Embed Size (px)
Citation preview
8/6/2019 Concatenated Wireless Roaming Security
http://slidepdf.com/reader/full/concatenated-wireless-roaming-security 1/5
Concatenated Wireless Roam ing SecurityAssociation and A uthentication Protocol using
ID-Based Cryptography
Byung-Gil Lee', Membe r , IEEE,Hyun-Gon Kim', Sung-WonSohn' and Kil-Houm Park'
Electronics and Telecommunications Research Institute, Daejeon, Korea'Kyungpook National University, 1370 Sankyuk-dong, Buk-gu,DaeC u, Korea'
Abirran-The hlobile I P application of AA A (I)iameter pmto.col) provides rruthmticntion.aulhori7alion, and accounting .%.%AIwriicrs in a simless rwaminp inlrrnct wrvire. As such. the cur-
rent paper pruposcs the applicalionof identity-based cryptugra-
ph) lo hlebile I P with AA,\ authentication, thcmhy facilitating Ih eintrodurlion of public Le) cryplography lhrouph a l lowing il hlu-
bile IP enl i ly's public he) tu he derivrd lmm an arhilrury idenlit-ticalion value, such as an e-msil clyled HI(Nctnurk Access Iden-l i ly). Ih c Diameter Srcuril) .\sruuiatiun~DSA) rovidt% l PKI.
based universal and ~ ~ " u mhannel. uhichL used for idmlilgtlDJ-
bawdke) delivery hrlneen theA A A scrv rro fIh~ \ . i s i tpdnd homeISP nr lwork. Thrrefure. the ~mpused rlhud comhinrsIhr UIC #of
Ihe D S A with an idmlilytlDi-based cr) QIopphi c srcurit) a w -
ciation I ISAi . Consequently, the pmpased concatenated srcur i t?&\sociation of Ihc I)SA for an inter-ISP tmst chain and an IS,\for \lobile 1P user aulhmlicalion ca n a l lev ia te the pmblem of 11)-
bmed pr i \a l r dirlibution l o r visited network enlilirs and p a l l yreduce Ih e nerd for and relianreon public key certiticatrr hir mil-
bile nodes. Furthermore, the prupused protocol a n lso rslahlirh
il scccurity associalionamonga11 Mobile P related nodes and AA.\
rphted nodes.
I,rch I I'cru,.s - Mobile IP. AAA. IV ha*cd Cr)ptoyraph)
1. IUIKIOI>tI( 'IION
With the emergenceof niohile siImmerce and uhiquitiw nct-
working. the i m p m " e of security has dnmstically increased.
For example. xcure miming from one nctu,ork IO mother vi a
mohilc netuorks i s expected tu become a critical part of the
mobile service oprator's se n ice area[ I ] .
Mobile IP networking IS rapidl) developing 3nd expand-
ing. Rased on currently dcploycd niohile terminals. there arc
hundreds 01 million, of Internet-ennbled terminal\. mdking
roaming uit h Mohile IP a reali ty for huge numbers of users.
With mobility ac the escnlial chanctcri5tic for niohile net-
works. the Mubilc IP standard du t i un for use with the w i r e
les, lntcmet uas de vr lu pd by the Internet Engineering Task
Forcc(lE'l t~l2 l. Mobile 1P enables a mobile host to mobr from
one IP suh-network lo another. uhi le maintaining I n activeconnection u,ith the home II' addres,. Ilowe\er. with Mohile
IPIZ] .and rclatcd iad micro mohility prosicolsl3]. ddincd in
the cumnt ,randards as con,liruting 3 ull) operable protocol
suite. thcrc arc wiI xcur il y prohlem, that need to bc solved
and rnhaiircmenc~ equired for U~rcIcss ie tu or k~ l2 l[ 4~ .or
R G k e 5 I Senior 1:ngmeer at ihr. f.lcarun,cr and TiIcc.,mm,inirai10(,.
