A Radio-independent Authentication Protocol(EAP-CRP) for Networks of Cognitive Radios

Masahiro Kuroda', Ritsu Nomura2, and Wade Trappe3

Abstract- Securing future wireless networks will be acritical challenge as the popularity of mobilecommunications implies that wireless networks will be thetarget of abuse. The next generation of wireless networks,as envisioned by recent advances in cognitive radio (CR)technologies, will be autonomic and able to adjust theirconfiguration to changes in the communicationenvironment. Unfortunately, the authenticationframeworks for various radio technologies, such asIEEE802.11 and 802.16, are quite different from oneanother and, in order to support radio reconfiguration, it isnecessary to devise an appropriate authenticationframework for CR systems. In this paper, we propose aradio-independent authentication protocol for CRs that isindependent of the underlying radio protocols and able tosupport EAP transport. The re-keying protocol assumesuser-specific information, such as location information, as akey seed. The keys for authentication and encryption arederived from the historical location registry of a mobileterminal. The keys are frequently updated as mobile users'position varies. After discussing authentication issues forCR networks, radio-independent authentication vialocation information, and application to EAP transport, weevaluate the confidentiality of the key management methodand its integration with EAP, thereby supporting theeffectiveness of our key management method for CRnetworks.

Index Terms- cognitive radio, authentication protocol,location information, wireless security, EAP, key management,DoS attack, carousel

I. INTRODUCTION

Cognitive-radio (CR) networks are being designed tosupport spectrum-efficient networking, where deviceswill dynamically adapt to their operating environments byextending technologies developed for software definedradios (SDR) [1]. High data-rate transfer will besupported by allocating spectral resources that are not

1 M. Kuroda is with National Institute of Information and CommunicationsTechnology, 3-4 Hikarino-oka, Yokosuka, Kanagawa 239-0847 Japan (e-mail:marshgnict.go jp)

2 R. Nomura is with Public-use Systems Dept.1, Kobe Works, MitsubishiElectric Corporation,325 Kamimachiya, Kamakura, Kanagawa 247-8520Japan (e-mail: Nomura.Ritsugak.MitsubishiElectric. co jp)

3W. Trappe is with Wireless Information Network Laboratory (WINLAB),Rutgers University, Piscataway, NJ 08854 (e-mail:trappegwinmain.rutgers. edu)

used. In particular, if a user can utilize spectral resourcesavailable at a specific location (such as bandwidth that isfreed up by primary service providers), while notsacrificing the utility of other users, then he or she shouldbe given access to such spectral resources in order toimprove his or her communication performance.CR networks inherently expect coordination among

the mobile terminals, base stations/access points, andspectrum-management servers to support this vision.Whenever a mobile terminal attempts to reconfigure itselfand adjust to opportunities in the radio environment, thenetwork should first ensure that the terminal is a validparticipant, and if the terminal is new to the CR network,it should be invited to join the existing consortium ofCRnetwork participants by consulting some form of anauthorization service, such as an AAA server [2].Unfortunately, the authentication protocols that areemployed by AAA servers depend on the underlyingradio systems involved, such as 3G, IEEE802.11 and802.16. This complicates the issues since, as every time aterminal changes its radio system or adjusts to a new oneusing SDR/CR technologies, it must follow a differentauthentication procedure with different securityrequirements and often dramatically differentimplementations. Ultimately, this heterogeneity is ahurdle since it degrades the performance of any radioswitchover attempting to take advantage of CR'sautonomic features.

In this paper, we propose an authentication protocolfor CR networks that can be integrated with theExtensible Authentication Protocol (EAP). The protocolallows quick radio switchover in CR networks withoutthe need to consult an AAA server for re-authentication.We begin with an overview of CR technology andauthentication models. We then describe ourradio-independent authentication protocol in theframework of EAP. Finally, we evaluate our protocol inthe context of the EAP method requirements andconclude with discussions on future directions forauthentication protocol design for CR networks.

