Research Article Design and Verification of Secure Mutual

Research ArticleDesign and Verification of Secure Mutual AuthenticationProtocols for Mobile Multihop Relay WiMAX Networks againstRogue BaseRelay Stations

Jie Huang and Chin-Tser Huang

Department of Computer Science and Engineering University of South Carolina Columbia SC 29201 USA

Correspondence should be addressed to Chin-Tser Huang huangctcsescedu

Received 9 March 2016 Accepted 2 June 2016

Academic Editor Jit S Mandeep

Copyright copy 2016 J Huang and C-T Huang This is an open access article distributed under the Creative Commons AttributionLicense which permits unrestricted use distribution and reproduction in any medium provided the original work is properlycited

Mobile multihop relay (MMR) WiMAX networks have attracted lots of interest in the wireless communication industry recentlybecause of its scalable coverage improved data rates and relatively low cost However security of MMRWiMAX networks is themain challenge to be addressed In this paper we first identify several possible attacks on MMR WiMAX networks in which arogue base station (BS) or relay station (RS) can get authenticated and gain control over the connections and show that the currentstandard does not address this problem well We then propose a set of new authentication protocols for protecting MMRWiMAXnetworks from rogue BS attack rogue RS attack and suppress-replay attack Our protocols can provide centralized authenticationby using a trusted authentication server to support mutual authentication between RS and BS between RS and RS and betweenmobile station (MS) and RSMoreover our protocols can also provide distributed authentication with a license issued by the trustedserver We use a formal tool called Scyther to analyze and verify the security properties of our protocols The results show that ourprotocols can counter rogue BS and RS attacks and suppress-replay attack and are not susceptible to any known attacks

1 Introduction

In the era of the Internet of Things (IoT) when every deviceis connected to the Internet one of the most importanttechnical enablers is the wireless technologies and infrastruc-ture that make connecting different things (devices) possi-ble Among them WiMAX (Worldwide Interoperability forMicrowave Access) plays a very important role as it deliverslower-cost longer-range and high-bandwidthmobile broad-band access for mobile clients and devices to connect to theInternet from anywhere at any time

WiMAX is a broadband wireless access technologydesigned for the advancement of IEEE 80216 standard [1]It is considered to be a replacement for WiFi-based mobilebroadband connection because of its better coverage andfaster speed WiMAX is ideal for high data-rate IP appli-cations such as video conferencing VoIP online gamingand HD video streaming Another wireless broadband tech-nology LTE (Long Term Evolution) [1] can also provide

high-speed data transmission for mobile phones and dataterminals and has been adopted by many cellular serviceproviders In recent years some people think that LTE haswon over WiMAX in the standard war However accordingto the report from Intel Capital [2] WiMAX does notfade away and is still considered a very good option bymany service providers including Egyptian telecom startupOrascom Telecom and Netherlands startup Enertel Holding[2]

In the early days when WiMAX was designed WiMAXfaced the paradox that increasing data rate will reduce relia-bility and increasing minimum reliability service will reducethe coverage area [3] One possible solution is to deploy morebase stations (BSs) closely but the high cost of deployingBSs will give away the original economic competitiveness ofWiMAX Therefore researchers switched to a more viableapproach which is to insert relatively cheaper fixed relaystations into the cellThis kind of networks is calledmultihoprelay networks In June 2009 the IEEE 80216 Relay Task

Hindawi Publishing CorporationJournal of Electrical and Computer EngineeringVolume 2016 Article ID 9859830 12 pageshttpdxdoiorg10115520169859830

2 Journal of Electrical and Computer Engineering

Group (TG) proposed the IEEE 80216j-2009 amendmentwhose main purpose is to expand the previous single-hop80216 standard to include multihop capabilities [4] enablethe operations of multihop communications based on relaystations (RSs) specify the mobile multihop relay (MMR)deployment and define two new types of elements themultihop relay base station (MR-BS) and the relay station(RS) In 2012 80216 Working Group announced the latestversion of the standard IEEE 80216-2012 [5] which incor-porated 80216j along with two other amendments 80216hand 80216m

Security has been an open challenge in WiMAX sinceits commencement because of the open-air nature of wire-less communications To overcome the potential attacks toWiMAX IEEE 80216 standard specifies a security sublayerin the MAC (Media Access Control) layer IEEE 80216-2009 offers an improved authentication and authorizationmechanism compared to its previous versions such as IEEE80216-2004 IEEE 80216-2009 provides better encryptionmethods more secure key management protocol and anEAP-based authentication strategy However in an MMRWiMAX network more security issues are exposed sincemessages have to be transmitted through one or more relaystations which makes it more difficult to ensure the authen-ticity of messages and devices involved in the transmissionTherefore the latest standard IEEE 80216-2012 defines an airinterface between an MR-BS and a RS with the followingadditional security functionalities [5]

(i) Trust within a certain cell that is MR-BS and agroup of RSs in the MR cell maintain a set of trustedrelationships called Security Zone in order to satisfyrequirements of multihop relay system operations

(ii) Centralized security control in MR-BS that is MR-BS is in charge of the generation of the securityassociation materials between RS and MR-BS

(iii) Transparency for mobile station (MS) connected tothe network through one or more RSs that is anyintermediate RS does not try to decrypt the userdata or authenticate the MAC management messageit receives from theMS but simply relays it to the nextnode

(iv) One RS does not have Authorization Key (AK) secu-rity context of any other RS

(v) The intermediate RS authenticates management mes-sages it receives from other RSs using relay-specificshard keys

(vi) Protection of nonauthenticated Pairwise Master Key(PKM) messages by MR-BS and the access RS thatis any nonauthenticated PKM messages which aretransmitted between MS and MR-BS through theaccess RS will be protected by the HMACCMACbased on the shared security associations establishedbetween MR-BS and the access RS

However even with these additional functionalitiesresearchers in [6] found that the security mechanism in IEEE80216j (part of current IEEE 80216-2012 standard) is still not

adequate in that it has vulnerabilities in its weak protectionof some PKM messages and security zone key update and issusceptible to DoS attacks on BS and rogue BS and rogue RSattacks

In our previous conference paper [7] we focused onaddressing the rogue BS and rogue RS attacks in MMRWiMAX networks with centralized authentication schemesand designed a set of protocols to address the aforementionedattacks However a formal verification we conducted laterusing the Scyther tool [8] shows that our previous protocolsallow for a new attack called suppress-replay attack whichexploits the asynchronization of time stamps in BS and RSMoreover our previous work did not provide a distributedauthentication scheme which is considered to be a morefavorable way to conduct authentication nowadays becauseof the multitude of distributed mobile clients and devices

In order to address these new issues found in our previouspaper we propose in this paper a complete authenticationsolution to address the rogue BS and rogue RS attacks inMMR WiMAX networks the suppress-replay attack foundin our previous scheme and a distributed authenticationscheme between RSs We present three different mutualauthentication protocols which utilize a trusted authentica-tion server to support three possible scenarios in which theRS or MS connects to an MMR WiMAX network Our pro-tocols are conformant to the security requirements of IEEE80216-2012 standard We also verify the correctness of ourprotocols by utilizing the former verification tool for securityprotocols called Scyther According to the verification resultour protocols are able to counter against all the attacks wediscussed in our paper