KC\CIICII I!bI.It.IC. U J : ] L n. KOREA. (cniiil R U I ~ c @ ~ i r ic.lr,
example, i t i s well known that the Mobile IP registration and
binding protocol have weaknesses with regard to the protec-
tion of signaling information and authentication of a foreign
network[Zl. One solution i s a public-key-based authentication
scheme between the mobile node and agents. IPSec depends
on a public-key infrastructure that has no t yet been deployed,
plus the key management component of IPSec requires heavy
processing by end devices. In existing research, Jacobs' pro-
posal[4] involves the use of public key cryptography for Mobile
IP.However, this has certain drawbacks mainly due to the heavy
operation at the mobile node[Sl. I n ypical public key cryptog-
raphy, the user's public key i s explici tly encoded in a public
key certificate, which i s essentially a binding between the cer-
tificate holder's identi ty and the claimed public key. Therefore,
the PK I model requires universal tmst in he certificate issuers,
such as the CA(Cer tification Authorities). This also has some
well-known side-effects, such as cross-doamin t rus t and cer-
tificate revocation. However, the main problem is the basic
assumption that all certificates are public and ubiquitous, and
hence readily available to anyone. Yet, this assumption s not
always realistic and small data-sized certification centric, es-pecially in a wireless network where connectivity is sporadic.
In contrast identity-based Cryptography changes the nature of
obtaining public keys by constructing a one-to-one mapping be-
tween identities and public keys. As such, identity-based cryp-
tography great ly reduces the need for and reliance on public
key certificates and certification authorities. Consequently, the
introduction of identity-based cryptographic schemes has many
advantages ranging from easy migration to public key cryptog-
raphy in a wireless link environment. This means that th e sys-
tem(network and mobile device) does not require as much sys-
tem loadas publ ic key-based cryptography in key management.
In CRL(certificate revocation ist , X.509).a fine-grained mech-
anism for receiving and checking th e CRL profile has not yet
been developed. However, the introduction o f identity-based
methods over a wireless link has greatly simplified key man-agement(user's E-mail is public key and NAI) , as such methods
reduce the need for and number of public key certificates. Ac-
cordingly, the main idea of the current study i s the application
of identity-based cryptography to Mobile IP with AAA, plus
to obtain assurances o f verif ication and payment in a foreign
network, the Mobile IP architecture must also support an Au-
thentication, Authorization, and Accounting(AAA) service. In
0-7M3.7757-51031117.03 02033 L E E . 1507
8/6/2019 Concatenated Wireless Roaming Security
http://slidepdf.com/reader/full/concatenated-wireless-roaming-security 2/5
the Diameter protocol as an AAA service, the mobile identi-
fies itself via a network access identifier(NA1) in the form of
user@ homed omain. As such, the authentication mechanism
is not based on a fixed IP address, but rather on a NAl[6][71.
Therefore, the current paper focuses on developing a simplerpublic key cryptography operation for a limited mobile device
using identity-based rather than certificate-based public key
cryptography. In addition, to estiblish a Mobile 1P security as-
sociation using identity-based cryptography between all Mobile
IP entities and all AAA entities, a concatenated security asso-
ciation is proposed that consists of a PKI-based Diameter secu -
rity association(DS A) and identity-based cryptography security
association(1SA). The Diameter Security Association provides
a PKI-based universal and secure channel, which is used for
identity(ID)-based key delivery between the AAA server of the
visited and home ISP network. The remainder of this paper
includes a brief introduction to ID-based cryptography in chap-
ter 2 , then chapter 3 describes the architecture and protocol of
Mobile IP with AAA. Chapter 4 then presents the mobile ap-
plication of identity-based cryptography, a concatenated secu-rity association process based on ID-based cryptography, and
discusses the properties from a security perspective. Finally,
chapter 5 offers some concluding remarks.
