EAP-CRA for WiMAX, WLAN and 4G LTE Interoperability

1.1. Robust security network association

The IEEE 802.11i standard defines two classes of security framework for IEEE 802.11 WLANs: RSN and pre-RSN. A station is called RSN-capable equipment if it is capable of creating RSN associations (RSNA). Otherwise, it is a pre-RSN equipment. The network that only allows RSNA with RSN-capable equipments is called an RSN security framework. The major difference between RSNA and pre-RSNA is the 4-way handshake. If the 4-way handshake is not included in the authentication / association procedures, stations are said to use pre-RSNA. The RSN, in addition to enhancing the security in pre-RSN defines a number of key management procedures for IEEE 802.11 networks. It also enhances the authentication and encryption mechanisms from the pre-RSN. The enhanced features of RSN are as follows:

Authentication Enhancement: IEEE 802.11i utilizes IEEE 802.1X for its authentication and key management services. The IEEE 802.1X incorporates two components namely, (a) IEEE 802.1X Port and (b) Authentication Server (AS) into the IEEE 802.11 architecture. The IEEE 802.1X port represents the association between two peers as shown in Figure 1. There is a one-to-one mapping between IEEE 802.1X Port and association.

Key Management and Establishment: Two ways to support key distribution are introduced in IEEE 802.11i: manual key management and automatic key management. Manual key management requires the administrator to manually configure the key. The automatic key management is available only in RSNA. It relies on IEEE 802.1X to support key management services. More specifically, the 4-way handshake is used to establish each transient key for packet transmission as in Figure 2.

Encryption Enhancement: In order to enhance confidentiality, two advanced cryptographic algorithms are developed: Counter-Mode/CBC-MAC Protocol (CCMP) and Temporal Key Integrity Protocol (TKIP). In RSN, CCMP is mandatory. TKIP is optional and is recommended only to patch any pre-RSN equipment.

During the initial security association between a station (STA) and an access point (AP), the STA selects an authorized Extended Service Set (ESS) by selecting among APs that advertise an appropriate Service Set ID (SSID). The STA then uses IEEE 802.11 Open System authentication followed by association to the chosen AP. Negotiation of security parameters takes place during association. Next, the AP’s Authenticator or the STA’s Supplicant initiates IEEE 802.1X authentication. The Extensible Authentication Protocol (EAP) used by IEEE 802.1X will support mutual authentication, as the STA needs assurance that the AP is a legitimate Access Point.

The last step is the key management. The authentication process creates cryptographic keys shared between the IEEE 802.1X AS and the STA. The AS transfers these keys to the AP, and the AP and STA use one key confirmation handshake, called the 4-Way Handshake, to complete security association establishment. The key confirmation handshake indicates when the link has been secured by the keys and is ready to allow normal data traffic.

In the case of roaming, an STA requesting (re)association followed by IEEE 802.1X or pre-shared key authentication, the STA repeats the same actions as for an initial contact association, but its Supplicant also deletes the PTK when it roams from the old AP. The STA’s Supplicant also deletes the PTKSA when it disassociates / de-authenticates from all basic service set identifiers in the ESS. An STA already associated with the ESS can request its IEEE 802.1X Supplicant to authenticate with a new AP before associating to that new AP. The normal operation of the DS via the old AP provides communication between the STA and the new AP.

3.1. The EAP-CRA protocol

With regard to mutual authentication EAP-CRA uses RADIUS servers as suggested in IEEE 802.1x [17]. RADIUS protocol exhibits better performance compared to other mutual authentication protocols [18]. EAP-CRA offers direct communication between radius servers by pre-arranged agreement or the servers could find each other dynamically. In case the RADIUS servers do not have a pre-arranged agreement then they can use their CA-signed PKI certificates to ascertain trust between servers.

