Security Mechanisms for Delivering Ubiquitous Services in Next Generation Mobile Networks
Haitham Cruickshank, University of Surrey
Mobile Communications Research
Workshop on Ubiquitous Services over Heterogeneous Mobile Networks - The Key to True Mobility
15 September 2008 @ PIMRC

Outline
- Introduction to the Enhanced Node (EN) architecture framework
- Security threats, security requirements and overview of the solutions
- Introduction to the mobility protocols
- Authenticated access control scheme
- Secured handover process mechanism
- Conclusions

Enhanced Node (EN)

Why Enhanced Node (EN)?
To address the challenges posed by ubiquitous services, a network support sub-layer is proposed, consisting of security, QoS and mobility management (MM) elements with radio resource management (RRM) hooks. The nodes carrying the support sub-layer are referred to as enhanced nodes (ENs).

Functionalities of the EN
With the help of ENs, integration of security, QoS and MM can be achieved. Integration, in this context, incorporates both horizontal integration between the various service concepts that exist in the disparate networks, and vertical integration, where the support of security, QoS and MM in the various participating networks is a key factor in end-to-end performance.

Security Related Enhanced Node (EN)
(Diagram: the security related EN offers two services, secured handover and authenticated access. It exchanges handover signalling with the security entities (security related ENs, AAA servers and access routers) and Mobile IP protocol based signalling with the mobility agents and the mobile nodes.)

The security related ENs are basically normal mobility agents enhanced with specific security functionalities. The security related EN acts as both a security entity and a mobility agent.
- As a security entity, it connects to the AAA servers and the ARs. The authenticated access control and secured handover services are provided by the security entity.
- As a mobility agent, it connects to the mobile nodes (MNs) and the ARs. It deals with the handover signalling and the basic Mobile IP signalling.

Architectural Framework
(Diagram: a home network with home agent, AAA server and gateway is connected through the future Internet to Access Network 1 and Access Network 2. Each access network has a gateway, an AAA server and several enhanced nodes; the EN sub-layer, carrying QoS, mobility and security with RRM hooks, sits above the network layer and link layer.)
Architectural Framework
Two IP-based access networks with similar infrastructure are presented.
- More than one EN with the network sub-layer is located within each access network, and the ENs communicate with each other via signalling.
- One AAA server is located within each network, close to the ENs, to help deliver secured services to the MNs.
- One gateway is located in each access network as the interface with the external IP network.
- The home network, with home agent (HA) and AAA server, needs to be involved when information from the home domain is required.

Security Threats
- Eavesdropping - when a Mobile Node (MN) is communicating with a correspondent node (CN), an adversary could eavesdrop on the conversation and learn useful data such as the MN's address, even when the meaningful data are encrypted.
- Masquerading - an adversary could impersonate a legitimate MN to access the network and to perform handover.
- Message Modification - an adversary could modify important signalling messages, such as the binding update (BU), if they are not properly secured.
- Denial-of-Service (DoS) - an adversary could replay QoS-conditionalised BUs along a path to book out all the available resources, so that the path runs out of resources for any legitimate requests.

Security Requirements
- Network Access Control - The MN needs to be authorized before it can enter the access network.
- Authentication - The MN needs to be authenticated for the services it requests, such as the handover.
- Protection of the handover signalling - The signalling involved in the handover procedures, such as the BUs, must be secured, so that an adversary cannot gain or modify useful information by listening to the handover conversation.
- Availability/Prevention of DoS - The MN needs to be authenticated before sending out a QoS-conditionalised BU, to make sure it is not an adversary trying to reserve the resources.
- Support for efficient handovers - The security mechanisms must have minimal negative effect on the registration and handover procedures; therefore the integration of security and MM is required.

Overview of the Solutions
Authenticated access control scheme
- It provides the MN with authorized network access and prevents unauthorized use of the network resources, such as an adversary accessing the network by masquerading as a legitimate user.
- Authentication and registration are completed in one sequential signalling exchange, which integrates security with MM.
Secured handover process mechanism
- It authenticates the MN before the handover and provides the MN with a secured handover by securing the signalling involved, such as the BUs.

Mobility Protocols
Hierarchical Mobile IPv6 (HMIPv6)
(Diagram: the CN and the HA address the MN by its RCoA at the MAP; below the MAP, the MN is attached to AR1 with LCoA1 and, after movement, to AR2 with LCoA2.)

Fast handover for inter-EN domain handovers
- The MN's new location needs to be temporarily registered with the previous EN (PEN). This can be done by the fast handover registration.
- When an MN moves into a new EN (NEN) domain, the MN obtains a new RCoA and sends a BU to the PEN requesting it to forward packets to the MN's new RCoA.
- Because of its intelligence, the PEN can be configured to forward packets to the NEN, and the packets finally arrive at the LCoA associated with the AR that is geographically adjacent to the AR on the boundary of the PEN domain.

Authenticated Access Control Scheme
- The AAA servers are located in both the visited network (AAAF) and the home network (AAAH).
- The EN acts as the AAA client, which is connected to the AAAF server.
- The security messages are integrated with the BUs, including the BUs to the EN and to the HA, in order to reduce the round-trip times (RTTs) involved in the registration and authentication processes.

Authenticated Access Control Scheme
(Diagram: in the visited network the MN sends security combined BUs to the Enhanced Node (AAA client), which forwards a security combined BU to the AAAF (AAA server); the AAAF forwards it to the AAAH (AAA server) in the home network, which exchanges a BU/BA with the HA. The security combined BAs travel back along the same path to the MN. Plain BU/BA exchanges with the CN are shown alongside.)

Integration of mobility and security
Signalling for the authenticated access control scheme, between the MN, AR, Enhanced Node (DIAMETER client), AAAF (DIAMETER server), AAAH (DIAMETER server) and HA:
- AR to MN: Router Advertisement with EN-option[EN, Chall.]
- MN to EN: BU_en with option[BU_ha] and option[CH/R]
- EN to AAAF: AAA Req. with AVP[CH/R] and AVP[BU_ha]
- AAAF to AAAH: AAA Req. with AVP[CH/R] and AVP[BU_ha]
- AAAH to HA: BU_alt; HA to AAAH: BA_alt
- AAAH to AAAF: AAA Resp. with AVP[CH/Rack] and AVP[BA_ha]
- AAAF to EN: AAA Resp. with AVP[CH/Rack] and AVP[BA_ha]
- EN to MN: BA_en with option[BA_ha]

Secured Handover Process Mechanism
The mechanism authenticates the MN before the handover takes place, and also protects the handover by securing the signalling with a handover key (HK) shared between the two entities involved, e.g. the Mobile Node (MN) and the EN. The secured handover process includes two procedures: key generation and securing the handover messages. The AAAF server also acts as the Handover Key Server (HKS).

Key Generation
Overview of the key generation procedure, between the MN, AR, Enhanced Node (AAA Client) and HKS (AAAF Server):
- MN to AR to EN: Handover Key Request
- EN to HKS: AAA request; the key is generated at the HKS
- HKS to EN: AAA response
- EN to AR to MN: Handover Key response

Signalling for the key generation procedure (the MN and the HKS both hold the PSK and the HIK):
- MN to AR to EN: Handover Key Request (PRF, CoA, N1, MN-HKS MAC, ...)
- EN to HKS: AAA Request (PRF, CoA, N1, MN-HKS MAC, ...)
- HKS: validate MAC, generate HK
- HKS to EN: AAA Response (N2, MN-HKS MAC, HK, ...)
- EN to AR: Handover Key Response (MN-HKS MAC, N2, PRF, HK, ...)
- AR: decrypt HK, store HK, generate Handover Key Response
- AR to MN: Handover Key Response (MN-AR MAC, MN-HKS MAC, N2, PRF, ...)
- MN: validate MAC

Secure the Handover Using the Handover Key
Intra-EN Domain Handover
Registration messages are localised within the EN domain, i.e. on the route MN-AR-EN. Therefore, when the MN moves between ARs, the BU and BA can be secured using the HK shared between the MN and AR pair (or even the MN and EN pair).

Inter-EN Domains Handover
The HK is used to secure the fast handover signalling, such as the Fast Binding Update (FBU).
(Diagram: the MN hands over to a new EN domain and sends UNA / ([FBU], HK) to the new EN; the new EN passes [FBU], HK to the previous EN, which validates the FBU; the two ENs exchange information and the FBAck is returned to the MN.)

Conclusions
The introduction of the EN
- The EN provides compatibility with QoS and mobility management (MM), integrating security with QoS and MM in a common framework to minimize the negative cross issues.
Two security solutions for the EN based infrastructure
- The authenticated access control scheme aims at authenticating and authorizing the MN when it crosses the networks.
- The secured handover process mechanism provides the MN with secured micro-mobility and macro-mobility handoffs within one access network.

Thank you! Q&A
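The key generation exchange and the HK-protected FBU described in the slides above, as an added Python model that is not part of the slides or the project. The slides name the PSK, HIK, PRF, CoA, N1, N2 and the MN-HKS and MN-AR MACs but not their algorithms, so the use of HMAC-SHA256 for the MACs and the PRF, the wrapping of the HK from HKS to AR under a hypothetical HKS-AR key, the field labels and the omission of the EN relay between AR and HKS are all assumptions here.

```python
# Added example (not from the slides): the key generation exchange and HK-protected FBU.
import hmac, hashlib
PRF_ID = b"HMAC-SHA256"   # the PRF field; HMAC-SHA256 is an assumed choice

def mac(key, *fields):
    # HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous (assumed)
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_hk(psk, coa, n1, n2):
    # PRF(PSK, CoA, N1, N2): generated by the HKS and derived independently by the MN (assumed)
    return mac(psk, b"HK", coa, n1, n2)

def wrap(ar_key, n1, n2, data):
    # One-time pad carrying the HK from HKS to AR under an assumed HKS-AR key; XOR also unwraps
    return bytes(a ^ b for a, b in zip(data, mac(ar_key, b"wrap", n1, n2)))

def mn_request(hik, coa, n1):
    # Handover Key Request (PRF, CoA, N1, MN-HKS MAC); the MN-HKS MAC is keyed with the HIK
    return {"prf": PRF_ID, "coa": coa, "n1": n1, "mac": mac(hik, PRF_ID, coa, n1)}

def hks_respond(psk, hik, ar_key, req, n2):
    # HKS: validate MN-HKS MAC, generate HK, answer AAA Response (N2, MN-HKS MAC, HK)
    if not hmac.compare_digest(req["mac"], mac(hik, req["prf"], req["coa"], req["n1"])):
        return None                                   # unauthenticated MN: no key issued
    hk = derive_hk(psk, req["coa"], req["n1"], n2)
    return {"n2": n2, "hk_enc": wrap(ar_key, req["n1"], n2, hk),
            "mac": mac(hik, req["n1"], n2, PRF_ID)}   # N1 binds the reply to this request

def ar_respond(ar_key, req, resp):
    # AR: decrypt and store HK, then build the Handover Key Response with an MN-AR MAC under HK
    hk = wrap(ar_key, req["n1"], resp["n2"], resp["hk_enc"])
    return hk, {"n2": resp["n2"], "hks_mac": resp["mac"],
                "ar_mac": mac(hk, b"AR", req["n1"], resp["n2"])}

def mn_finish(psk, hik, req, hkr):
    # MN: validate MN-HKS MAC with HIK, derive HK, then check the AR proved possession of HK
    if not hmac.compare_digest(hkr["hks_mac"], mac(hik, req["n1"], hkr["n2"], req["prf"])):
        return None
    hk = derive_hk(psk, req["coa"], req["n1"], hkr["n2"])
    return hk if hmac.compare_digest(hkr["ar_mac"], mac(hk, b"AR", req["n1"], hkr["n2"])) else None

def run_exchange(psk, hik, ar_key, coa, n1, n2):
    # Whole run: (MN and AR share one HK, genuine FBU verifies, a modified FBU is rejected)
    req = mn_request(hik, coa, n1)
    hk_ar, hkr = ar_respond(ar_key, req, hks_respond(psk, hik, ar_key, req, n2))
    hk_mn = mn_finish(psk, hik, req, hkr)
    tag = mac(hk_mn, b"FBU", b"FBU:" + coa)           # HK secures the fast handover signalling
    return (hk_mn == hk_ar, hmac.compare_digest(tag, mac(hk_ar, b"FBU", b"FBU:" + coa)),
            hmac.compare_digest(tag, mac(hk_ar, b"FBU", b"FBU:tampered")))
```

Nonces N1 and N2 are passed in as constructed values so the run is reproducible; in practice both sides draw them fresh for every request.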