Fast authentication and trust-based access control in heterogeneous wireless networks

The development of wireless technologies lets a user equipped with a portable wireless device access services at any time and from anywhere. Different network access technologies have been designed for different purposes, and today's digital universe is heterogeneous in several senses of the word. Multiple IP-based services are offered to users who subscribe to multiple service providers and who have multiple roles and identities. These users carry multi-interface handheld devices with differing capabilities, and they can therefore reach a wide range of services over multiple access networks managed by multiple authorities. The limited coverage of each access technology forces a user to obtain connectivity through a variety of network technologies, and for the same reason different technologies coexist in the same geographical areas. There is a strong need for new paradigms and approaches to manage this heterogeneous universe and to deliver to users services adapted to their current terminals and access modes. In this thesis, we study the current situation and trends in the development of wireless technologies. We discuss the problems related to the security mechanisms specific to each technology, and in particular the possibilities for integration and interworking. Security solutions always rest on an underlying trust model, and in the modern, dynamic, wireless world there is a strong need for trust establishment procedures. Security mechanisms for ubiquitous mobility scenarios should be flexible and independent of the operator, the infrastructure and the underlying wireless technology. The key challenges to ubiquitous, secure mobility have been identified, and the advantages and shortcomings of existing solutions have been analysed. We first study whether authentication latency can be reduced in a scenario where network access authentication is decoupled from service access authentication: an authorised user is granted both network and service access as the result of a single authentication process that combines 802.1X and PANA operations. We then introduce the Fast re-Authentication Protocol (FAP) for inter-domain roaming, which aims to reduce the authentication delay for a mobile user in a visited administrative domain. The approach eliminates the need for communication between the target network and the user's home network for credential verification. We develop FAP further by proposing a ticket distribution scheme for inter-domain roaming; this scheme decreases the number of tickets sent and consequently the overhead and delay of the ticket acquisition phase of the protocol. Numerical results obtained from experiments on a test-bed and from a series of simulations show that the proposed scheme improves inter-domain handover parameters such as authentication latency and signalling cost. To improve access control to network resources, we propose an adjustable trust model. Its purpose is to give the network the ability to react to user behaviour: the network observes the activity of each user and calculates a corresponding trust value. Clients with low trust due to illicit behaviour are not allowed to access the network, and users are motivated to earn higher trust because trusted users gain access to a larger set of services with higher quality of service. The proposed trust-based access control method has been validated by simulation. Finally, we discuss how the proposed solutions can be implemented in a single framework.
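The following is an added illustration, written for this page and not taken from the thesis, of the two mechanisms the abstract describes working together as its closing sentence suggests: a visited domain verifies a roaming ticket locally, without contacting the user's home network, and then maps the network's observed trust in that user to an access tier. The ticket format (a JSON body with an HMAC-SHA256 tag under a key the home domain shares with each visited domain), the key names, the per-event trust adjustments and the tier thresholds are all assumptions made here; the thesis does not define them on this page.

```python
"""Constructed example: ticket-based re-authentication in a visited domain,
followed by a trust-tier access decision. Not the thesis's own code; the ticket
format, the shared-key arrangement, the trust formula and the tier thresholds
are all assumptions made for this illustration."""
import base64
import hashlib
import hmac
import json

# Assumption: the home domain shares one symmetric key with every visited
# domain it has a roaming agreement with (constructed keys below). A visited
# domain can then verify a ticket with its own key alone, so no round trip to
# the home network is needed at re-authentication time.
DOMAIN_KEYS = {
    "visited-a.example": b"constructed-key-shared-with-visited-a",
    "visited-b.example": b"constructed-key-shared-with-visited-b",
}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def issue_ticket(user, target_domain, issued_at, lifetime):
    """Home domain issues a ticket bound to one user and one target domain.

    The ticket is <base64(JSON body)>.<base64(HMAC-SHA256 tag)>; the validity
    window [nbf, exp) limits how long a captured ticket stays usable."""
    body = {"user": user, "domain": target_domain,
            "nbf": issued_at, "exp": issued_at + lifetime}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(DOMAIN_KEYS[target_domain], payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_ticket(ticket, my_domain, now):
    """Visited domain checks a presented ticket locally.

    Returns the authenticated user name, or None on a malformed ticket, a bad
    tag, a ticket issued for another domain, or one outside its window."""
    try:
        p_b64, t_b64 = ticket.split(".")
        payload = base64.urlsafe_b64decode(p_b64)
        tag = base64.urlsafe_b64decode(t_b64)
    except ValueError:  # wrong field count or invalid base64 (binascii.Error)
        return None
    expected = hmac.new(DOMAIN_KEYS[my_domain], payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    body = json.loads(payload)  # tag verified, so the body is the issuer's own
    if body.get("domain") != my_domain or not body["nbf"] <= now < body["exp"]:
        return None
    return body["user"]


# Assumption: per-event trust adjustments, clipped to [0, 1]. Illicit behaviour
# costs more than a well-behaved session earns, so trust builds slowly and is
# lost quickly; the thresholds below are likewise chosen for this example.
EVENT_DELTA = {"session_ok": 0.05, "policy_violation": -0.20, "attack_detected": -0.50}
DENY_BELOW = 0.3     # below this the user is refused network access
PREMIUM_FROM = 0.7   # from this the user gets the larger service set


class TrustModel:
    """Network-side record of observed behaviour, reduced to one trust value per user."""

    def __init__(self, initial=0.5):
        self.initial = initial   # trust granted to a user never seen before
        self.trust = {}

    def observe(self, user, event):
        """Fold one observed event into the user's trust and return the new value."""
        value = self.trust.get(user, self.initial) + EVENT_DELTA[event]
        self.trust[user] = round(min(1.0, max(0.0, value)), 2)
        return self.trust[user]

    def tier(self, user):
        value = self.trust.get(user, self.initial)
        if value < DENY_BELOW:
            return "deny"
        return "premium" if value >= PREMIUM_FROM else "basic"


def admit(ticket, my_domain, now, model):
    """Combined decision: valid ticket first, then the trust tier it maps to.

    Returns (decision, tier); tier is None when the ticket itself fails."""
    user = verify_ticket(ticket, my_domain, now)
    if user is None:
        return ("reject", None)
    tier = model.tier(user)
    return ("reject" if tier == "deny" else "admit", tier)


if __name__ == "__main__":
    model = TrustModel()
    ticket = issue_ticket("alice@home.example", "visited-a.example", 1000, 300)
    print(admit(ticket, "visited-a.example", 1100, model))   # ('admit', 'basic')
    model.observe("alice@home.example", "attack_detected")
    print(admit(ticket, "visited-a.example", 1100, model))   # ('reject', 'deny')
```

Two design points are worth noting. The ticket carries the target domain inside the signed body even though a ticket for domain A would already fail domain B's tag check under a different key; the explicit field keeps the check correct if keys are ever shared between domains. The trust update is deliberately asymmetric, which is what gives the user the incentive the abstract describes: many well-behaved sessions are needed to reach the premium tier, while one detected attack drops the user to the deny tier immediately.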