All AAA servers that participate in the EAP-CRA must have some pre-arranged agreement for secure communication. Assuming that all AAA Servers that participate in the EAP-CRA are in possession of their CA-signed PKI certificates, the CRA protocol uses the CA-signed PKI certificates to communicate between the FOREIGN and the HOME AAA servers. However, other options for secure communications such as a virtual private network (VPN) or SSL can also be used. In the protocol details shown in Figure 4, CRA uses the already available CA-signed PKI certificates of the FOREIGN and the HOME AAA servers for secure communication. Message 3 is encrypted using the private key of the FOREIGN AAA server (EKPFHostName,EKUHEMSKname,SeqNo.) and message 4 is encrypted using the public key of the FOREIGN AAA server (EKUFDSRK). However, in Figure 4, we have left the issue of secure communication between the FOREIGN and the HOME AAA server open, to confirm that other options are possible.

According to the EAP-CRA protocol, in response to the EAP-CRA Request Identity message (message 1 in Figure 4), the supplicant sends an EAP Response message with its Identity (EMSKname and Sequence number) encrypted with the public key of the HOME AAA server (message 2 in Figure 4) along with the unencrypted host name of the HOME AAA server. EMSKname is used to identify the corresponding EMSK and Sequence Number for Replay protection by the Home AAA server. The authenticator, having received the encrypted Identity will pass it to the FOREIGN AAA server as it is. The FOREIGN AAA server uses the fully qualified Host Name provided in EAP-CRA Response message to determine the Home AAA server. The FOREIGN AAA server will append its Domain name to the received message (EAP-CRA Response) and pass it to the HOME AAA server using the secure method described above (message 3).

The HOME AAA server will then have to do a double decryption to find the identity of the HOME wireless device. If the wireless device is positively identified, the HOME AAA server calculates DSRK (Domain Specific Re-authentication key). DRSK is calculated using Domain Name as an optional data in the key derivation specified in [15]. HOME AAA server will then send the DSRK to the FOREIGN AAA server after encrypting the message using the public key of the FOREIGN AAA server (message 4). This process is illustrated in Figure 5. The FOREIGN AAA server can use its private key to decrypt the received message to discover the DSRK and generate rMSK (Re-authentication Master Session Key). rMSK is calculated using a sequence number as an optional data specified in [14]. The rMSK can then be transferred to the authenticator with the RADIUS Access Accept message (message 5 in Figure 4). Finally the authenticator sends the EAP success message to the wireless device indicating the completion of the CRA authentication and the beginning of the key distribution phase.

Two sequence numbers, one with HOME AAA server and one with FOREIGN AAA server is maintained for replay protection of EAP-CRA messages. The sequence number maintained by the supplicant and HOME AAA server is initialized to zero on the generation of EMSK. The server sets the expected sequence number to the received sequence number plus one on every successful Re-authentication request i.e. on generation of DSRK. Similarly the supplicant and the FOREIGN AAA server maintain a sequence number with the generation of rMSK until the supplicant is in the FOREIGN AAA server’s domain.

On receiving the EAP success message, the peer generates rMSK independently leading to the key distribution phase. The key distribution phase will be similar to that of the RSNA where the supplicant and the authenticator will use the MSK to derive TSK. Once the Temporary Session keys (TSK) are derived normal data communication can commence. In the next section we discuss the server side communication of the CRA authentication mechanism.

3.2. Extentions to RADIUS

EAP-CRA uses RADIUS as the transportation protocol between the Home and Foreign servers. However the RADIUS protocol is a client-server protocol. The RADIUS server, when forwarding the authentication packet to another RADIUS server, designates the sender as client. Hence, the foreign server’s only responsibility is to fulfill the role of a proxy server and to forward the RADIUS packets to the Home server. EAP-CRA takes advantage of RADIUS communication and encapsulates the EAP-CRA messages inside the RADIUS packets. There are two viable approaches to designing the security methods that were discussed in the previous section.

The first approach is to implement the security features inside the attribute field of the RADIUS packet (Table 1). The attribute field of each RADIUS Packet includes at least three fields that enable the RADIUS packet to carry EAP messages or other information for Dial in user. The attribute field can be used to encapsulate EAP-CRA messages inside the RADIUS packet. Extensions to RADIUS protocol so far proposed have been for the purpose of modifying or creating new attributes such as EAP or apple extensions for RADIUS, each of which has particular attributes.