11. OVERVIEW OF IDENTITY(ID)-BASEDR Y P T O G R A P H Y
Le t E be an elliptic curve defined by yz = x 3 + 1over F,
where F, is a finite field with the prime order p , p = 2mod3,
and p = 6q - 1 for some prime q > 3. Le t GI be an order q
cyclic subgroup o f EIF, an d Gz be a subgroup of F;z where
F> is the multiplicative gm up of F,.(see [ I I], [I31 for more
mathematical details). The modified Weil pairing 8 is a map
from GI x GI to Gz satisfying the following properties(see
[ I l l , [ I31 formorede ta i ls ) :
I ) Bilinear : For all P,Q E GI and all a , b E Z
B(aP,bQ ) = 8(P,Q)Ob.. . .,
2) Non-degenerate :b(P,P) E G2 is a generator of Gz.
It should be noted that the original Weil pairing does not sat-. .
isfy the non-degenerate propelty. First, the ID-based encryption
scheme proposed by Boneh and Franklin[l I] is introduced.
Setup:T he algorithm proceeds as follows:
I ) Choose a generator P of GI, pick a random s E
Z; and set Ppub= sP .2) Choose a hash function H:FPz - O, 1)" fo r
some n and a hash function G: { O , 1)' - I.3) Chooseahashfunc t ionH1: {O,l}"x{O, 1}" --t
F,, and a hash function G I: O, l}" --t (0, l}",
4) The message space is M = {0,1}". The
master-key is s E 2,. The syste m parameters
are params= < p, n, , Ppub,H ,H1,G , G1>.
ExtrackGiv en an identity ID set Q I D= G( fD ) nd set the
EncryptT o encrypt hf E {0,l}n under the public key based
1 ) Convert ID into a p i n t &IO using the hash
2) Choose U E {0,1}" at random and set T =
private key d rD = S Q I D here s is the master key.
on th e m d o the following:
function G.
HI(u,W.
3) Compute the ciphertext
C=< T P , u C B H ( ~ ; D ) , M C B G ~ ( U )
wheregID=
~ ? ( Q I D , P ~ ~ ~ )F p * .D e c r y p k L e t C =< U, V, W > he a ciphertext encrypted
using the oublic key ID. Reiect the ciphertext if U is.not in G I . To decrypt C do the following:
1) C o m p u t e u = V @ H ( d ( d r ~ , U ) ) .
2) Comnute M = M/ FR 6, u l~ - I ,
3) Set T = H l ( u ,A4 ) and reject the ciphertext if
U # r P , otherwise do the following.
4) Ouput A4 as the corresponding message.
Next, the ID-based signature scheme proposed by Cha and
Cheon[ 121 is introduced.
Setup:Follow the same process as with ID-based encryption,
yet using the hash function H z : O, 1)' x G Ii,
instead of H , H I an d GI . As such, in the ID-based
cryptography based on elliptic curves, the required
system parameters are
p=-ams =< p,n, , p u b , H ,HI,Hz, , G >
Extra ckFo llow the same orocess as in the above scheme
Sign : To sign a given message m E {0,1}* under the pri-
I ) Choose T E Z, at random and compute Q I D=
vate key d I D do the following:
G ( I D ) .
Sien: To sien a given message m E {O . l } * under the on --- L . I
vale key d I D do the following:
I ) Choose T E Z, at random and compute Q I D=
G ( I D ) .
2) Output a signature corresponding to m
0 = ( T Q I D , ( T + I ~ I D )
where h = H ~ ( . ~ , T Q I D ) .
V e r i f y h t U = (U, ) be the given signature for message m.
To verify do the following:
I ) Compute h = H z ( m , U ) .2) Output accept if 6(P,V) = B(P',b, U + ~ Q I D ) .
reject otherwise.