The remainder of this paper is organized as follows InSection 2 we give an overview of related works Section 3describes the possible rogue BS and rogue RS attacks onaccess service inMMRnetworks In Section 4 we present ournew schemes for securing the original authentication proto-cols for MMR networks against rogue BS and rogue RS InSection 5 we give a formal analysis and verification of ourprotocols using the Scyther tool Finally we conclude ourpaper and discuss the future work in Section 6

2 Related Work

A number of papers have been published regarding the secu-rity issues of WiMAX networks since IEEE 80216 standardwas developed Xu et al give a detailed analysis on privacyand key management protocols of the standard in [9 10]Several other papers addressed the security issues of one-wayauthentication and rogue base station attack such as [9 11 12]However these publications considered only the single-hopWiMAX when the MMRWiMAX network had not come toexistence

The authentication issue has been studied in severalother types of multihop networks such as wireless meshnetworks [13] cellular networks [14] and sensor networks[15] However the MMRWiMAX network is still very recentand has its own unique characteristics that need to beinvestigated separately

Journal of Electrical and Computer Engineering 3

Distributed and centralized authentication approachesare two major options when it comes to authenticationprotocol design In [16] Yang et al discussed security issuesin WiMAXMMR networks and the pros and cons of the twomajor types of authentication protocol design In [17] Jin et alpropose an improvedmutual authentication scheme inmulti-hopWiMAX networks in which they improve the X509 cer-tificate by using ECC algorithm instead of RSA and modifythe flow of mutual authentication to improve the security inmultihopWiMAX networks In [18 19] Khan et al proposeda modified PKM protocol using distributed authenticationand localized key management scheme In [3] Tie and Yiproposed a multihop ticket based handover authenticationwhich adopted the idea from Kerberos and used a ticket toallow MS RS and BS to mutually authenticate each otherHowever the authors in the aforementioned papers did nottake rogue access node attack into consideration

In order to solve the problems like security zone keyupdate DDoS attack and rogue RS attack in [20] theauthors propose a design of hybrid authentication and keydistribution scheme to support the IEEE 80216j (part ofcurrent IEEE 80216-2012 standard) MMR requirementsAlthough the authors claim that this hybrid design is robustenough to prevent rogue node attack they only consider thecase when a rogue RS tries to join the network at initialphase and they do not take rogue BS attack into accountThe latter case will cause more severe damage to the networksince a rogue BS can take control of the whole area withinits communication range if it successfully joins the networkas a legitimate BS In another paper [21] the authors presenta distributed scheme using decode and forward relays withlocalized authentication which helps to authenticate MS andRS at initial network entry However this scheme still cannotsolve the problem of rogue BS attack In [22] the authorsproposed a self-testing approach to defend against rogue BSattack of intelligent terminal However their work did notfocus on MMR networks and thus cannot address the othersecurity issues in MMR networks we discussed in Section 1In [23] the authors discussed detection of rogue BS attack inWiMAX networks however their discussion did not addressthe security issues existing specifically in MMR networks

3 Rogue BS and Rogue RS Attacks in MMRWiMAX Networks

Rogue stations have been one of the most common threats inwireless networks [23ndash25] In order to design a securewirelessauthentication protocol in MMR networks rogue stationsthreat must be considered and addressed

Denial of Service (DoS) jamming is a type of the attacksthat can involve a rogue station In MMR a rogue station canbe a rogue BS or a rogue RS In a DoS jamming attack byjamming a legitimate BS connectivity between client and alegitimate BS can be interrupted which makes it possible fora rogue BS to stand in and impersonate the legitimate BS withfake credentials trying to convince a joining client or RS toconnect with it so as to cause DoS or even redirect the trafficand hijack the communications

Another form of attack thatmight involve a rogue stationespecially a rogue RS is man-in-the-middle (MITM) attack[25] When a client MS or RS initiates a connection therogue RS will intercept the connection and then completethe connection to the intended legitimate RS and proxy allcommunications to the intended legitimate RS The rogueRS is now in a position to inject data modify messagesand communications or eavesdrop on a session that wouldnormally be difficult to decode such as encrypted sessions

One form of MITM attack involves asynchronization Ifthe clocks of the client and the legitimate station are notsynchronized it is possible for the rogue station to launch asuppress-replay attack [26] In a suppress-replay attack therogue station can intercept messages that carry a timestampcorresponding to a future time due to an unsynchronizedclock and extract from them the component containing thefuture timestamp Then the rogue station can combine theextracted timestamp componentwith valid components fromother messages to create a fake message and replay it laterwhen the timestamp in the fake message becomes currentwith respect to the clock of the legitimate recipient station

An example to demonstrate the suppress-replay attack isgiven as follows Suppose we have a client MS whose clockis 2 minutes ahead of the one in the legitimate station BS Atclient side time 110 pm and time 111 pm (which correspondsto BS time 108 pm and time 109 pm) client MS sendstwo messages message 110 and message 111 to the legitimateBS trying to initiate a connection each message containsits current MS timestamp and component with necessaryauthentication credentials to prove MSrsquos identity we callthis component Authentication Component (AC) here Whenan attacker intercepts these two messages the attacker canextract the AC from message 110 and the 111 pm timestampfrom message 111 and then combine these two parts togetherto create a new message 1111015840 The attacker will then send outthis newly created fake message 1111015840 when the time on thelegitimate station BS becomes 111 pm IEEE 80216-2012 usesPKMv2 to counter possible rogue BS attack by using mutualauthentication However there is an implicit assumption inPKMv2 that BS is always trustworthy thus PKMv2 does notprovide any protection measure to detect and counter theattack from a compromised BS

Moreover the distributed security mode in MMRWiMAX networks also makes rogue RS attack more possibleThis is because the authentication procedure between RSnodes is not performed by a centralized server but is basedon the trust between nodes If one node is compromised itstrust with other nodes is also compromised

Another issue with PKMv2 is that the preassumed trust ofBS cannot prevent suppress-replay attack mentioned aboveTo address all of the aforementioned attacks in MMRcareful protocol design is required in order to achieve secureauthentication in MMR networks

4 Proposed Secure Authentication Protocol

We have introduced the related work on security issuesin MMR WiMAX networks and have shown that current


standards are not sufficient for addressing the rogue BSand rogue RS attacks In this section we present a setof new secure protocols to provide robust authenticationin MMR WiMAX networks Specifically our protocols candefend against rogue BS and RS attack by using a trustedauthentication server to provide dual authentication andsecurity zone key Our protocols support three scenarios ofnetwork access RS connects to anMMRnetwork throughBSRS connects to an MMR network through other RS and MSconnects to an MMR network through RS

41 Assumptions The proposed protocols are based on thefollowing assumptions

(a) Before the initial access authentication process eachRS BS andmobile user (MS) is preregisteredwith theAuthentication Server (AS) by providing their MACaddresses and other necessary credentials Each RSBS and MS shares its own public key (KRSKBSKMS)withAS and each RS BS andMS also gets ASrsquos publickey from AS These keys were obtained during thepreregistration phase

(b) AS is trusted by all the nodes in the MMR WiMAXnetwork It is believed by the nodes in this networkthat AS maintains a correct database of all legitimateregistered nodesrsquo MAC addresses each nodersquos corre-sponding public key and other credentials It is easierto ensure the physical security of AS because AS canalways be indoor

42 Notations Before we describe the details of our proto-cols we specify the simplified notation for each element usedin the protocol