Type 79 is for EAP messages and 92-191 are Unused. If the value is string or text type then the length can be from 1 to 253 octets. Therefore the type value can be between 92 to 191 octets for the EAP method. The type of the value will be string and as with other EAP methods data is encapsulated inside the RADIUS packet. The foreign server can encapsulate the encrypted message inside the RADIUS packet, so that the home server must first decrypt the message and then respond by a proper RADIUS message to the foreign server.

The second approach is to use a dependent VPN over a SSL connection between the two servers prior to RADIUS communication. The RADIUS packets can then be sent in a secure channel. However, EAP-CRA does not use this method because it entails extra network administration. It also creates a connection delay prior to the EAP-CRA message transmission. Also, the use of PKI actually provides a more secure channel by which the EAP-CRA message can be sent and received.

3.3. Experiments

For our experiments we setup three different scenarios to compare the time taken to authenticate a user. Edu-roaming, EAP-CRA and direct authentication with a single RADIUS authentication server were considered. RADIUS servers were installed on Windows 2003 Server standard edition and all platforms had 2 GB RAM and 2GHz dual core CPU.

Microsoft Internet Authentication Service (IAS) with Microsoft EAP-PEAP was used in these experiments. IAS is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy in Windows Server 2003. As a RADIUS server, IAS performs centralized connection authentication, authorization and accounting for many types of network access including wireless and VPN connections. As a proxy, the IAS forwards authentication and accounting messages to other RADIUS servers.

To start with fair baselines both EAP-CRA and Edu-roaming were implemented in LAN but in different IP subnets. Moreover to magnify the delay of authentication for Edu-roaming another setup on Internet was also implemented. The first topology is the Edu-roaming model. Since this is a proprietary model it was implemented on five Microsoft IAS that was installed on the Java virtual box. Because the Edu-roaming has federation level RADIUS servers and one root RADIUS server, we implemented five RADIUS servers in all. Two of the RADIUS servers were for the home and the foreign networks, two as the federation level RADIUS servers and the last one as the Root authentication server. Figure 6 shows the topology for Edu-roaming that was implemented by us.

The second scenario was an implementation of Edu-roaming and EAP-CRA servers on the Internet. Five servers were installed at various remote sites in Brisbane Australia. In all scenarios, the time difference between the first RADIUS request message and the last RADIUS accept message was used for comparing the time taken for authentication. Tables 4 and 5 lists the average times obtained on the LAN and Internet implementations over forty different trials.

According to Table 1 there is a 111 milliseconds time difference in the authentication times between Edu-roaming and the EAP-CRA. As explained earlier the EAP-CRA directly communicates with the foreign RADIUS server. Moreover, the difference in authentication times between the CRA approach and direct authentication with the RADIUS server is 29 milliseconds. Table 5 shows the authentication times over the Internet. Here, the RADIUS servers are located at different locations and are connected over the Internet. In this case there is a significant difference in authentication times between Edu-roaming and EAP-CRA approaches. The Edu-roaming approach is almost three times slower than the EAP-CRA approach in this case.

3.4. Discussion

Figure 7 confirms the potential of the EAP-CRA approach compared to the other methods. The main advantage of the EAP-CRA authentication mechanism is the use of only two messages to authenticate a wireless device in a FOREIGN network. Although the time taken between the FOREIGN AAA server and the HOME AAA server may vary depending on the traffic and/or capacity of the wired network, the use of only two messages in a FOREIGN network makes CRA authentication mechanism very much reliable compared to other available techniques. Further, even if the foreign network uses a less secure authentication mechanism, it still will not affect the EAP-CRA supplicants since their PMKs are supplied by the HOME AAA servers not-withstanding the limitations of the foreign network.

Another significant advantage of the EAP-CRA is its reliance on the HOME security credentials to secure its clients in the foreign network. Hence, it can be assured that the EAP-CRA clients will have the same security guarantee as in their home network in the foreign network. Further, in the case of EAP-TLS authentication with CA-signed PKI certificates, clients will need only a single set of certificates signed by the CA accepted by the HOME AAA server. There will be no need for clients to carry a number of different certificates to authenticate with different networks. Hence, in this context, the EAP-CRA facilitates EAP-TLS authentication and makes it more practical and viable.