II. COGNITIVE-RADIO (CR) NETWORK

A CR network on the most basic level is built on theprinciples of cooperative coordination between acoalition of participants. This successful operation by thecoalition requires coordination between a mobile terminal,

1-4244-1268-4/07/$25.00 ©2007 IEEE

Thiisfull textpaper was peer reviewed at the direction ofIEEE Communications Society subject matter expertsfor publication in the IEEE SECON 2007proceedings.70

base stations/access points, and spectrum-managementservers to appropriately manage spectrum usage and toproperly adapt terminals to enable improvedcommunications. To place our proposed authenticationframework in a context, we first provide an overview ofCR networks, discuss requirements that exist within thenetwork, and outline the design objectives for anauthentication system.

A. Overview ofCR Technology

CR technology offers improved efficiency in the useof bandwidth due to the ability of CRs to learn from andadapt to local and global knowledge of the spectrumenvironment. It is necessary for terminals within the CRnetwork to sense their local environment, track changes,exchange observations with other CRs, and eventually acton this shared knowledge to support adaptation by thecommunication stack within a CR,. In particular, CRsmay adapt their underlying communication technology(e.g. switching from a wide-area technology to a WiFitechnology), and consequently must be able to observeand interact with a variety of existing radio networks. Interms of implementation, this implies that CRs must beable to frequently exchange information betweenthemselves as well as with existing wireless systems.We outline a typical scenario in Fig. 1, taking an

example from IEEE802.22 [3]. There are three kinds ofcomponents involved, User Equipment (UE1-4), BaseStations (BS 1-2), and a Database (DB). During theinitialization phase, all BSs consult the DB forinformation on resources and identify a candidate channelafter sensing and confirming whether the channel isvacant. A BS then establishes operations on theconfirmed channel. When a UE tries to establishcommunication, it needs to scan a predefined channel listor all the channels to find one that is available, connectwith at least one BS, then obtain resource parameters,such as identifying uplink and downlink channels orpower levels.

There are basically two means of retrieving theseparameters, the first is to use a dedicated control channeland the second is to use various in-band informationattached to the data payload or header. Afterinitialization, the BSs and UEs are in a communicationstate, and both periodically report their information onresources to the DB. The recommended-information listincludes the location of the UE, the power level, thetransmission band, the modulation format, and the SNR.After obtaining this information, the DB reconfiguresboth the BSs and UEs. Having access to the DB, each BScan control the UE it is serving, manage its use of thespectrum to avoid interference, and configure morepowerful/efficient modulation and coding. This scenariorequires the UE to select its desired spectrum from

available spectra, and further should not require any newauthentication for access because the same MAC-identityis used.

BS1 , BS2 4/ API

UEI

UE3

UE2

UE4

DB

UE5

UE6Figure 1.Scenario for IEEE802.22 CR and beyond

The industry has already started to target integratingCR functionality into products. There has recently beenan announcement of a joint WiFi/WiMAX radio chip thatwill be embedded into mobile terminals and base stationsto support radio agility. User Equipment (UE5-6) willhave both WiFi and WiMAX MAC/PHYs, with a"convergence layer" on top of the MACs, as show in Fig.2. The spectrum sensor in the terminal would detect thepresence of other radios, and this information would drivethe ability to select a MAC/PHY layer for whicheverradio system would best benefit the terminal byconsulting the DB. The UE is configured to access a radiosystem, e.g. WiFi or WiMAX, and it then needs to followits own authentication procedure. The authenticationdepends on the protocol/credential requirements of eachradio system, with EAP being used as a transportmechanism. The EAP specification details only of packetformats and a basic handshake between entities, but notspecifics for how EAP can be applied to different systems.The most flexible CR configuration, the so-called full-CR,rebuilds the radio system by integrating radio componentsand MAC/PHY modules online, reinitializes to any radiosystem, and validates with an authentication serveraccording to the authentication data/protocolrequirements.

The current IEEE802.22 specification requiresauthentication to the new radio system every time the CRplatform changes to another radio system. As long as aCR device remains within a single radio system, efficientCR switchover is not needed.