MAC119883 XrsquoS MAC address (X can be either RS BS or

MS)Seq119883 a sequence number generated by station X

Nnc119883 a nonce generated by station119883

K119883 Xrsquos secret key shared with AS

K119883 PUB Xrsquos public key stored in Xrsquos certificate

K119883 PRV Xrsquos private key corresponding to the public

key stored in Xrsquos certificatePMK Pairwise Master KeySZK a group key used in the security zone among BSand many RSsAK Authorization KeyMD[119872] message digest of messageMCERT

119883 Xrsquos digital certificate with Xrsquos public key

includedEK119883[119872]M encrypted with Xrsquos shared secret keyEKSZK[119872]M encrypted with security zone key

EK119883 PUB[119872]M encrypted withXrsquos public key stored in

Xrsquos certificate

(1)

(4)

(2)

(3)

Internet

Base station

Relay station

AAA server

Figure 1 RS connects to MMR networks via BS

EK119883 PRV[119872] M encrypted with Xrsquos private key corre-

sponding to the public key stored in Xrsquos certificate

License119883 a signature issued to legitimate BSRSMS

the signature is generated byASusingASrsquos private key

EXPR119883 expiration time for License

119883

Here the format of License119883is EKAS PRV

[MAC119883 CERT

119883

EXPR119883]

43 Scenario 1 RS Connects to the Network through BS Thefirst scenario in which a RS needs to connect to an MMRnetwork via BS is shown in Figure 1

A RS broadcasts the AUTH-REQ message when it wantsto connect to an MMR WiMAX network Normally the BSwhich is the closest to this RS will handle this message andsend it to AS AS will then perform the authentication andsend back an AUTH-REPLY message The detailed messageformat is specified as follows

(1) RSrarr BS

MACRS Seq RS MD[MACRS Seq RS KRS] CERTRS


(2) BSrarr ASMACRS Seq RS MD[MACRS Seq RS KRS] CERTRS MACBS Seq BS MD[MACBS Seq BS MACRS KBS] CERTBS

(3) ASrarr BSEKBSMACAS MACRS Seq BS PMK

License BS SZK MD[PMK SZK KBS] EKRSMACAS MACBS Seq RS PMK

License RS SZK MD[PMK SZK KRS]

(4) BSrarr RSEKRSMACAS MACBS Seq RS PMK

License RS SZK MD[PMK SZK KRS] MD[PMK AK SZK]

As we mentioned before each RS is preregistered withASTherefore AS canmatch theMAC address in the messagewith the corresponding shared secret key in the databaseWhen AS receives message (2) AS can use MAC addresssequence number and the shared secret key to calculatethe corresponding message digest in order to verify theauthenticity of the sender (bothBS andRS) since onlyAS andthe corresponding legitimate node know the shared secretkey After successful authentication of BS and RS AS will usethe shared keys of BS and RS to encrypt the authenticationreply message and send it back to BS and the requestingRS If both BS and RS are legitimate in message (3) AS willgenerate a PMK and a SZK and include them in the replymessage After BS receives and decrypts the AUTH-REPLYmessage from AS it can be sure about the authenticity ofthe requesting RS Thus BS can decide whether to grant RSthe access to the network or not BS also gets PMK fromAS and uses it to generate AK PMK is encrypted with BSrsquosshared key with AS AS also sends the message digest ofPMK in this message to BS which is meant to allow BS toverify the integrity of this PMK it receives In message (3)BS receives its License BS from AS which works as a uniquedigital signature to prove its identity to other nodes beforethe license expires This signature is generated by encryptingthe concatenation of BSrsquos MAC address BSrsquos certificate (egX509 certificate) and the expiration time of this licenseusing ASrsquos private key As what has been described in ourassumptions every legitimate node in this network has theASrsquos public key so when BS gets its license it can use ASrsquospublic key to verify this licensersquos authenticity Similar licensealso appears in message (4) in which it provides legitimateRS with a license to prove its identity to other nodes in thefutureTheusage of signature here inmessages (3) and (4) canprotect the network from malicious node with a fake licensesince it should be computationally infeasible for a party whodoes not possess the private key to generate a valid signature

After successful authentication with BSRS AS assigns asecurity zone key denoted as SZK for nodes in the securityzone to secure future communications between them AtAS for each AUTH-REQ from RS AS will check with BSrsquosMAC address in its receivedmessage to decide which securityzone this requesting RS belongs to After authentication issuccessfully completed a zone key SZK which correspondsto the right BS will be assigned to the RS

In message (4) along with PMK BS also sends themessage digest of AK which it generated from PMK thepurpose is to let RS verify the integrity of the PMK it receivesIf RS can use the PMK it received to generate the sameAK which is consistent with the message digest MD[AK]included in message (4) it can believe that the message is notcompromised and the AK is good to use

We analyze why our protocol can protect the MMRWiMAX network against rogue BS or rogue RS attacks Inthe case of rogue BS attack since BS does not have RSrsquos secretkey shared with AS it cannot decrypt or modify the messagedestined to RS Hence if RS gets the message from AS whichnotifies RS of this illegitimate BS RS will not try to get accessthrough this rogue BS again Therefore the rogue BS will nothave the opportunity to take control of RS in the network

In the case of rogue RS attack when an access RS becomesa rogue one it would not receive the AUTH-REPLY messagewith a license included In the case of message hijacking orman-in-the-middle attack even if an attacker can get themessage which was supposed to be transmitted to the legit-imate BS or RS the attacker still cannot decrypt the messageto get the license since he does not have the secret key KBSor KRS Therefore the attacker cannot obtain a valid licensewithout getting authenticated by AS which it cannot pass

44 Scenario 2 RS Connects to the Network through Other RSThe second scenario in which a RS requests to connect to anMMR network through an edge RS is shown in Figure 2 Inthis scenario the requesting RS wants to set up connectionwith the BS via one or more intermediate RSs Our protocolfor this scenario contains three authentication phases (i) ini-tial verification of edge RS (ii) dual authentication of BS andthe requesting RS by AS and (iii) distributed authenticationwhen requesting RS holds a valid license

In authentication phase (i) when the requesting RSA triesto get access to the network through another RSB (edge RS)RSA needs to verify the authenticity of this intermediate RSBfirst The message format of phase (i) is specified as follows

(1) Requesting RSA rarr Edge RSBMACRS(A) CERTRS(A) Seq RS(A) MD[MACRS(A) Seq RS(A)]

(2) Edge RSB rarr Requesting RSAMACRS(B) CERTRS(B) License RS(B) MD[MACRS(B) Seq RS(A)]

EKRS(B) PRV[EKRS(A) PUB

[Seq RS(A) Nnc RS(B)]]

(3) Requesting RSA rarr Edge RSBEKRS(A) PRV

[EKRS(B) PUB[Nnc RS(B) Nnc RS(A)]]

(4) Edge RSB rarr Requesting RSAEKRS(B) PRV

[EKRS(A) PUB[Nnc RS(A)]]

In messages (1) and (2) the requesting relay station RSAand the edge relay station RSB exchange their certificate suchthat they know each otherrsquos public key In message (2) basedon our assumption that each registered RS has the ASrsquos publickey the requesting RSA can use it to verify whether the edge


(1)

⟨5⟩

⟨3⟩⟨4⟩

(2)

⟨1⟩

⟨2⟩

⟨6⟩

Message exchange in phase iMessage exchange in phase ii

Internet

(4)