Although there are many other techniques proposed for distributed authentication, the advantages of the EAP-CRA technique is its simplicity, robustness and versatility. Unlike many other systems that require additional components such as a token management system or federation of RADIUS servers, the EAP-CRA system depends only on the existing infrastructure, hence, assuring simplicity. The use of existing CA-signed PKI certificates without necessitating other authentication mechanisms such as tokens or smart cards enables the EAP-CRA system to be confined. Further, EAP-CRA system is not limited to WLAN or WiMAX, it can be effectively used with any wireless network, harnessing the unique security features of that particular wireless network. Furthermore, the authentication mechanism (EAP-TLS, EAP-TTLS, EAP-PEAP etc.) used by the wireless network does not influence the EAP-CRA system because it does use any form of mappings between these protocols and the EAP-CRA protocol.

The above discussions illustrate the significance of the CRA approach and emphasize the need for a fast authentication mechanism as opposed to a hierarchical mechanism like the Edu-roam. Although Microsoft IAS provides a similar infrastructure to that of EAP-CRA, it is restricted to Microsoft EAP-PEAP authentications. In contrast EAP-CRA does not rely on any particular authentication protocol. It is designed to reap the maximum leverage of the authentication mechanism that is best for the particular home environment. Hence, when a hand-held device roams in a foreign network it will have the same security guarantee as in the home network.

EAP-CRA is differentiated by other EAP methods in the aspects of communication scope by covering both the foreign and the home authentication servers. Other EAP methods such as EAP-TLS or EAP-TTLS do not consider server to server communication. EAP-CRA provides authentication and communication privacy between the foreign and the home authentication servers based on public key infrastructure. The home and foreign servers have got the public certificates of each other. EAP-CRA encrypts the authentication message twice and then sends it to the other foreign server ensuring privacy and authenticity of the message. Any message from home server will first be signed by the home server’s private key and then by the foreign servers public key. Same process happens if the foreign server sends a message to the home server. The signature of a server by the private key authenticates the server to the other server and the public key encryption ensures privacy of the transmitted message. To implement the transmitting of the messages between two authentication servers EAP-CRA suggests using of RADIUS protocol by creating a new attribute field which encapsulates the EAP-CRA message. The EAP-CRA message is the double encrypted message which will be located in the value filed of the RADIUS attribute.

On the negative aspect, the effectiveness of EAP-ERP will depend on the mutual trust established between the participating AAA servers. If the AAA servers do not have any form of prior agreement, it will be up to the discretion of a FOREIGN AAA server whether to accept or deny an EAP-CRA request.

4.1. Full EAP-CRA authentication

Initial assumption of the CRA protocol is that each mobile Node is primarily associated with a Network, which in this context is referred to as the Home network. The security of the Home network and the authentication mechanism used must be robust. It is assumed that an EAP method such as EAP-TLS, EAP-PEAP or EAP-TTLS is used in the Home network. Therefore the values for MSKName, MSK, EMSK and the Time To Live (TTL) for these keys are available for the Peer. Since some of the EAP methods utilize CA-signed PKI certificates to authenticate and secure the communication CRA extends it to add more flexibility to certificate based authentication. We have chosen WLAN as the medium to illustrate the components and messaging of EAP-CRA. Firstly, both the peer and the Foreign Access Point (FAP) discover their capabilities and decide on a suitable protocol to authenticate each other. If both parties are capable of EAP-CRA then the FAP will compose an EAP request message to solicit the identity of the Peer. It should be mentioned that the key for hashing function is generated from the EMSK.

In an unknown network, the peer will first check if the TTL of MSK is still valid. Expired MSK will lead to a failed authentication and will prompt a full authentication. The peer will be responsible to do a full authentication with its Home Network to obtain a fresh MSK. On the other hand, if the MSK is valid, the peer generates a random sequence number and encrypts the EMSKname of home network and the sequence number with the public Key of its HAS. The composed EAP-Response message will be sent to the FAP, which contains the encrypted message, Message Authentication Code, the realm of the home network and the random identity of the peer (message b in List 1).