111. MOBILE IP WITH A A A STRUCTURE
Until now, identity-based cryptography has not been dis-
cussed much as a new emerging application area. Yet, a novel
identity-based &SA was recently proposed by Boneh that
combines the attractive features of identity-based cryptography
and mediated RSA. This identity-based scheme is still in an
early developmental stage, plus the inherent feature of a mo-
bile environment is still a closed network as regards security
for the next few years. In relation to identity-based cryptog-
raphy. several papers have conducted a comparison of security
and performance. However, the current paper focuseson
theintroduction of identity-based cryptography in a Mobile IP en-
vironment, as well as the possibility of Mobile IP with AAA,
as an authentication protocol. Within the context of mobility, amobile node belonging to the home domain often needs to use
resources provided by a foreign domain. The AAA infrastruc-
ture verifies the user's credentials and prov ides a servic e policy
to the serving network for which the user is authorized. The
AAA infrastructure may also provide reconciliation of charges
1508
8/6/2019 Concatenated Wireless Roaming Security
http://slidepdf.com/reader/full/concatenated-wireless-roaming-security 3/5
I sAl
4
j~4
Fig. I. Mobile IP with AA A Tnisl Chain Model
between the serving and home domains. As an AAA protocol,
the Diameter protocol attempts to expand on RADIU S'S[ 141
known shortcomings and is being developed by the IETF AA A
Wo rking Group[2][6][71[151 1171. Di ame ter's Mob ile IP ap -
plication allows an AAA server to authenticate, authorize. and
collect accounting information for a Mobile I P service rendered
to a mobile node. Figure 1 illustrates the trust model for Mo-
bile IP with AAA. In the Mobile IP registration process, the
foreign(serving) authentication server(AAAF) requests proof
from the external home authentication server(AAAH) that the
external mobile node has acceptable credentials. The AAA in-
frastructure verifies the user's credentials and provides a ser-
vice policy to the serving network for which the user is au-
thorized. The A A A infrastructure may also provide reconcil-
iation of charges between the serving and home dom ains. As
anAAA protocol, the Diameter protocol attempts to expand on
RADIUS's[l4] known shortcomings and is being developed by
the IETF AAA Wor king Group[21[61[71[151[ 161[191.
Diameter's Mobile IP application allows an AAA server to
authenticate, authorize, and collect accounting information for
a Mobile IP service rendered to a mobile node. Figure I illus-
trates the trust model for Mobile IP with AAA.
In the Mobile IP registration process, the foreign(serving)authentication server(AAAF) requests proof from the external
home authentication server(AAAH) that the external mobile
node has acceptable credentials. Figure 2 illustrates the Mobile
IP registration and A AA protocol message flow161, 171, [151.
The authentication message from the mobile node to the
AAA server includes a Network Access Identifier(NA1). The
NAI has the following format : user@realm. The RRQmessage
also includes an MN-AAA authentication extension to make
the FA forward the request to the AAA. The MN performs the
MAC operations using the MN-AAA key K M N - A A A .f the
mobile node is successfully authenticated by the home a uthen-
tication server, the home authentication server decides the life-
time for the new authentication key and sen ds the result.
IV. CONCATENATEDI R E L E S S O A M I N G E C U R I T Y
ID-BASEDC R Y P T O G R A P H Y
ASSOCIATIONN D A U T H E N T I C A T I O NROTOCOL U S I N G
A. Concatenated Wireless Roaming Security Association
The current paper proposes a concatenated wireless roaming
security association for Mobile IP w ith AAA authentication us-
ing ID-based cryptography, thereby reducing the key manage-
ment problem compared to certificate-based public key cryp-
*d"..................
*DR . * D R . m a -* M R .
Rag
SA1( Cert. based PKI)
0ig. 3. modified Mobi le IP wilh AA A Tmsl Chain Model
tography(see Section II ) in user authentication. Plus, the pro-
posed protocol can use PKl(public key infrastructure)-basedCryptographic Message Syntax (CMS) for inter-ISP security
schemes. CMS is also used to carry X.509 ertificates. Figure
3 presents the concatenated security association, while Table I
lists the DSA requirements for CMS. As a result. a certificate-
based PK I trusted model is applied to the AAAF, AAAB, and
AAAH servers, while identity-based cryptography is applied to
all the other Mobile IF' nodes. Establishing the DSA involves
the initiator issuing a Diameter Security Association Request
(DSAR) message, then a Diameter Security Association Am
swer (DSAA) is issued in response. Table I presents the rec-
ommended DSAFUDSAA supporting types of AAA entities ac-
cording to IETF specifications.