(3)

Base station

Relay station

AAA server

Figure 2 RS connects to MMR networks via an edge RS

RSB is a legitimate relay station by checking that the license iscurrently valid However if the authentication phase (i) stopsat message (2) then it will be susceptible to a replay attackdescribed as follows amalicious relay station RSE listening inthemiddlemakes a copy ofmessage (1) sent by the requestingRSA makes a separate run of this protocol by forwarding thecopy of message (1) to a legitimate edge relay station RSB(ie pretending RSE itself is the requesting RSA) and replaysthe message (2) received from the RSB to RSA When RSAreceives the message it will be convinced that the maliciousRSE is a legitimate edge relay station To address this problemof replay attack we add messages (3) and (4) which is inchallenge-response style In message (3) RSA concatenatesNnc RS(B) (derived fromdecryptingmessage (2)) with a nonceof its choice Nnc RS(A) encrypts it using the public key of RSBand the private key of RSA and sends it to RSB RSB decryptsthe received message (3) and extracts Nnc RS(A) encrypts itusing the public key of RSA and the private key of RSB andsends it to RSA in message (4) When RSA verifies that theNnc RS(A) received in message (4) is the same as the nonceit chooses in message (3) RSA can believe that RSB is reallythe authentic edge relay station rather than a malicious relaystation of a replay attack

After edge RSBrsquos authenticity has been verified in phase(i) the requesting RSA starts phase (ii) in which both BS and

RSA need to be authenticated by AS The message format ofphase (ii) is specified as follows

⟨1⟩ Requesting RSA rarr Edge RSBMACRS(A) Seq RS(A) CERTRS(A) MD[MACRS(A) Seq RS(A) KRS(A)]

⟨2⟩ Edge RSB rarr (possibly other RS in between) rarr BSEKSZKMACRS(A) Seq RS(A) CERTRS(A)

MD[MACRS(A) Seq RS(A) KRS(A)]

⟨3⟩ BSrarr ASMACRS(A) Seq RS(A) CERTRS(A) MD[MACRS(A) Seq RS(A) KRS(A)] MACBS Seq BS MD[MACBS MACRS(A) Seq BS KBS] CERTBS

⟨4⟩ ASrarr BSEKBSMACAS MACRS(A) Seq BS PMK

License BS SZK MD[PMK SZK KBS] EKRS(A)MACAS MACBS Seq RS(A) PMK

License RS(A) SZK MD[PMK SZK KRS(A)]

⟨5⟩ BSrarr Edge RSBEKSZKEKRS(A)MACAS MACBS Seq RS(A) PMK

License RS(A) SZK MD[PMK SZK KRS(A)] MD[PMK AK SZK]

⟨6⟩ Edge RSB rarr Requesting RSAEKRS(A)MACAS MACBS Seq RS(A) PMK


If the authentication between RSA and AS is successfuland RSA is regarded to be legitimate then RSA will beassigned with the security zone key SZK which RSA and RSBcan use to secure future communications between them

Comparing the message format in phase (ii) with themessage format in the first scenario in which RS connectsto the network directly through BS we can see that themajor contents in the messages are very similar except thatthe security zone key SZK is being used here to encryptall the messages that are transmitted in this security zone(messages ⟨2⟩ and ⟨5⟩) This design is in accordance withthe aforementioned security requirement of IEEE 80216-2012 standard which requires that trust is maintained withinthe security zone in order to support multihop relay systemoperations At edge RSB RSB decrypts themessage it receivedwith SZK and then forwards the decrypted messages to therequesting RSA In this case the message is still securedbecause it is still encrypted by AS with RSArsquos public key

If the requesting RSA has been authenticated byASwithina valid period of time before it tries to connect to the currentnetwork RSA can skip phases (i) and (ii) and directly enteran optional phase (iii) in which a more efficient distributedauthentication will be performed The message format isdescribed as follows

(1) Requesting RSA rarr All neighborhood nodesMACRS(A) Seq RS(A) CERTRS(A) License RS(A) MD[MACRS(A) Seq RS(A) CERTRS(A) License RS(A)]


Mobile stationsubscriber

Internet

⟨1⟩

⟨6⟩

⟨2⟩⟨5⟩

⟨3⟩

⟨4⟩

(2)(1)(3)

(4)


Base station

Relay station

AAA server

Figure 3 MS connects to MMR networks via an edge RS

(2) Edge RSB rarr Requesting RSAMACRS(B) CERTRS(B) License RS(B) MACBS EKRSA PUB

[SZK] MD[MACRS(B) Seq RS(A)

CERTRS(B) License RS(B) MACBS SZK]

In phase (iii) RSA first broadcasts to all its neighborhoodnodes message (1) which contains RSArsquos MAC addresssequence number digital certificate its license and themessage digest Once a legitimate edge RSB receives thismessage it can use ASrsquos public key to verify the authenticityof RSA If RSA is verified to be authentic then edge RSB cansendRSAmessage (2)which includesRSBrsquos license certificatesecurity zone key and the MAC address of BS which is incharge of this security zone When RSA gets message (2) andhas the SZK and BSrsquos MAC address it can establish securecommunications with BS to generate and exchange AK andTEK

45 Scenario 3 MS Connects to the Network through RSThe third scenario in which a mobile user (MS) needs toconnect to an MMR network through an edge RS is shownin Figure 3 In this scenario we have two cases to considerthe first one is when MS connects to the network for the firsttime through one ormore RS the second one is whenMS hasbeen authenticated by AS within a valid period of time beforeit tries to connect to the current network For both cases themessage formats are similar to the message formats from the

second scenario when a RS tries to get access to the networkvia other RS

ForMSwhich joins the network for the first time throughan edge RS there are two phases whose message format isspecified as follows

Phase (i) (initial verification of the edge RS)

(1) MSrarr Edge RSMACMS CERTMS Seq MS MD[MACMS Seq MS]

(2) Edge RSrarrMSMACRS CERTRS License RS MD[MACRS Seq MS] EKRS PRV

[EKMS PUB[Seq MS Nnc RS]]

(3) MSrarr Edge RSEKMS PRV[EKRS PUB[Nnc RS Nnc MS]]

(4) Edge RSrarrMSEKRS PRV[EKMS PUB

[Nnc MS]]

Note that the four messages in phase (i) are similar tothe four messages in phase (i) of Scenario 2 presented in theprevious Section 44 because we need to prevent the possiblereplay attack launched by a malicious relay station We willnot repeat the explanation of the replay attack here because ithas been explained in detail in the previous subsection

Phase (ii) (dual authentication of MS and BS)

⟨1⟩ MSrarr Edge RSMACMS Seq MS CERTMS MD[MACMS Seq MS KMS]

According to IEEE 80216-2012 standard here relay sta-tions do not try to decrypt the user date or authenticate theMACmanagementmessage they receive frommobile stationsbut simply relay it And RS does not have any key informationassociate with the MS

⟨2⟩ Edge RSrarr (possibly other RS in between) rarr BSEKSZKMACMS Seq MS CERTMS MD[MACMS

Seq MS KMS]

⟨3⟩ BSrarr ASMACMS Seq MS CERTMS MD[MACMS Seq MS KMS] MACBS Seq BS MD[MACBS MACMS Seq BS KBS] CERTBS

⟨4⟩ ASrarr BSEKBSMACAS MACMS Seq BS PMK

License BS SZK MD[PMK SZK KBS] EKMSMACAS MACBS Seq MS PMK

License MS SZK MD[PMK SZK KMS]

