfortunately, MACAW [2] requires that the header of a MAC packet should be visible to every computer within range. Thus the entire packet cannot be encrypted. However, dynamic addressing ensures that the MAC address of a mobile computer does not compromise its identity. Our security scheme encrypts the payload of the MAC layer packet (including the network addresses of the sender and receiver) by means of a shared key. Thus even if an unauthorized computer snoops a MAC packet, it still cannot detect the identity of the sender or receiver.

The following sections describe the realization of goals 1, 2, and 4.

3 Generic Security Scheme

Our security scheme authenticates the mobile computer and the base station and then generates a shared key which the mobile and the base use to communicate. The authentication scheme described here is safe against intrusions or replay. Data replay is not a consideration here since replayed data will be rejected at a higher layer (typically, TCP).

For the purposes of this paper, we assume that it is possible to communicate securely using a shared key encryption. Various popular schemes, such as DES, IDEA, FEAL-32, etc. achieve this security.

As noted in Section 2, we assume that a home computer is trusted fully with regard to its mobile computer. One of the variations of the generic security scheme (which we implement) assumes that base stations are trustworthy. This assumption is generally valid since base stations are special computers and system administered.

We describe the scheme in 4 stages. In this section, we describe the generic scheme and prove its correctness. In Section 4, we make two performance motivated improvements and prove the correctness of these improved schemes. We then describe an implementation in the context of the LCMACA protocol in Section 5.

3.1 Definitions

We use the following definitions for the rest of the paper.

(x, y, z) authentication denotes the scheme by which two computers x and y authenticate each other via z and then arrive at a shared key.

m denotes a mobile computer.

b and b1 denote a base station.

h denotes the home computer of m.

Kxy denotes a shared key between two computers x and y.

Kx and Kx” denote the public key and private key respectively of a computer x.

{p}K denotes a message p encrypted with key K.

|x, y, K| denotes that the computers x and y share a key K.

N, N’, and N” denote a nonce.

Following the Logic of Authentication [5], we use the following notations.

x believes p: Computer x thinks that statement p is true.

x sees p: Computer x receives a statement p.

x controls p: Computer x should be trusted in the matter of statement p.

fresh(p): p is a fresh statement, i.e., p has not been sent before.

We use the following deductions.

1. x sees {p}Kxy and x believes |x, y, Kxy| and x believes fresh(p) implies x believes y believes p.

2. x believes y believes p and x believes y controls p implies x believes p.

3.2 Generic Scheme

The generic scheme involves an indirect handshake between the mobile and its home. All messages are routed through the base station. In our scheme, m generates the shared key Kmb for m and b. h authenticates m to b, and b to m.

Initially, m sends a message to h encrypted in Kmh. This message contains a nonce, a newly generated shared key Kmb, and a message for b encrypted in Kmb (the message from m to h is routed through b - m identifies h to b). h sees the encrypted message, and forwards to b a message encrypted in Kbh. This

[Figure 2: Message Sequence in the Generic Scheme. Columns: Mobile Computer, Base Station, Home Computer; vertical time axis.]

At the end of the message exchange, m and b have both obtained the shared key Kmb using which they can communicate securely. A more detailed derivation of the proof is presented in the Appendix.

4 Practical Security Scheme

The security scheme as described above is correct but not always efficient. In particular, it assumes that a shared key has already been obtained for b and h. In general, this is not a reasonable assumption. In absence of a previously obtained Kbh, a Kerberos-like interaction has to be undertaken to establish the shared key first, which makes this scheme inefficient (in our development environment, only a few computers are designated as homes. Thus the assumption that Kbh is already established becomes valid over time).

We make two changes to the generic security scheme to improve its efficiency, as described below.

4.1 Authentication upon handoff

A mobile computer may first enter a cell by one of three ways - it may be powered-on in a cell, it may enter a cell through handoff from another cell, or it may enter a cell from an unserviced (no base station support) region. The last case reduces to one of the two previous cases, depending on whether the mobile computer remembers its previous base station or not.

We expect that the common case in mobile environments will be handoff across cells. We modify our authentication scheme to optimize this case.

Base stations in our development environment are statically configured (reconfiguration of base stations is rare). Thus a base station knows its neighbors, where two base stations are neighbors if their cells overlap. Typically, the neighborhood set of a base station is small. We assume that a base station has a previously acquired shared key with each of its neighbors. As noted before, base stations are special computers that are system administered, and are therefore trusted.

Let m move from the cell of b1 to the cell of b. m and b need to authenticate each other and establish a shared key. In the generic scheme, m sent a message to h. In our new scheme, m sends a message to b1. b1 authenticates m to b and b to m. Note that m and b1 have already authenticated each other, and by assumption, b1 is trusted. Thus b1 acts as the Controlling Authority in this authentication.

The sequence of messages according to the idealized protocol is

1. m → b: b1, {N, |m, b, Kmb|, {N, |m, b, Kmb|}Kmb}Kmb1

2. b → b1: {N, |m, b, Kmb|, {N, |m, b, Kmb|}Kmb}Kmb1

3. b1 → b: {N’, |m, b, Kmb|, {N, |m, b, Kmb|}Kmb, {N’, |m, b, Kmb|}Kmb1}Kbb1

4. b → m: {N”, |m, b, Kmb|, {N’, |m, b, Kmb|}Kmb1}Kmb

Figure 3 shows the message sequence.

[Figure 3: Message Exchange on Handoff. Columns: Mobile Computer, New Base Station, Old Base Station; vertical time axis.]

The protocol is correct by exactly the same arguments as in Section 3. Thus at the end of the authentication handshake, m and b1 authenticate each other and arrive at a shared key Kmb1. We expect this handshake to be very efficient since (i) Kbb1 already exists, and (ii) b and b1 are neighbors and so the communication cost is minimal.
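The four-message exchange, as an added example (not code from the paper or from the LCMACA implementation). Message contents follow the idealized handoff list above and the "sees" statements in the Appendix; the `Authority` class stands for h in the generic scheme of Section 3.2 or for b1 on handoff. Assumptions: the SHA-256/HMAC `seal`/`unseal` pair is a toy stand-in for the shared-key cipher, the nonce cache is one assumed way to enforce fresh(N), the cleartext authority name in message 1 is omitted, and all function names are hypothetical.

```python
import hashlib, hmac, json, os

def _stream(key, iv, n):
    # Toy SHA-256 counter-mode keystream standing in for DES/IDEA; not for real use.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, fields):
    """{fields}K: encrypt a JSON list under K, then append an HMAC tag."""
    pt, iv = json.dumps(fields).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, iv, len(pt))))
    return (iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()).hex()

def unseal(key, blob):
    """Open {fields}K; ValueError if it was not sealed under this key."""
    raw = bytes.fromhex(blob)
    iv, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, iv, len(ct)))))

def mobile_start(k_ma):
    """Message 1, m -> b: {N, |m,b,Kmb|, {N, |m,b,Kmb|}Kmb} under K(m, authority)."""
    k_mb, n = os.urandom(16), os.urandom(8).hex()
    stmt = ["m", "b", k_mb.hex()]                  # the statement |m, b, Kmb|
    return k_mb, seal(k_ma, [n, stmt, seal(k_mb, [n, stmt])])

class Authority:  # h in the generic scheme, b1 on handoff
    def __init__(self, k_ma, k_ba):
        self.k_ma, self.k_ba, self.seen = k_ma, k_ba, set()

    def vouch(self, msg2):
        """Message 2 in, message 3 out (authority -> b)."""
        n, stmt, for_b = unseal(self.k_ma, msg2)   # only m holds K(m, authority)
        if n in self.seen:                         # assumed way to enforce fresh(N)
            raise ValueError("replayed nonce")
        self.seen.add(n)
        n1 = os.urandom(8).hex()
        return seal(self.k_ba, [n1, stmt, for_b, seal(self.k_ma, [n1, stmt])])

def base_finish(k_ba, msg3):
    """b learns Kmb from the authority, checks m's ticket, builds message 4."""
    n1, stmt, from_m, for_m = unseal(k_ba, msg3)
    k_mb = bytes.fromhex(stmt[2])
    n, stmt_m = unseal(k_mb, from_m)               # proves m itself holds Kmb
    if stmt[:2] != ["m", "b"] or stmt_m != stmt:
        raise ValueError("key statement mismatch")
    return k_mb, seal(k_mb, [os.urandom(8).hex(), stmt, for_m])

def mobile_finish(k_ma, k_mb, msg4):
    """m checks that b holds Kmb and that the authority vouched for this run."""
    n2, stmt, from_a = unseal(k_mb, msg4)
    n1, stmt_a = unseal(k_ma, from_a)
    return stmt == stmt_a == ["m", "b", k_mb.hex()]

def run_handshake():
    k_ma, k_ba = os.urandom(16), os.urandom(16)    # pre-established shared keys
    auth = Authority(k_ma, k_ba)
    k_mb, msg1 = mobile_start(k_ma)
    msg2 = msg1                                    # b cannot read it, only forwards
    msg3 = auth.vouch(msg2)
    k_mb_at_b, msg4 = base_finish(k_ba, msg3)
    result = {"m_accepts": mobile_finish(k_ma, k_mb, msg4),
              "keys_match": k_mb == k_mb_at_b}
    for name, attempt in (("replay_rejected", lambda: auth.vouch(msg2)),
            ("rogue_base_rejected", lambda: base_finish(os.urandom(16), msg3))):
        try:
            attempt()
            result[name] = False
        except ValueError:
            result[name] = True
    return result

if __name__ == "__main__":
    print(run_handshake())
```

A base station that does not hold the key shared with the authority cannot open message 3, so it never learns Kmb; that is the property the "b believes h controls" assumption in the Appendix relies on.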

4.2 Authentication upon Power-On

The remaining issue is the authentication when a mobile computer is powered-on in a cell.

When m is first powered-on in the cell of b, it sends a message to h as before. If b and h already share a key, we apply the generic scheme. Otherwise, b and h first need to authenticate each other via a central authority c.

Note that the (b, h, c) authentication problem reduces exactly to the (m, b, h) authentication problem, with b taking on the role of m, h taking on the role of b, and c taking on the role of h. We can apply the generic scheme to the (b, h, c) authentication problem since it is valid to assume that Kbc and Khc are pre-obtained. c authenticates h and b, and establishes a shared key Kbh between them. Once Kbh is established, the (m, b, h) authentication problem is solved as in the generic scheme.

From Section 3, (m, b, h) authentication requires 4 messages, and (b, h, c) authentication requires 4 messages. However, the b → h and h → b messages in the (b, h, c) authentication are piggybacked on to the b → h and h → b messages of the (m, b, h) authentication (i.e., messages 1 and 4 of the (b, h, c) authentication are piggybacked on to messages 2 and 3 of the (m, b, h) authentication respectively). The total authentication involves 6 messages, an overhead of 2 messages. The proof of this scheme follows from applying the proof in Section 3 twice. Figure 4 shows the message sequence.

5 Implementation of the Security Scheme

We describe an implementation of the security scheme in the context of the LCMACA protocol. We are implementing the LCMACA wireless media access protocol as a part of our mobile computing environment at UC Berkeley. LCMACA achieves the 4 security goals described in Section 2. Goals 1 and 2 are proved for the scheme described in Section 3. Goal 3 is achieved by using dynamic addressing as described in Section 2. Goal 4 is achieved by the improvements described in Section 4.

This section discusses 2 environment specific issues - security for multicast packets and authentication of proxy homes - and 2 implementation specific issues - generation of nonces and realization of the idealized security protocol - in the LCMACA protocol.

5.1 Security for Multicast packets

Only base stations are allowed to multicast data. Mobile computers are not allowed to communicate with each other directly. Enabling multicast is thus simple. After a base station b authenticates a mobile computer m, b provides m with its public key Kb. b multicasts packets by encrypting them with its private

The sequence of messages as described above achieves the effect of the sequence of statements described in Section 3. At the end of the sequence of messages, b and m arrive at the shared key Kmb. We mention that the sequence of messages required to arrive at the shared keys is 4. This is because a mobile computer (at the media access layer) cannot communicate directly with the home and needs to gateway through the base station.

6 Conclusion

In the very near future, wireless LANs are expected to be commonplace. However, providing a seamless environment of wireless and wired networks is not a trivial networking problem. Wireless is inherently less secure than wire since it is possible to snoop wireless media virtually undetectably. In this paper, we propose an efficient and practical security scheme that secures the wireless medium. This scheme authenticates both the base station and the mobile computer to each other, and establishes a shared key between them. We prove the correctness of the scheme using the Logic of Authentication. We describe an implementation of this scheme in the context of the LCMACA wireless media access protocol. In proposing this scheme, we have made few and realistic assumptions. Thus we hope that our security scheme will be applicable across a wide variety of wireless media and environments.

References

[1] A. Aziz and W. Diffie. Privacy and Authentication in Wireless Local Area Networks. IEEE Personal Communications, First Quarter, 1994.

[2] V. Bharghavan, A. Demers, S. Shenker, and L. Zhang. MACAW: A Media Access Protocol for Wireless LANs. Proceedings of ACM SIGCOMM,

[3] V. Bharghavan. LCMACA - A Limited Contention Protocol for Wireless LANs: Design Document. In Preparation.

[4] V. Bharghavan. Dynamic Addressing in Wireless LANs. Submitted to IEEE Personal Communications.

[5] M. Burrows, M. Abadi, and R. Needham. A Logic of Authentication. ACM Transactions on Computer Systems, Vol. 8, No. 1, February 1990.

[6] J. Ioannidis, D. Duchamp, and G.Q. Maguire. IP-based Protocols for Mobile Internetworking. Proceedings of ACM SIGCOMM, 1991.

[7] S.P Miller, C. Neumann, J.I. Schiller, and J.H. Saltzer. Kerberos authentication and authorization system. Project Athena Technical Plan, MIT, July 1987.

Appendix

The proof of correctness of the security scheme is derived on the basis of the logic of authentication [5]. We use the following basic rules:

1. Components Rules
x sees p1, p2, ... pn implies x sees p1 and x sees p2 ... and x sees pn

If a computer sees a message consisting of multiple components, then it also sees each of the components.

2. x believes fresh(p) and x sees p, q implies x believes fresh(p, q)

If a computer sees a message consisting of multiple components and it believes that at least one component is fresh, then it believes that the whole message is fresh.

3. Message Meaning Rule for Shared Keys
x believes |x, y, K| and x sees {p}K implies x believes y said p

Since x believes that K is a shared key known only to x and y, and x sees a message encrypted in K, x believes y sent the message.

4. Nonce Verification Rule
x believes y said p and x believes fresh(p) implies x believes y believes p

Since x believes y said p, and x believes that p is fresh, x believes y believes p.

From [2], [3] and [4],

5. x sees {p, q}K and x believes |x, y, K| and x believes fresh(p) implies x believes y believes p,

At the start of the exchange, we assume the following:

m believes |m, b, Kmb|
m believes |m, h, Kmh|
h believes m controls |m, b, K|
b believes h controls |m, b, K|
m, b, and h believe fresh(N), fresh(N’), fresh(N”)

A. After message 2

1. h sees {N, |m, b, Kmb|, {N, |m, b, Kmb|}Kmb}Kmh and h believes |m, h, Kmh| and h believes fresh(N) implies
h believes m believes N, |m, b, Kmb|, {N, |m, b, Kmb|}Kmb (from 5)

2. h believes m believes |m, b, Kmb| and h believes m controls |m, b, Kmb| implies
h believes |m, b, Kmb| (from 4)

B. After message 3

1. b sees {N’, |m, b, Kmb|, {N, |m, b, Kmb|}Kmb, {N’, |m, b, Kmb|}Kmh}Kbh and b believes |b, h, Kbh| and b believes fresh(N’) implies
b believes h believes N’, |m, b, Kmb|, {N, |m, b, Kmb|}Kmb, {N’, |m, b, Kmb|}Kmh
b believes h believes |m, b, Kmb| (from

2. b believes h believes |m, b, Kmb| and b believes h controls |m, b, Kmb| implies
b believes |m, b, Kmb| (from 4)

3. b sees {N, |m, b, Kmb|}Kmb and b believes |m, b, Kmb| and b believes fresh(N) implies
b believes m believes |m, b, Kmb| (from 5)

C. After message 4

1. m sees {N”, |m, b, Kmb|, {N’, |m, b, Kmb|}Kmh}Kmb and m believes |m, b, Kmb| and m believes fresh(N”) implies
m believes b believes N”, |m, b, Kmb|, {N’, |m, b, Kmb|}Kmh
m believes b believes |m, b, Kmb| (from

2. m sees {N’, |m, b, Kmb|}Kmh and m believes |m, h, Kmh| and m believes fresh(N’) implies
m believes h believes |m, b, Kmb| (from

Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association of Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. CCS '94 11/94 Fairfax Va., USA © 1994 ACM 0-89791-732-4/94/0011..$3.