TABLE IREQ U~REMENTF DS A FO R C M S
Diameter Server
Proxy Agent
Diameter Client Should
Relay Agent
1509
8/6/2019 Concatenated Wireless Roaming Security
http://slidepdf.com/reader/full/concatenated-wireless-roaming-security 4/5
Notation
ID
S I oa a a h @
HA's NAI
NM's NAI
Message
Meaning
Identity(e-mail style) i.e. NAI
Private Key correspondin g to IDA A A H s N AI
<< M >> SID
{ ' W ID
First, the DSA for CM S is established by two ISP s through
AAA servers, when a mobile node moves to a foreign network
and wants to receive service from a DSA established foreign
network for a period of time. Se cond, a private key correspond-
ing to the ID of the foreign agent is generated in the AAAH
server and delivered throug h the DS A. Consequently, the pro-posed security association based on identity-based cryptogra-
phy is established among all Mobile IP nodes and the AAAH
server. Thereafter, secure communic ations among the Mobile
IP nodes and the AAAH server can be achieved using the estab-
lished ISA(1dentity-based cryptography Security Association)
without the DSA.
The proposed concatenate d security association procedure is
as follows:
-Signature of M using SJD
Encryption of A4 with ID
It is assumed that the section of AAAF -AAA B-AA AF has
a CMS- based public key structure.
The ID of the Foreign Agent is encrypted and sent to
AAAH through AAAF-AAAH.
AAAH generate at private key for the Foreign A gent, en-
crypts it. and sends it securely to the Foreign Agent.
All Mobile IPnodes and AAAH server establish a security
association using identity based cryptography.
B. Mobile IP Authentication Protocol using ID-Based Cryp-
In contrast, in [4], Jacobs and Belganl propose an Mobile IP
protocol based on certificate-based public key cryptography. In
their scheme, all the node s participating in the protocol have a
certificate. The protocol proposed in151 is also certificate-based
public key cryptography, y et, in this case, the MN d oes not us e
certificate-based public key cryptography operations, thereby
avoiding the drawback of Jacobs and Belgard's protocol.
Table 11 presents the essential notations. Before describing
the proposed protocol, certain requirem ents are needed:. ll nodes involved in Mobile IF with AAA can calculate
ID-based cryptography operations.
AAAH is an ID-based cryptography system. The refore it
is a Private Key Generator(PKG ) for mobile nodes and has
a master key.
In the current scenario, the ID is the NAI(see Section 111).
HA has a private key correspo nding to its NAI.
MN possesses a private key correspond ing to its NAI.. s the same domain network, FA and AAA F have a secure
channel.
w m p b
The procedure of proposed protocol is consist of two steps.
First step is creation of ISA between all Mobile IF' nodes. FA
also need identity based private key for Mobile IP secu rity ser-
vice. Next step is authentication and registration procedure.
The signature and encryption techniques can be applied simul-taneously to provide all the specified procedure . Th e proposed
authentication scenario is described in figure 4, and the pro-
posed protocol proceeds as follows:
( I ) M N :
- calculate signature << M I >> S using private
key Sm where MI is RRQ message.
(2) FA :
- send IDS of MN and FA using secure channel of the
PKI based AAAF-AAA H .
(3) A A A H :
- create and send private key of FA using secure chan-
nel of the PKI based AAAF-AAA H.
- establish dynamic security association AAAH-FA,
MN-FA and FA-HA respectively using identity based
cryptography
(4) FA :
- verify << M I >> Smnawith mn@.
- calculate sig nature and encryption(optiona1)
- FA authenticate using the mo bile node's N AI and re-
lays MN's message to AAAH through AAAF and
AAAB for authentication of neighbor network.
( 5 ) FA+AAAH :
(6) A A A H :
- verify << M I >> S using MN's NAI mn@ and
- generate needed Mobile I P session keys.