⟨5⟩ BSrarr (possibly other RS in between) rarr Edge RSEKSZKEKMSMACAS MACBS Seq MS PMK

License MS SZK MD[PMK SZK KMS] MD[PMK AK SZK]


⟨6⟩ Edge RSrarr MSEKMSMACAS MACBS Seq MS PMK


In message ⟨6⟩ after MS gets PMK and generates relatedAKandTEKMS can verify itsAKwith theAK in the receivedmessage to check their consistency TEKwill be used to securefuture communications between BS and MS

For MS which has been authenticated by AS within avalid period of time before it tries to connect to the currentnetwork a distributed authentication will be performed Themessage format is specified as follows

(1) MSrarr All neighborhood nodesMACMS Seq MS CERTMS License MS MD[MACMS Seq MS CERTMS License MS]

(2) Edge RSrarr MSMACRS CERTRS License RS MACBS EKMS PUB[SZK] MD[MACRS Seq MS CERTRS

License RS MACBS SZK]

MS broadcasts message (1) to all its neighborhood nodesMessage (1) contains MSrsquos MAC address sequence numberdigital certificate its license and the message digest Once alegitimate edge RS receives this message it can use the ASrsquospublic key to verify the authenticity ofMS If MS is verified tobe authentic then edge RS can send MS message (2) whichincludes RSrsquos license certificate security zone key betweenRS and MS and the MAC address of BS which is in chargeof this security zone When MS gets message (2) and hasthe SZK and BSrsquos MAC address with SZK it can establish asecure communication with BS before it has TEK to encryptits messages

5 Formal Analysis of Proposed Protocols

Next we present the formal analysis and verification ofthe proposed protocols using a tool called Scyther [8]Scyther is an automated tool for verification falsificationand analysis of security protocols [8] Its effectiveness andcorrectness have been proved and its operational semanticscan be found in [27] for interested readers Scyther canverify protocols with unbounded number of sessions androles if computational resources allow [8] It is also currentlythe only existing tool capable of verifying synchronization[27] Synchronization is an important property in mutualauthentication protocols It indicates that all the messages aretransmitted exactly in the order as described by the protocolwhich can be used to detect suppress-replay attacks [8]Hence we include it as one of the properties we need to verifyin our proposed protocols and we choose Scyther since it isthe only tool which can do such verification [8] To have themost accurate verification results we choose the latest stableversion Scyther v113 released in 2014

51 Model Description In our model we describe the behav-ior of the protocol entities in terms of their roles that is an

initiator or a responder (receiver) or both For example forprotocol 1 we have three agents RS BS and AS All of themplay two roles message initiator and message responder InScyther a run is a unique execution of a role that is performedby an agent that is each agent executes its runs to implementthe protocol and preserve the secrecy of the credentials (egkeys licenses and sequence number) it claims to achieveEach agent has several variable definitions for the credentialsused in the messages this agent will send or receive whenplaying different roles Each agent also has a sequence ofevents that entails what messages this agent will send orreceive along with its claims In Scyther a claim is definedas claim (A c P) which means that agent A expects goal c tohold with parameter P If an attack exists then the claim theagent wants to achieve will not hold Such a claim is called afalsified claim [8]

A claim has the locality property so once agents get themessages they will be able to view the state of the systemfrom a local perspective Therefore the protocol needs tomake sure that the agent is able to have the knowledgeof some properties of global state of the system from thelocal perspective for example the agent is able to knowthat something is beyond the intruderrsquos knowledge or thata specific agent is active However for the same protocol theclaim on the same secret credential based on different agentsmight not always hold that is it is possible that for agent Aas themessage initiator and agent B as themessage responderclaim (A c P) holds while claim (B c P) does not hold [8]

In order to verify a security protocol using Scyther weneed to specify an attacker and a set of agents executingseveral runs Scyther will trace all possible attacks that theattacker might launch and determine whether a securityclaim the agent holds is true or attacks exist In the verificationof our proposed protocols we focus on two security prop-erties secrecy of keys and authentication To verify these twoproperties we use two types of claims in our model secrecyclaim and authentication claim [8]

(i) Secrecy Claim A secrecy claim is defined as claim (ASecret P) It is a statement that the credentials 119875 included inthis claim byAwill not be obtained or spoofed by the attackerSecrecy means that the information in question is not to theknowledge of an attacker even if it is transmitted over anuntrusted network

When agents are communicating data (public or secretcredentials) with untrusted agents the transmitted data isalso open to the attacker Although transmitted data is publicin the air now this does not imply that our protocol is brokenRather what we need is a secrecy claim saying that if anagent only speaks with trusted agents then the data beingtransmitted or shared is kept in secret [8]

(ii) Authentication Claim In Scyther authentication focuseson the verification that when a role in a protocol is executedwe can guarantee that in the current network there existsat least one entity that is communicating with this roleHowever only knowing that some entity is communicatingwith the role is not enough to guarantee the correctness androbustness of an authentication protocol we want to use


Scyther to verify and show a stronger guarantee that whenthe protocol is being executed the intended entity is awareof the communication and the messages exchanged betweenthe entity and the role follow the protocol description

An authentication claim is defined as claim (A Nisynch)It means agent A sends and receives messages in the orderwhich is exactly the same as what has been described in theprotocol [8]

52 Security Properties to Be Verified We aim to verify thatour proposed protocols have the following three securityproperties information confidentiality no theft of service pos-sible [28] and message sequence synchronization Successfulverification of these three properties can prove the robustnessof our proposed protocols against the possible rogue RS androgue BS attack described in Section 3 In our verification weinclude an additional restriction that only claims concerningsessions between trusted agents are evaluated

To illustrate our claims in the verification we define atermKeyFields Each datamessage exchanged between agentsis composed of a set of key elements for instance pmk akand szk KeyFields is denoted as the set of elementsThe threeproperties are explained in detail as follows

521 Information Confidentiality This property is satisfiedif the access nodes that is RS and MS can make sure thatall exchanged keys are kept in secret This property requiresthat each individual element 120572 in 119870119890119910119865119894119890119897119889119904 should be keptin secret

The general formalization of the information confiden-tiality property is given below

forall120572 isin 119870119890119910119865119894119890119897119889119904 119888119897119886119894119898 (MSRS 119878119890119888119903119890119905 120572) holds

This formalization can be expanded into the following sixclaims

Claim 1 claim (MS 119878119890119888119903119890119905 pmk) holdsClaim 2 claim (MS 119878119890119888119903119890119905 ak) holdsClaim 3 claim (MS 119878119890119888119903119890119905 szk) holdsClaim 4 claim (RS 119878119890119888119903119890119905 pmk) holdsClaim 5 claim (RS 119878119890119888119903119890119905 ak) holdsClaim 6 claim (RS 119878119890119888119903119890119905 szk) holds

522 NoTheft of Service Possible This property is satisfied if(i) AS can be ensured that neither an unauthorized BS nor anunauthorized RS can be able to impersonate a legitimate oneand get access to the network and (ii) BS has the guaranteethat an unauthenticated RS cannot gain access to the servicesprovided nor could it impersonate a legitimate user Aservice should always be bound to an authenticated userThis property is similar to the information confidentialityproperty but involves different agents of the protocol Itsformal definition is given as follows

forall120572 isin 119870119890119910119865119894119890119897119889119904 119888119897119886119894119898 (ASBS 119878119890119888119903119890119905 120572) holds