List 1: Messages Exchanged During CRA Full Authentication

1. FAP→MN:EAPreq[ID]Inline Formula

2. MN→FAP:EAPres[Hostname, Realmh,EMSKname, Seq#UKh,MAC] Inline Formula

3. FAP→FAS: ACCreq[Hostname,Realmh,EMSKname, Seq#UKh, MAC] Inline Formula

4. FAS→HAS: ACCreq[Realmf,HostnamePKf,EMSKname, Seq#UKh] Inline Formula

5. HAS→FAS: ACCres[HostnamePKh, MSKCRA, EMSKCRAUKf,EAPsuccess, Seq#] Inline Formula

6. FAS→FAP: ACCres[MSKCRA, Realmf,ReID,Seq#,MAC] Inline Formula

7. FAP→MN: EAPreq[Realmf,ReID,Seq#,MAC] Inline Formula

8. MN→FAS:EAPres[ACK,Seq#,MAC] Inline Formula

9. FAS→MN:EAPsuc Inline Formula

FAP will encapsulate this EAP-Response message inside a RADIUS Packet and forward it to the foreign authentication server. The FAS will also utilize RADIUS for server-to-server communication. However before sending the received message, the FAP will add its domain name and encrypt the MSKname with its Private Key (message d in List 1). This enables the HAS to authenticate the FAS. Upon receiving the message from a foreign network, HAS is able to check if the FAS is authorized based on the domain name of the FAS. The HAS can authenticate the FAS by verifying the contents of the signed message. Peer authentication will be managed by matching the MSKname with MSK, EMSK, Validation of key timer and the number of re-authentication of the peer. If the MSK is valid the HAS can combine the foreign domain name, sequence number and the previous EMSK to generate new CRA-MSK and CRA-EMSK.

After updating the timer and counter values of the MSKname the HAS creates a RADIUS message which holds Access Accept, encrypted values of CRA-MSK and CRA-EMSK with FAS’s Public Key, MAC and privately signed message of domain name – MSKname (message e in List 1).

FAS first checks the signed MSKname to validate the HAS, then stores the MSKname and CRA keys. In addition to these it calculates a new timer, counter and random re-authentication ID for local re-authentication in case the peer stays for longer time in the foreign network. These values are CRA_timer, CRA_counter, and CRA_RND. The value of the CRA_timer must be less than the validity time of the initial MSK. Next, the FAS sends CRA_counter, re_id, EMSKname signed with HAS’s private key, Foreign realm and CRA-MSK inside a RADIUS packet to FAP (message f in List 1). The CRA-MSK will be utilized for future communication to provide privacy. The rest of the message is sent to the peer (message g in List 1). The peer will be able to authenticate its home server by verifying the signature and can generate CRA-MSK and CRA-EMSK. It then creates a EAP-Response as an acknowledgment with MSKname. The FAS can then compose a EAP-Success message and send it back to the peer.

On receiving the EAP success message, the peer generates rMSK independently leading to the key distribution phase. The key distribution phase will be similar to that of the RSNA where the supplicant and the authenticator will use the MSK to derive the Temporal Session Key (TSK). Once the TSKs are derived normal data communication can commence.

4.2. EAP-CRA re-authentication

In the previous section we described a roaming-enabled authentication mechanism for users who wish to get connected to a new network, using the security credentials that they use in their home network. Although we anticipate relatively faster CRA authentication, in situations where the user continues to work on a foreign network the need for re-authentication is anticipated.

This section will explain the re-authentication process that can occur due to handover within the same network, i.e. when a user moves from one access point to another. The Enhanced CRA full authentication generates CRA-MSK and CRA-EMSK for a secure communication. Possession of these keys by the supplicant and the FAS can quicken the process of re-authentication. The FAS, after the successful authentication of a supplicant distributes the re-authentication identity and the CRA_Counter to the peer. The counter determines the number of re-authentications which can be acceptable.