- AAAH transmits HAR message toHA.
- calculate signature i c Mz >> Sh.e using private
authenticate MN .
(7) AAAH-HA :
(8 ) H A :
key Shoo where Mz isRRP message.
(9) HA-AAAH :
- HA transmits M z ,<< M Z >> Shoe to AAAH.
- calculate << A43 >> Sa..ha using private key
Saooho here M3 is AM A message containing
(IO) AAAH :
M z , << Mz >> Sh.0.
- calculate encryption(optiona1)
- AAAH sends AMA message containing Mz,<<
(11) AAAH-FA :
Mz >> Shoe,<< M3 >> &e&O to FA through
AAAB and AAAF.
(12) FA :
(13) FA-MN :
(14) M N :
- verify << M3 >> SooohO ith a h @ .
- FA relays M2, < M Z>> shoo o MN .
- verify << Mz >> S with ha@ and authenticate
HA .
1510
8/6/2019 Concatenated Wireless Roaming Security
http://slidepdf.com/reader/full/concatenated-wireless-roaming-security 5/5
work to an end-to-end mobile communication environment be-
tween two mobile users. Reducing the computational load and
the issue of key revocation are both areas for future studies.
V. C O N C L U S I O N
The current paper introduced a Mobile IP authentication pro-
tocol using ID-based cryptography, thereby providing certain
advantages with regard to key management and security. Fur-
thermore, an identity-based security association is connected to
a PKI-based CMS ecurity association. An additional scenario
that applies ID-based cryptography to all global nodes based on
the I h 6 protocol could also he included to improve the pro-
posed protocol.
REFERENCESFig. 4. Mobile 1P Registralion and AAA Protocd [I ] L. Becchetti and P, Mahanen and L. Munor "Enhancing IP service Pmvi-
sian over HelemgeneousWireless Networks." in IEEE CommunicationsMagazine. pp. 74-81. August 2002.
121 "IETF IP Routing far WirelesdM obile Hosts (mobileip) Working G ~ O U QCharter:' in h r t p ~ l l w w w . i e t f . o r ~ t m ~ . ~ ~ ~ ~ ~ m ~ b i l e i p - l
[JI C. S. Hang. K . W. im. D . Y Lee and D. S. Yun "An Efficient Fardl
tweentolerance Protocol with Backup Foreign Agents in a Hierarchical localRegistration Mo bile 1P:in ETRl J a w " . Vol. 24. No. I, Feb. 2002.
based cryptography. There are two main techniques used in this 141 s. Jacobs. s . Belgard "Mobile IP public Key Based Authen-
scheme: Digital signatures provide authentication, integrity, tication. lntemet Drah." <drah-jacobs-mabileip-pki-auth-03.1~1< inhttp:llwww.ietf.org.. july 2001
fidentiality (using asymmetric techniques to encrypt a content and New SecureMinim al Pu blic-Key Based Aulhenlicalion.'in I-SPAN '99. lune 1999.
techniques can be used simultaneously to provide all the spec- working croupntemet Draft: <drafl-ietf-aaa-diameter-I7.rrt> in
http:llwww.ietf.org.
sible this can171 P. R. Calhoun. I. A r f i o . C . E. Perkins "IETF AAA Work ing
Group lntemel Drah: <d~h-ielf-aaa-diameter-mobileip-13.ta> inprotect against a Dos attack, replay attack, redirect attack, andsession steeling attack. The proposed protocol h a the follow. I81 A. Sh amir "lden tily-ba se cryptosystems and rigan lure schemes. in Proc.
of Cryplo '84. LNCS. vol. 196. pp. 47-53. Spring er-Ve rlag 1985.ing properties from a security perspective: [9] U. Feige. A. Fiat and A. Shamir"2ero-knowlrdge p m f s of identity." in. ince ID-based cryptography is applied to Mobile IP au - J. Cryptology. vol. I. pp. 77-94 1988.
thentication, the proposed protocol does not need the M N - [IO] A. Fiat and A. Shamir "HOWo pmve yourselk Praclical solutions to
identification and siganture problems:' in Pme. Cryp lo '86. pp. 186-194AAA key of the original Mobile IP with the AAA proto- 1986.
col. Therefore, the AAAH key management overhead is I1 1 D . Boneh and M. Franklin"ldenli1y Based Encryption rom he Weil Pair-
removed.