This formalization is expanded into claims 7ndash13

Table 1

Key element DescriptionPMK Pairwise Master KeyAK Authorization Key

SZK A group key used in the security zoneamong BS and many RSs

k(R A) KRS RSrsquos secret key shared with ASk(B A) KBS BSrsquos secret key shared with AS

Claim 7 claim (AS 119878119890119888119903119890119905 pmk) holdsClaim 8 claim (AS 119878119890119888119903119890119905 szk) holdsClaim 9 claim (AS 119878119890119888119903119890119905 k(RA)) holdsClaim 10 claim (AS 119878119890119888119903119890119905 k(BA)) holdsClaim 11 claim (BS 119878119890119888119903119890119905 pmk) holdsClaim 12 claim (BS 119878119890119888119903119890119905 ak) holdsClaim 13 claim (BS 119878119890119888119903119890119905 szk) holds

523 Message Sequence Synchronization This property issatisfied if all of RS BS and AS can be ensured that thecorresponding send and receive messages are executed inthe order exactly the same as what has been specified in theprotocol Its formal definition is given as follows

Claim 14 claim (RS 119873119894119904119910119899119888ℎ) holdsClaim 15 claim (BS 119873119894119904119910119899119888ℎ) holdsClaim 16 claim (AS 119873119894119904119910119899119888ℎ) holdsClaim 17 claim (MS 119873119894119904119910119899119888ℎ) holds

53 Formal Verifications Table 1 shows themessage elementsthat are used in our formal model

Recall that according to our protocol description inSection 4 several keys will be transmitted Hence we needto verify our protocols to see whether they can satisfy oursecrecy claim and authentication claim

Below are the specific verification results from ScytherThere are three parts in each of the following figures ofverification results The first part is ldquoClaimrdquo which containsseveral columns indicating which element 120572 in KeyFieldsshould be kept in secret in a specific node For example ldquoR1Secret pmkrdquo represents key pmk in node R1 should be keptsecret The second part is ldquoStatusrdquo which indicates the statusof verification with a variety of possible attacks ldquoOkrdquo meansthe specific claim holds (ie passes the verification) ldquoFailedrdquomeans possible attack(s) exists in this claim indicating thatthe design of the authorization protocol might have somepotential flaws The third part is ldquoCommentsrdquo this partprovides more specific information regarding the status Theexpected results of our protocols are that all claims shouldhold that is we expect to see all status as ldquoOkrdquo and no attacksare found

531 Protocol 1 RSConnects to theNetwork throughBS Fromthe verification results in Figure 4 we can see that all of our


Figure 4 Verification result for Protocol 1

Figure 5 Verification result for Protocol 2-Phase 1 initial authenti-cation

properties from Claim 4 to Claim 13 in Section 52 regardingkey elements hold and no possible attacks are detected Thisproves that our goals of information confidentiality and notheft of service possible are satisfied Therefore all the keyinformation can be transmitted and exchanged safely

532 Protocol 2 RS Connects to the Network through OtherRS(s)

(i) VerificationResults for Phase 1 From the verification resultsin Figure 5 we can see that Claim 14 holds and no possibleattacks are detected This proves that our goal of messagesequence synchronization is satisfied and the requesting RScan successfully authenticate a legitimate edge RS

(ii) Verification Results for Phase 2 The verification results forphase 2 are shown in Figure 6 from which we can see that allof our claims fromClaim 4 to Claim 13 regarding key elementare held and no possible attacks are detectedThis proves thatour goals of information confidentiality and no theft of servicepossible are satisfiedTherefore all the key information can betransmitted and exchanged safely

(iii) Verification Results for Phase 3 The verification resultsfor phase 3 are shown in Figure 7 from which we can seethat Claim 6 regarding the confidentiality of SZK holds and

Figure 6 Verification result for Protocol 2-Phase 2 mutual authen-tication

Figure 7 Verification result for Protocol 2-Phase 3 distributedauthentication

no possible attacks are detected This proves that our goals ofinformation confidentiality and no theft of service possibleare satisfied

533 Protocol 3 MS Connects to the Network through RS(s)

(i) Verification Results for Phase 1 The verification resultsfor phase 1 are shown in Figure 8 from which we can seethat Claims 17 and 14 hold and no possible attacks aredetected This proves that our goal of message sequencesynchronization is satisfied and the MS can successfullyauthenticate a legitimate edge RS

(ii) Verification Results for Phase 2 From Figure 9 we can seethat all of our claims from Claim 1 to Claim 13 regardingkey element are held and no possible attacks are detectedThis proves that our goals of information confidentiality andno theft of service possible are satisfied Therefore all the keyinformation can be transmitted and exchanged safely

(iii) Verification Results for Phase 3The verification results forphase 3 are shown in Figure 10 from which we can see thatClaims 6 and 3 regarding the confidentiality of SZK hold andno possible attacks are detected This proves that our goals of



Figure 9 Verification result for Protocol 3-Phase 2 initial authen-tication

information confidentiality and no theft of service possible aresatisfied

As seen in the above formal analysis our claims forthe secrecy and uniqueness of the exchanged key elementsthe no theft of service possible and message sequencesynchronization are satisfied in all of the three protocols

6 Concluding Remarks

In this paper we present a set of new secure authenticationprotocols to address the attack of rogue BSRS attack in theMMRWiMAX networks First relay station and mobile userauthentication provide access control Second in order toprotect the MMR network from rogue BS attack an authen-tication server is used to conduct mutual authentication forboth BS and RSMS in the network In this way a roguestation can be detected at early stage and its harm to thisnetwork can be minimized Third a security zone key isgenerated and securely delivered to an authenticated BS byAS BS can then distribute this SZK to legitimate RS withinthe network in this way the communications within thenetwork can be secured using SZK Fourth in order to reducethe overhead introduced by mutual authentications betweennodes a license and a distributed authentication are usedas a pass ticket for nodes which have been authenticatedwithin a valid period of time Such a node with a valid licensecan get access to the network without having to go through


the complete mutual authentication in AS and a node witha valid license is trustworthy to give away SZK or provideauthenticationmessage forwardingThismethod is useful forreducing the overhead especially when fast handoff happensfrequently To verify the security properties of our protocolswe apply the Scyther tool to conduct a formal verificationTheverification does not find any attackwith our protocols whichproves that our protocols satisfy three desirable security goalsnamely information confidentiality no theft of service possibleandmessage sequence synchronization

In the future work we will perform a numerical analysison the authentication performance of our protocols in termsof key processing time response time and total overhead ofprovisioning the dual authentication the security zone keyand the license

Competing Interests

The authors declare that they have no competing interests

References

[1] 3GPPorg ldquoLTE (Long Term Evolution)rdquo httpwww3gpporgtechnologieskeywords-acronyms98-lte

[2] Kyle ldquoIntel Capital WiMAX Is Not Deadrdquo httpwwwnibletzcominternationalintel-capital-wimax-is-not-dead

[3] L Tie and Y Yi ldquoExtended security analysis of multi-hop ticketbased handover authentication protocol in the 80216j networkrdquoin Proceedings of the 8th International Conference on WirelessCommunications Networking and Mobile Computing (WiCOMrsquo12) pp 1ndash10 Shanghai China September 2012

