Mutual Preimage Authentication for Fast Handover in Enterprise Networks

  • Andreas Noack
  • Mark Borrmann
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6426)

Abstract

Wireless enterprise networks with a central authentication server are very common in companies due to their simple serviceability. Roaming between wireless cells of these enterprise networks usually results in connection interrupts because of long authentication times, which are very negative for near realtime communication like VoIP calls. Fast handover in enterprise networks demands therefore a fast authentication and key exchange protocol.

We propose an extensible authentication protocol (EAP) for this purpose that is explicitely optimized to reduce authentication times, while still providing a high security level. The ”Mutual Preimage Authentication” (MPA) protocol offers a secure authentication of both sides and a secure key agreement with only two cryptographic messages and symmetric cryptography. Even more, the MPA protocol provides non-repudiation for the authentication process.

Our contribution includes a formal security proof under an enhanced Canetti-Krawczyk (eCK) based security model and a practical performance analysis on the basis of a proof-of-concept implementation [4], where we demonstrate the efficiency of our protocol in comparison with common efficient EAP protocols.

Keywords

Wireless networks Enterprise RADIUS Extensible Authentication Protocol Roaming Handover 
This is a preview of subscription content, log in to check access.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Beck, M., Tews, E.: Practical attacks against wep and wpa. Cryptology ePrint Archive, Report 2008/472 (2008), http://eprint.iacr.org/
  2. 2.
    Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  3. 3.
    Blake-Wilson, S., Menezes, A.: Unknown key-share attacks on the station-to-station (STS) protocol. In: Lecture Notes in Computer Science, pp. 154–170 (1999)Google Scholar
  4. 4.
    Borrmann, M.: Implementierung eines effizienten eap-protokolls. Diplomathesis, Ruhr-University Bochum (2009)Google Scholar
  5. 5.
    Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992)Google Scholar
  6. 6.
    Calhoun, P., Loughney, J., Guttman, E., Zorn, G., Arkko, J.: Diameter base protocol. RFC3588, Network Working Group (2003)Google Scholar
  7. 7.
    LAN/MAN Standards Committee. Ieee standard for local and metropolitan area networks – port-based network access control. IEEE 802.1X, IEEE Computer Society (2004)Google Scholar
  8. 8.
    Cordasco, J., Meyer, U., Wetzel, S.: Implementation and performance evaluation of eap-tls-ks. In: Securecomm and Workshops, pp. 1–12 (2006)Google Scholar
  9. 9.
    Fluhrer, S.R., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of rc4. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 1–24. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  10. 10.
    IEEE 802.11 Working Group. Ieee standard for information technology – part 11: Wireless lan medium access control (mac) and physical layer (phy) specifications/amendment 6: Medium access control (mac) security enhancements. IEEE 802.11i, IEEE Computer Society (2007)Google Scholar
  11. 11.
    Huang, H., Cao, Z.: Authenticated key exchange protocols with enhanced freshness properties. Cryptology ePrint Archive, Report 2009/505 (2009), http://eprint.iacr.org/
  12. 12.
    LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. Cryptology ePrint Archive, Report 2006/073 (2006), http://eprint.iacr.org/
  13. 13.
    Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)Google Scholar
  14. 14.
    Malinen, J.: Host ap project (hostapd/wpa_supplicant). Website (2009), http://hostap.epitest.fi/
  15. 15.
    Noack, A.: Sicherheitsanalyse von eap-protokollen. Masterthesis, Ruhr-University Bochum (2007)Google Scholar
  16. 16.
    Opensource. Freeradius project (2009), http://freeradius.org/
  17. 17.
    Rogaway, P., Shrimpton, T.: Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 371–388. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  18. 18.
    Rigney, C., Willens, S., Rubens, A., Simpson, W.: Remote authentication dial in user service (radius). RFC2865, Network Working Group (2000)Google Scholar
  19. 19.
    Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332 (2004), http://eprint.iacr.org/
  20. 20.
    Tews, E.: Attacks on the wep protocol. Cryptology ePrint Archive, Report 2007/471 (2007), http://eprint.iacr.org/
  21. 21.
    Tews, E., Weinmann, R.-P., Pyshkin, A.: Breaking 104 bit wep in less than 60 seconds. Cryptology ePrint Archive, Report 2007/120 (2007), http://eprint.iacr.org/

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Andreas Noack
    • 1
    • 2
  • Mark Borrmann
    • 2
  1. 1.Horst Görtz Institute for IT-SecurityGermany
  2. 2.Ruhr University BochumGermany

Personalised recommendations