The process of re-authentication will be initiated by the authenticator with EAP-Request for supplicant ID. In response the supplicant will check the time since last logon to verify the validity of CRA-MSK. In case the key is expired then a valid peer will fall back to request a full EAP-CRA authentication. On the other hand the supplicant sends its re-authentication ID and realm inside Kname-NAI, a random sequence number with a hashed value of the message. The key for the hash can be generated from the CRA-EMSK and sequence number. Here, the need for the sequence number arises to provide immunity against replay attacks. The authenticator will then forward the EAP-Response encapsulated as a RADIUS packet to the FAS (message c in List 2).

List 2: Messages Exchanged During CRA Re-Authentication

1. FAP→MN:EAPreq[ID] Inline Formula

2. MN→FAP: EAPres[KeyNameNAI,Seq#,MAC] Inline Formula

3. FAP→FAS:ACCreq[KeyNameNAI,Seq#,MAC] Inline Formula

4. FAS→FAP:ACCres[MSKCRA,ReID,EAPsucces] Inline Formula

5. FAP→MN: EAPreq[ReID,Seq#,MAC] Inline Formula

6. MN→FAS:EAPres[ACK,Seq#,MAC] Inline Formula

7. FAS→MN:EAPsuc Inline Formula

Upon receiving the message the FAS checks the Kname-NAI with its stored authentication information. If there is a match, the server generates the hash value to verify the validity of the message and update the CRA_counter and CRA_timer values. The FAS will then send MSK, MAC, SEQ number to the authenticator. The authenticator retains the MSK and sends the rest to the peer. In the final step, the peer sends an EAP-Response as an acknowledgment. At this point the client is able to calculate the keying material, however to start secure communication the peer waits until it received the EAP-success from the authenticator.

Two sequence numbers, one with HAS and other with FAS are maintained for replay protection of EAP-CRA messages. The sequence number maintained by the supplicant and HAS is initialized to zero on generation of EMSK. The server sets the expected sequence number to the received sequence number plus one on every successful Re-authentication request, i.e. on generation of DSRK. Similarly, the supplicant and the FAS maintain a sequence number with the generation of rMSK while the supplicant is in the FAS’s domain.

4.3. Analysis

To substantiate the effectiveness our protocol we first examine the key security features of Enhanced CRA and then compare the cost involved in communication and computing between Enhanced EAP-CRA and its close competitor EAP-ERP.

4.4. Cost consideration

In this section we compare the cost of communication and computation between Enhanced EAP-CRA and EAP-ERP. It should be noted that EAP-ERP performs a full authentication with the home server every time it enters a foreign network. For this purpose we use EAP-TLS as the home authentication method.

EAP-CRA exchanges eight messages between the supplicant and the servers during full authentication. It also utilizes seven messages during the re-authentication process. In the case of ERP, a minimum of sixteen messages are exchanged between the supplicant and the servers. This is made up of seven messages that are specific to ERP and at least nine messages from EAP-TLS, since we consider EAP-TLS as the home authentication method. For simplicity we are considering the size of the messages during these exchanges. Table 3 lists the number of messages used in each authentication methods.

When entering a foreign network, a station that uses EAP-ERP performs a full authentication with its home server. This process will be very time consuming due to the fact that all message exchanges should take place over the internet. This is a significant weakness of EAP-ERP compared to EAP-CRA for two reasons; 1) the number of messages and 2) the size of the messages. With regards to re-authentication, ERP re-authentication should take place much quicker as it uses only five messages. However, the actual time differences must be determined after the real setup of both protocols.

To evaluate the computational cost of the protocols we investigate the number of Hashing, Encryption and Decryption operations performed. Table 6 presents these values for EAP-CRA and EAP-ERP. In case of EAP-CRA full authentication there are four hashing operations and eight encryption operations. Initial EAP-ERP does not involve any encryption or decryption but it should be noticed that there will be at least 16 message exchanged while there are just 8 messages for full EAP-CRA authentication. Moreover the encryption involved in the process will ensure the security of the supplicant while it is roaming to a foreign network. In case of Re-authentication, cost of both protocols will be very similar as they both will perform four hash operations.

From the above comparisons we can say that EAP-ERP has high communication costs and Enhanced EAP-CRA has high computing costs. Therefore, we are expecting reasonable performance for Enhanced EAP-CRA due to the fact that communication overheads are normally more costly compared to the computational overheads.