[4] S W Peters and RW Heath ldquoThe future of WiMAX multihoprelaying with IEEE 80216jrdquo IEEE Communications Magazinevol 47 no 1 pp 104ndash111 2009

[5] IEEE Standard for Air Interface for BroadbandWireless AccessSystems ldquoIEEE Std 80216-2012 (Revision of IEEE Std 80216-2009)rdquo pp 1ndash2542 August 17 2012

[6] X Dai andX Xie ldquoAnalysis and research of securitymechanismin IEEE 80216jrdquo in Proceedings of the International Conferenceon Anti-Counterfeiting Security and Identification (ASID rsquo10)pp 33ndash36 IEEE Chengdu China July 2010

[7] J Huang and C-T Huang ldquoSecure mutual authenticationprotocols for mobile multi-hop relayWiMAX networks againstRogue baserelay stationsrdquo in Proceedings of the IEEE Interna-tional Conference on Communications (ICC rsquo11) pp 1ndash5 IEEEKyoto Japan June 2011

[8] C Cremers ldquoThe scyther tool verification falsification andanalysis of security protocolsrdquo in Computer Aided Verification


20th International Conference CAV 2008 Princeton NJ USAJuly 7ndash14 2008 Proceedings vol 5123 of Lecture Notes in Com-puter Science pp 414ndash418 Springer Berlin Germany 2008

[9] S XuMMatthews andC-THuang ldquoSecurity issues in privacyand key management protocols of IEEE 80216rdquo in Proceedingsof the 44thACMSoutheast Regional pp 113ndash118Melbourne FlaUSA March 2006

[10] S Xu and C-T Huang ldquoAttacks on PKM protocols of IEEE80216 and its later versionsrdquo in Proceedings of the 3rd Interna-tional Symposium on Wireless Communication Systems (ISWCSrsquo06) pp 185ndash189 IEEE Valencia Spain September 2006

[11] D Johnston and J Walker ldquoOverview of IEEE 80216 securityrdquoIEEE Security and Privacy vol 2 no 3 pp 40ndash48 2004

[12] F Yang H Zhou L Zhang and J Feng ldquoAn improvedsecurity scheme in WMAN based on IEEE standard 80216rdquoin Proceedings of the International Conference on WirelessCommunications Networking and Mobile Computing pp 1191ndash1194 September 2005

[13] K Khan and M Akbar ldquoAuthentication in multi-hop wirelessmesh networksrdquo Transactions on Science Engineering and Tech-nology vol 16 pp 178ndash183 2006

[14] M E Mahmoud and X Shen ldquoAnonymous and authenticatedrouting in multi-hop cellular networksrdquo in Proceedings of theIEEE International Conference on Communications (ICC rsquo09)pp 1ndash6 IEEE Dresden Germany June 2009

[15] S Zhu S Setia S Jajodia and P Ning ldquoAn interleaved hop-by-hop authentication scheme for filtering of injected false datain sensor networksrdquo in Proceedings of the IEEE Symposium onSecurity and Privacy pp 259ndash271 May 2004

[16] Y Fan and Q Yali ldquoTwo different schemes of authenticationin IEEE 80216j multi-hop relay networkrdquo in Proceedings ofthe 8th International Conference on Wireless CommunicationsNetworking and Mobile Computing (WiCOM rsquo12) pp 1ndash4Shanghai China September 2012

[17] H X Jin L Tu G Yang and Y Yang ldquoAn improvedmutual authentication scheme in multi-hop WiMax networkrdquoin Proceedings of the International Conference on Computerand Electrical Engineering (ICCEE rsquo08) pp 296ndash299 PhuketThailand December 2008

[18] A S Khan N Fisal Z A Bakar et al ldquoSecure authenticationand key management protocols for mobile multihop WiMAXnetworksrdquo Indian Journal of Science and Technology vol 7 no3 pp 282ndash295 2014

[19] A S Khan H Lenando and J Abdullah ldquoLightweight messageauthentication protocol for mobile multihop relay networksrdquoInternational Review on Computers and Software vol 9 no 10pp 1720ndash1730 2014

[20] Y LeeHK LeeG Y LeeH J Kim andCK Jeong ldquoDesign ofhybrid authentication scheme and key distribution for mobilemulti-hop relay in IEEE 80216jrdquo in Proceedings of the EuroAmerican Conference on Telematics And Information SystemsNew Opportunities to Increase Digital Citizenship (EATIS rsquo09)Prague Czech Republic June 2009

[21] A S Khan N Fisal S Kamilah and M Abbas ldquoEfficientdistributed authentication key scheme for multi-hop relay inIEEE 80216j networkrdquo International Journal of EngineeringScience and Technology vol 2 pp 2192ndash2199 2010

[22] D Zhu N Pang and Z Fan ldquoA self-testing approach defendingagainst rogue base station hijacking of intelligent terminalrdquo inProceedings of the International Conference on Applied Scienceand Engineering Innovation Zhengzhou China May 2015

[23] M Barbeau and J-M Robert ldquoRogue-base station detection inWiMax80216 wireless access networksrdquo Annals of Telecommu-nications vol 61 no 11-12 pp 1300ndash1313 2006

[24] T Shon and W Choi ldquoAn analysis of mobile WiMAX securityvulnerabilities and solutionsrdquo in Proceedings of the 1st Inter-national Conference on Network-Based Information SystemsRegensburg Germany September 2007

[25] M Maxim and D Pollino WiMAX Security RSA PressMcGraw-HillOsborne Berkeley Calif USA 2002

[26] M Khosrowpour ldquoManaging information technologyresources in organizations in the next millenniumrdquo inProceedings of the Information Resources ManagementAssociation International Conferances May 1999

[27] C J Cremers S Mauw and E P de Vink ldquoInjective synchroni-sation an extension of the authentication hierarchyrdquoTheoreticalComputer Science vol 367 no 1-2 pp 139ndash161 2006

[28] E Kaasenbrood WiMAX Securitymdasha formal and informalanalysis [MS thesis] Eindhoven University of TechnologyDepartment of Mathematics and Computer Science Gronin-gen The Netherlands 2006

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Active and Passive Electronic Components

Control Scienceand Engineering

Journal of



RotatingMachinery


Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpwwwhindawicom

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics


Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation



DistributedSensor Networks



Group (TG) proposed the IEEE 80216j-2009 amendmentwhose main purpose is to expand the previous single-hop80216 standard to include multihop capabilities [4] enablethe operations of multihop communications based on relaystations (RSs) specify the mobile multihop relay (MMR)deployment and define two new types of elements themultihop relay base station (MR-BS) and the relay station(RS) In 2012 80216 Working Group announced the latestversion of the standard IEEE 80216-2012 [5] which incor-porated 80216j along with two other amendments 80216hand 80216m

Security has been an open challenge in WiMAX sinceits commencement because of the open-air nature of wire-less communications To overcome the potential attacks toWiMAX IEEE 80216 standard specifies a security sublayerin the MAC (Media Access Control) layer IEEE 80216-2009 offers an improved authentication and authorizationmechanism compared to its previous versions such as IEEE80216-2004 IEEE 80216-2009 provides better encryptionmethods more secure key management protocol and anEAP-based authentication strategy However in an MMRWiMAX network more security issues are exposed sincemessages have to be transmitted through one or more relaystations which makes it more difficult to ensure the authen-ticity of messages and devices involved in the transmissionTherefore the latest standard IEEE 80216-2012 defines an airinterface between an MR-BS and a RS with the followingadditional security functionalities [5]