The proposed protOCOl does not have the additional re- I121 I. C. Cha and I. H. Cheon "An Idenlily-Baaed Signature fmm
quirement of a public key infrastructure(PI3) compared Gap DifioHellman Groups:' in Cvpto logy ePrint Archive.http:lIeprint .iacr~~~rgn002/018/wZ .
to the schemes in 141, [SI. I131 A . Menezes "Ellip tic C urve Public Key Cryplosystemr." in Kluwer Aca-. ince the MN also authenticates the HA, mutual authenti- demic Publishers 1993.1141 C. Rigney et al. "Remote Authenlieation Dial In User Service (RA-
DIUS)," in IETF RF C 2138, Apr. 1997.1151 P R. caihaun. . a m . P pan. H. Amtar -im AAA work ing
Group Internet:' Draft.<drafl-ielf-aaa-diameter-fram~~*.Ol.txl> Di-amcler Framew ork Documen1.h hnp:llwww.ietf.org.
1161 P R. Calhoun. S. Farrell, W. Bulley "lm A A Working Gmup Inter-ne1 Drah." <drah- ie l f -aaa-diamcter -cms-see-04 . fx t<~ CM S Se-
C. Security Propen ies
The proposed scheme provides a security association be.Mob i le Ip nodes and AAA nodes using
and data origin authentication, while encryption provides con-
encryption key, which is then used for hulk encryption). Both
[5] sufattio.. Y.hmMobile IP~ ~ ~ ~ iro1acalr:A ~~~~~i~~ttack
161p, R, Calhoun, T, Johansson. G . Zom. AAA
ified security services. Since enclyption an d signature are pos-
on a specified security associationhnp:iiwww.ietf,org.
ings." in PmC. of Crypt0 ZWI. LNCS Vol. 2139. pp. 213-229. Springer-Verlag ZWI.
cation is achieved.
The AA AH can safely transmit the MN-HA key and MN-
FA key tu the M N, as the HA ncrypts the MN-HA key
and MN-FA key using the M N s NAI.. ince the FA also authenticates or encrypts both the MN s~~. .~
message and the AAAH's message, the proposed protocol
is basically secure against a replay attack.
As the proposed protocol can be implemented by algo-rithms based on elliptic curves, the performance is
improved.The current proposal is concentrated on the roaming security
the
speed of authentication takes time due to pairing computation.
Yet, since the proposed protocol is based on public key crypto-
systems, it is difficult to compare its computational operation.
An end-to-end security protocol can also be designed by ex-
C W ' Application. in hWlwww.ielf .org.
December 1999.
[ I71 M. Christopher "'AAA PmtocoIs. Aulhentication. Authorization. andAccounting for the Intemet:' in IEEE lntemel Computing November-
[I 1 T.Hil ler e l al."Cdma2WO wireless Data RequirementsforAAA:' in RF C
3141.June 2001.[I91 S. Glass. T. Hiller. S. Jacobs. C. Perkins "IETF Mobile IP WorkingGmup.: Mobile IP Authenticstion. Authorization. and Accounting Re-quirements," i n RF C 2977
I201 R. Caceres and L.lftde."lmp rovin g Ihe Performance of Reliable Trans-pon P~O~OCOIS in Mobile Computing Environments:' in IEEE JSAC. "01.
13. no. 5 .85C~57 une 1995.
muncaons, 2ooo,
and al though it Offers enhanced security
I211 C. E.Peckins."Mobile IPjoin sFoK eswithAAA."inlEEEPersonalCom-
tending the authentication protocol between a user and a net-
1511
