21-07-0401-02-00001 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-0402-02-0000 Title: Performance analysis of authentication signaling schemes for.


Slide 1: Title slide
Title: Performance analysis of authentication signaling schemes for media independent handovers
Date Submitted: November 1, 2007
Presented at IEEE 802.21 session #23 in Atlanta
Authors or Source(s): Antonio Izquierdo, Lily Chen, Katrin Hoeper, Nada Golmie
Abstract: In this contribution different authentication signaling schemes, including full authentication, re-authentication, and indirect pre-authentication, are evaluated for media independent handovers. Simulation results are obtained with IEEE 802.16 and IEEE 802.11 handovers.

Slide 2: IEEE 802.21 presentation release statements
This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE's name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE's sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21. The contributor is familiar with IEEE patent policy, as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual (http://standards.ieee.org/guides/opman/sect6.html#6.3) and in Understanding Patent Issues During IEEE Standards Development (http://standards.ieee.org/board/pat/guide.html).

This is a contribution by the National Institute of Standards and Technology and is not subject to copyright in the US. The contributors do not have the authority to override the NIST policy in favor of the IEEE 802.21 policy. The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws (http://standards.ieee.org/guides/bylaws/sect6-7.html#6) and in Understanding Patent Issues During IEEE Standards Development (http://standards.ieee.org/board/pat/faq.pdf).

Slide 3: Outline
- Goals and motivation
- Review of authentication signaling schemes
- Simulation environment
- Performance metrics
- Simulation parameters
- Performance results
  - Security signaling latency
  - Cryptographic processing time
  - Impact of network topology on indirect pre-authentication
  - Transmission delay
  - Handover latency
- Summary

Slide 4: Goals and motivation
The main goal of this contribution is to analyze the performance of different authentication signaling mechanisms in the context of heterogeneous handovers. Simulation models are developed to evaluate the performance of the following three authentication signaling schemes:
- Full authentication
- Indirect pre-authentication
- Re-authentication
Heterogeneous handovers are considered in the context of IEEE 802.16 and IEEE 802.11 networks.

Slide 5: Full authentication (message sequence diagram)

Slide 6: Indirect pre-authentication (message sequence diagram)

Slide 7: Re-authentication (message sequence diagram)

Slide 8: Simulation environment
- Used NS-2 with IEEE 802.16 and 802.21 module extensions (available from http://www.antd.nist.gov/seamlessandsecure.shtml#software_tools)
- Developed extensions to model authentication in IEEE 802.11 and IEEE 802.16 networks using EAP:
  - Implemented the EAP framework as defined in RFC 3748, including the TTLS-MD5 and GPSK methods
  - Developed an IEEE 802.16 authentication module to support full authentication, re-authentication and Handover Process Optimization as defined in IEEE 802.16e
  - Developed an 802.11 authentication module to support full authentication in RSN and re-authentication in the mobility domain
  - Developed support for pre-authentication using the IEEE 802.21 extensions
  - Developed a limited RADIUS implementation for key and EAP message transfers

Slide 9: 802.11 Authentication (message sequence diagram)

Slide 10: 802.11 Authentication (message sequence diagram, continued)

Slide 11: 802.16 Authentication (message sequence diagram)

Slide 12: Performance metrics (1)
EAP latency denotes the time elapsed from the sending of the EAP Start message to the receipt of the EAP SUCCESS or EAP FAILURE message. It is included in the full authentication signaling latency, but not in the pre-authentication signaling latency.

Slide 13: Performance metrics (2)
Security signaling latency is defined as the time elapsed from the sending of the first authentication message to the reception of the ACK for the last message.
(Figures: message sequences for 802.11 and 802.16 with the measured interval marked.)

Slide 14: Performance metrics (3)
Transmission delay is the time it takes a packet to reach its destination.

Slide 15: Performance metrics (4)
Handover delay represents the time elapsed from the moment a handover decision is executed until the traffic is redirected to the new interface. The decision to perform a handover is made when a new link is detected and either the new link is better than the current link or the current link is disconnected.
The cryptographic processing delay is the time spent by the mobile node performing the various cryptographic operations during the authentication.
Note that the results obtained represent mean values averaged over 100 simulations.

Slide 16: Simulation parameters (1)
- The traffic flows from a corresponding node in the backbone network to the mobile node
- 802.11 network configuration: data rate 11 Mb/s, coverage area radius 50 m
- 802.16: coverage area radius 500 m
- The mobile node does not use MIH triggers
- The 802.11 interface is preferred over the 802.16 interface

Slide 17: Simulation parameters (2)
- Key lifetimes are longer than the simulation time, so the mobile node does not need to refresh them or re-authenticate with the current PoA
- The authentication lifetime is larger than the simulation time
- The size of the DH authentication keys is 1024 bits
- The size of the symmetric authentication keys is 128 bits
- The size of the IDs is 64 bytes

Slide 18: Network topology 1 (figure)

Slide 19: Simulation results: Security Signaling Latency using EAP GPSK
In this case full authentication was performed. Note that the cryptographic processing (computed as an example on a Palm Tungsten) is 17.48 ms, which is equivalent to 9.08 % of the EAP time in 802.11 or 7.72 % of the EAP time in 802.16.

802.11                 Authentication time   %
Open Authentication    1.98 ms               0.99 %
Association            1.62 ms               0.81 %
EAP Authentication     192.47 ms             96.28 %
4-Way Handshake        3.84 ms               1.92 %

802.16                 Authentication time   %
EAP Authentication     226.37 ms             96.16 %
TEK Request            9.05 ms               5.84 %

Slide 20: Simulation results: Security Signaling Latency using EAP TTLS-MD5
In this case full authentication was performed. Note that the cryptographic processing (computed as an example on a Palm Tungsten) is 30884.22 ms, which represents 98.49 % of the EAP time in 802.11 or 98.25 % of the EAP process in 802.16. Note that the DH Agreement alone takes 30813 ms measured on the same platform.

802.11                 Authentication time   %
Open Authentication    1.98 ms               < 0.01 %
Association            1.62 ms               < 0.01 %
EAP Authentication     31350.49 ms           99.98 %
4-Way Handshake        3.84 ms               0.01 %

802.16                 Authentication time   %
EAP Authentication     31436.18 ms           99.97 %
TEK Request            9.05 ms               0.03 %

Slide 21: Comparing different authentication schemes' latency, EAP GPSK
These are mean values in milliseconds, with the standard deviation in brackets.

802.16          Full Auth        Re-Auth         Improv. over Full Auth   Indirect Pre-Auth   Improv. over Full Auth
Sign. latency   235.42 [0.013]   70.42 [0.001]   70.09%                   10.42 [0.171]       95.57%
EAP latency     226.37 [0.001]   61.37 [0.001]   72.89%                   422.42 [0.136]      -86.61%

802.11          Full Auth        Re-Auth         Improv. over Full Auth   Indirect Pre-Auth   Improv. over Full Auth
Sign. latency   194.33 [0.672]   46.59 [0.510]   76.03%                   3.01 [0.371]        98.45%
EAP latency     192.47 [0.608]   45.07 [0.417]   76.59%                   422.42 [0.136]      -117.37%

Slide 22: Comparing different authentication schemes' latency, EAP TTLS-MD5
These are mean values in milliseconds, with the standard deviation in brackets.

802.16          Full Auth          Re-Auth         Improv. over Full Auth   Indirect Pre-Auth   Improv. over Full Auth
Sign. latency   31445.42 [0.001]   70.42 [0.014]   99.78 %                  10.42 [0.171]       99.96 %
EAP latency     31436.18 [0.001]   61.37 [0.001]   99.80 %                  31892.35 [0.366]    -1.16 %

802.11          Full Auth          Re-Auth         Improv. over Full Auth   Indirect Pre-Auth   Improv. over Full Auth
Sign. latency   31352.37 [0.751]   46.59 [0.450]   99.85 %                  3.01 [0.371]        99.99 %
EAP latency     31350.49 [0.705]   45.07 [0.395]   99.85 %                  31802.67 [0.366]    -1.15 %

Slide 23: Transmission delay (Network topology 1) (figure)

Slide 24: Transmission delay (Network topology 1) (figure, continued)

Slide 25: Observations on the security signaling latency
- Both re-authentication and indirect pre-authentication reduce the security signaling latency by more than 70%
- EAP latency in indirect pre-authentication increases as a result of the longer path used by the EAP messages; this forces the mobile device to make the handover decision earlier than it would for a normal network entry
- With re-authentication the EAP latency is reduced

Slide 26: Impact of cryptographic processing delay, EAP GPSK
Note that an indirect pre-authentication requires the same cryptographic operations as a full authentication.

802.16                          Full Auth   Re-Auth
EAP latency (ms)                226.37      61.37
Cryptographic delay (ms)        17.48       1.02
Share of EAP latency            7.72 %      1.66 %

802.11                          Full Auth   Re-Auth
EAP latency (ms)                192.47      45.07
Cryptographic delay (ms)        17.48       1.02
Share of EAP latency            9.08 %      2.26 %

Slide 27: Impact of cryptographic processing time, EAP TTLS-MD5
Note that an indirect pre-authentication requires the same cryptographic operations as a full authentication.

802.16                          Full Auth   Re-Auth
EAP latency (ms)                31436.18    61.37
Cryptographic delay (ms)        30884.22    1.02
Share of EAP latency            98.24 %     1.66 %

802.11                          Full Auth   Re-Auth
EAP latency (ms)                31350.49    45.07
Cryptographic delay (ms)        30884.22    1.02
Share of EAP latency            98.51 %     2.26 %

Slide 28: Observations on the cryptographic processing delay
- Pre-authentication does not reduce the cryptographic processing delay of a full authentication; the delay may in fact increase due to secure tunnel negotiations
- Re-authentication reduces the time spent in cryptographic processing, since the number of messages exchanged is reduced and cryptographic key material is reused
- Re-authentication may be an alternative to a full authentication when the time needed for a full authentication is a cause of concern (other considerations include battery life and power consumption)

Slide 29: Handover delay
These are mean values in milliseconds.

802.16     Full Authentication   Re-Authentication   Indirect Pre-Authentication
GPSK       1160.84               990.84              930.84
TTLS-MD5   32365.84              990.84              32365.84

802.11     Full Authentication   Re-Authentication   Indirect Pre-Authentication
GPSK       921.93                717.84              677.87
TTLS-MD5   32084.81              717.84              32084.81

Slide 30: Observations on the handover delay
- Re-authentication reduces the total handover delay, independently of the EAP method used
- Indirect pre-authentication reduces the handover delay as long as it is possible to fully run the authentication method before the network entry takes place
- If the pre-authentication is not completed at the time of the network entry, a new full authentication starts; in this case the situation is the same as in a full authentication
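As an added illustration (not code from the NIST contribution), the metric definitions on slides 12 and 13, the derived percentage columns on slides 19, 21 and 26, and the slide 30 rule that an unfinished pre-authentication falls back to a full authentication can be reproduced from the 802.16 EAP-GPSK figures; the lead-time parameter of the fallback check is an assumption used to model when the pre-authentication run starts.

```python
"""Latency bookkeeping for the three authentication signaling schemes.

Added example, not code from the contribution. Timings are the mean
values (ms) quoted on the slides for IEEE 802.16 with EAP-GPSK; the
pre-authentication deadline check is a constructed model of slide 30.
"""

# Per-exchange timings of the 802.16 EAP-GPSK full authentication (slide 19).
FULL_AUTH_802_16 = {"EAP Authentication": 226.37, "TEK Request": 9.05}

# Measured (security signaling latency, EAP latency) per scheme (slide 21).
GPSK_802_16 = {
    "full": (235.42, 226.37),
    "reauth": (70.42, 61.37),
    "indirect": (10.42, 422.42),  # EAP runs ahead of time over a longer path
}

# Cryptographic processing delay on the Palm Tungsten T3 (slide 26).
CRYPTO_MS = {"full": 17.48, "reauth": 1.02}


def signaling_latency(components):
    """Security signaling latency: sum of the exchanges (slide 13)."""
    return round(sum(components.values()), 2)


def share_pct(part, total):
    """Percentage of a total spent in one exchange, as in the slide tables."""
    return round(100.0 * part / total, 2)


def improvement_pct(full, scheme):
    """Improvement over full authentication; negative means slower."""
    return round(100.0 * (full - scheme) / full, 2)


def network_entry_latency(scheme, lead_time_ms, table=GPSK_802_16):
    """Signaling latency paid at network entry.

    Indirect pre-authentication only pays off if its EAP run, started
    lead_time_ms before the new link is entered (assumed parameter),
    has finished; otherwise a fresh full authentication is performed.
    """
    sig, eap = table[scheme]
    if scheme == "indirect" and lead_time_ms < eap:
        return table["full"][0]
    return sig
```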

Slide 31: Network topology 2 (figure)

Slide 32: Indirect pre-authentication (Network topology 2), EAP GPSK
These are mean values in milliseconds, with the standard deviation in brackets.

802.16 - GPSK                Full Auth        Indirect Pre-Authentication   Improv. over Full Auth
Security Signaling Latency   275.42 [0.013]   10.42 [0.171]                 95.57%
EAP Latency                  266.37 [0.001]   621.32 [0.156]                -117.36%

802.11 - GPSK                Full Auth        Indirect Pre-Authentication   Improv. over Full Auth
Security Signaling Latency   234.33 [0.672]   3.01 [0.371]                  98.45%
EAP Latency                  232.47 [0.608]   621.32 [0.156]                -157.25%

Slide 33: Indirect pre-authentication (Network topology 2), EAP TTLS-MD5
These are mean values in milliseconds, with the standard deviation in brackets.

802.16 - TTLS-MD5            Full Auth          Indirect Pre-Authentication   Improv. over Full Auth
Security Signaling Latency   31807.42 [0.127]   10.42 [0.171]                 99.97 %
EAP Latency                  31796.18 [0.126]   32161.83 [0.277]              -1.15 %

802.11 - TTLS-MD5            Full Auth          Indirect Pre-Authentication   Improv. over Full Auth
Security Signaling Latency   31716.37 [0.241]   3.01 [0.371]                  99.99 %
EAP Latency                  31712.49 [0.237]   32029.67 [0.305]              -2.16 %

Slide 34: Observations on indirect pre-authentication for network topology 2
- EAP latency in indirect pre-authentication depends heavily on the network topology considered
- The impact is greater for fast authentication methods
- Topology information must be available beforehand in order to perform the pre-authentication on time

Slide 35: Summary
- Re-authentication and indirect pre-authentication reduce the time required for authentication during a handover
- Indirect pre-authentication allows a shorter security signaling latency during the network entry, at the expense of requiring more time in advance for handover preparation
- Re-authentication reduces the cryptographic processing time, and its performance does not depend so much on the network topology considered
- Either the indirect pre-authentication or the re-authentication technique can be used; deciding which one depends on the scenario considered

Slide 36: Backup

Slide 37: Cryptographic processing delay assumptions
The cryptographic processing times used are real values in milliseconds obtained from a Palm Tungsten T3. These values depend on the platform used and therefore should not be taken as absolute values; the intention here is to compare the different cryptographic methods available on a given platform.

Size of the encrypted data   16 bytes   128 bytes   512 bytes
AES 128 (encrypt)            3.04       7.39        32.61
AES 128 (decrypt)            3.11       7.67        33.18
MD5                          0*         2.17        3.04
SHA1                         0*         1.3

Key size                     512 bits   768 bits    1024 bits
DH Agreement                 4047.83    13224.78    30813.48

* Value under the precision of the device timer

Slide 38: EAP: Generalized Pre-Shared Key (message sequence diagram)

Slide 39: EAP: TTLS-MD5 (message sequence diagram)