(i) Trust within a certain cell that is MR-BS and agroup of RSs in the MR cell maintain a set of trustedrelationships called Security Zone in order to satisfyrequirements of multihop relay system operations

(ii) Centralized security control in MR-BS that is MR-BS is in charge of the generation of the securityassociation materials between RS and MR-BS

(iii) Transparency for mobile station (MS) connected tothe network through one or more RSs that is anyintermediate RS does not try to decrypt the userdata or authenticate the MAC management messageit receives from theMS but simply relays it to the nextnode

(iv) One RS does not have Authorization Key (AK) secu-rity context of any other RS

(v) The intermediate RS authenticates management mes-sages it receives from other RSs using relay-specificshard keys

(vi) Protection of nonauthenticated Pairwise Master Key(PKM) messages by MR-BS and the access RS thatis any nonauthenticated PKM messages which aretransmitted between MS and MR-BS through theaccess RS will be protected by the HMACCMACbased on the shared security associations establishedbetween MR-BS and the access RS

However even with these additional functionalitiesresearchers in [6] found that the security mechanism in IEEE80216j (part of current IEEE 80216-2012 standard) is still not

adequate in that it has vulnerabilities in its weak protectionof some PKM messages and security zone key update and issusceptible to DoS attacks on BS and rogue BS and rogue RSattacks

In our previous conference paper [7] we focused onaddressing the rogue BS and rogue RS attacks in MMRWiMAX networks with centralized authentication schemesand designed a set of protocols to address the aforementionedattacks However a formal verification we conducted laterusing the Scyther tool [8] shows that our previous protocolsallow for a new attack called suppress-replay attack whichexploits the asynchronization of time stamps in BS and RSMoreover our previous work did not provide a distributedauthentication scheme which is considered to be a morefavorable way to conduct authentication nowadays becauseof the multitude of distributed mobile clients and devices

In order to address these new issues found in our previouspaper we propose in this paper a complete authenticationsolution to address the rogue BS and rogue RS attacks inMMR WiMAX networks the suppress-replay attack foundin our previous scheme and a distributed authenticationscheme between RSs We present three different mutualauthentication protocols which utilize a trusted authentica-tion server to support three possible scenarios in which theRS or MS connects to an MMR WiMAX network Our pro-tocols are conformant to the security requirements of IEEE80216-2012 standard We also verify the correctness of ourprotocols by utilizing the former verification tool for securityprotocols called Scyther According to the verification resultour protocols are able to counter against all the attacks wediscussed in our paper

The remainder of this paper is organized as follows InSection 2 we give an overview of related works Section 3describes the possible rogue BS and rogue RS attacks onaccess service inMMRnetworks In Section 4 we present ournew schemes for securing the original authentication proto-cols for MMR networks against rogue BS and rogue RS InSection 5 we give a formal analysis and verification of ourprotocols using the Scyther tool Finally we conclude ourpaper and discuss the future work in Section 6

2 Related Work

A number of papers have been published regarding the secu-rity issues of WiMAX networks since IEEE 80216 standardwas developed Xu et al give a detailed analysis on privacyand key management protocols of the standard in [9 10]Several other papers addressed the security issues of one-wayauthentication and rogue base station attack such as [9 11 12]However these publications considered only the single-hopWiMAX when the MMRWiMAX network had not come toexistence

The authentication issue has been studied in severalother types of multihop networks such as wireless meshnetworks [13] cellular networks [14] and sensor networks[15] However the MMRWiMAX network is still very recentand has its own unique characteristics that need to beinvestigated separately






























Xrsquos certificate

(1)

(4)

(2)

(3)

Internet

Base station

Relay station

AAA server







119883


[MAC119883 CERT

119883

EXPR119883]



(1) RSrarr BS


























(1)

⟨5⟩

⟨3⟩⟨4⟩

(2)

⟨1⟩

⟨2⟩

⟨6⟩


Internet

(4)

(3)

Base station

Relay station

AAA server






















Internet

⟨1⟩

⟨6⟩

⟨2⟩⟨5⟩

⟨3⟩

⟨4⟩

(2)(1)(3)

(4)


Base station

Relay station

AAA server















[Nnc MS]]






Seq MS KMS]






































Table 1




































Competing Interests


References

































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation






































Xrsquos certificate

(1)

(4)

(2)

(3)

Internet

Base station

Relay station

AAA server







119883


[MAC119883 CERT

119883

EXPR119883]



(1) RSrarr BS


























(1)

⟨5⟩

⟨3⟩⟨4⟩

(2)

⟨1⟩

⟨2⟩

⟨6⟩


Internet

(4)

(3)

Base station

Relay station

AAA server






















Internet

⟨1⟩

⟨6⟩

⟨2⟩⟨5⟩

⟨3⟩

⟨4⟩

(2)(1)(3)

(4)


Base station

Relay station

AAA server















[Nnc MS]]






Seq MS KMS]






































Table 1




































Competing Interests


References

































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation

























Xrsquos certificate

(1)

(4)

(2)

(3)

Internet

Base station

Relay station

AAA server







119883


[MAC119883 CERT

119883

EXPR119883]



(1) RSrarr BS


























(1)

⟨5⟩

⟨3⟩⟨4⟩

(2)

⟨1⟩

⟨2⟩

⟨6⟩


Internet

(4)

(3)

Base station

Relay station

AAA server






















Internet

⟨1⟩

⟨6⟩

⟨2⟩⟨5⟩

⟨3⟩

⟨4⟩

(2)(1)(3)

(4)


Base station

Relay station

AAA server















[Nnc MS]]






Seq MS KMS]






































Table 1




































Competing Interests


References

































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation

































(1)

⟨5⟩

⟨3⟩⟨4⟩

(2)

⟨1⟩

⟨2⟩

⟨6⟩


Internet

(4)

(3)

Base station

Relay station

AAA server






















Internet

⟨1⟩

⟨6⟩

⟨2⟩⟨5⟩

⟨3⟩

⟨4⟩

(2)(1)(3)

(4)


Base station

Relay station

AAA server















[Nnc MS]]






Seq MS KMS]






































Table 1




































Competing Interests


References

































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










(1)

⟨5⟩

⟨3⟩⟨4⟩

(2)

⟨1⟩

⟨2⟩

⟨6⟩


Internet

(4)

(3)

Base station

Relay station

AAA server






















Internet

⟨1⟩

⟨6⟩

⟨2⟩⟨5⟩

⟨3⟩

⟨4⟩

(2)(1)(3)

(4)


Base station

Relay station

AAA server















[Nnc MS]]






Seq MS KMS]






































Table 1




































Competing Interests


References

































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











Internet

⟨1⟩

⟨6⟩

⟨2⟩⟨5⟩

⟨3⟩

⟨4⟩

(2)(1)(3)

(4)


Base station

Relay station

AAA server















[Nnc MS]]






Seq MS KMS]






































Table 1




































Competing Interests


References

































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation








































Table 1




































Competing Interests


References

































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation






















Table 1




































Competing Interests


References

































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation


































Competing Interests


References

































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation



















Competing Interests


References

































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation

































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation









Documents

Research Article Design and Verification of Secure Mutual