B. CR Switchover

This section explains the CR switchover scenario for aCR mobile device operating in a network consisting ofmultiple radio systems, such as WiFi and WiMAX. A

71

basic CR network consists of CR devices, having aspectrum sensing, radio configuration, and spectrummanagement database components, and a spectrummanagement server located in the network, as shown inFig. 2. The CR device, first, senses radios, finds candidateradios, and consults the server to check whether there areany potential conflicts (e.g. hidden terminal problems).The convergence layer, which is located on the CRcomponent, asks an Information server for appropriatenetwork providers in the area and selects one from these.The CR reconfigures MAC/PHY to the one selected andinitiates re-authentication following the protocolspecified for the selected radio system.

this section, and then focus on the issue of authenticationin CR networks.

A. Pre-shared Secret Key Authentication

One of the most well-known starting points fordesigning an authentication framework for CR networksis to look at the existing cellular system. The 3G/GSMcellular system has its own security model based on apre-shared secret key. A secret key is shared between amobile device and the Home Location Register (HLR).The basic WLAN (IEEE802. 11) system also employs ashared-key authentication scheme. The pre-shared secretkey framework requires less traffic in setting up securecommunication between two entities than theserver-centric model described next, but it fails to requirea mobile terminal to check whether the network is theright one to access. Ifthe network expects protection fromman-in-the-middle attacks, mutual authentication andheavy computation on the device is required.

Mobile Terminal Auth(with Au

Operator-specific algorithm E, Ki <

MAC_RAND=HMAC(RAND)

[SRES,Kc] = E(RAND,Ki) [S

MAC SRES=HMAC(SRES)

Figure 2. CR switchover and re-authentication

As the current recommendation stands, theauthentication requirements depend on each radio systemand the protocol is different among radio systems.Re-authentication, therefore, follows a newauthentication procedure from scratch, involvesconsulting a new AAA server in a new subnetwork and,hence is incapable of fast switchover from one radiotechnology to another because of different authenticationcredentials and protocols. We therefore cannot expectquick switchover, even though a CR device may be ableto reconfigure itself quickly.

III. AUTUENTICATION MODEL

Service continuation is important for mobile users,and will be even more critical in CR networks where theinherent heterogeneity makes it difficult for terminals tointer-operate. The terminal for a network of CR devicesmust not only reconfigure itself to employ different radiotechnologies, but it must also seamlessly maintainauthentication (and if necessary, re-authenticate) as thedevice moves from one radio network to another. Weexamine several existing authentication frameworks in

tentication Serverithentication Center)RAND, SRES, Ki>

RES,Kc] = E(RAND,Ki)

\AC_SRES=MACH(SRES)

Use Re

128-bit Random Challenge: RANDSession Encryption Key: KcMessage Authentication Code: MAC_SRES

Figure 3. EAP-SIM authentication

EAP-SIM [4], outlined in Fig. 3, is a pre-shared secret(contained on the SIM) authentication scheme that usesthe EAP framework to achieve a SIM-basedchallenge/response authentication between a mobileterminal and an AAA server.

B. Server-centric Authentication

The IEEE802.1 li model, on the other hand, does notassume there are any pre-shared keys. The server-centricmodel manages all authentication keys on a centralauthentication server. IEEE802. IX accommodatesvarious types of authentication via operation ofEAP witha central AAA server. EAP-TLS is a TLS based extensionof the EAP that requires a PKI-based certificate for both amobile terminal and network. The server-centric modelprovides authentication that is independent of a mobileterminal. It has, however, drawbacks in terms of theamount of network traffic involved, as well as the heavycomputational requirements placed on mobile devices.CR-network traffic causes latency in the communications

72

'4/

setup. PKI-based authentication requires heavy CPUusage on both the mobile device and network.

IEEE802. 16 also deploys a server-centricauthentication mechanism. The authentication protocolconsists of a three-message exchange and uses a publickey Cert(SS), which is described in the following [5].This authentication scheme lacks the means for a BS toauthenticate an SS and is weak to forgery attacks. Mutualauthentication is required to protect from attacks, butachieving such protection is expensive due to the use of apublic key Cert(BS) on a mobile terminal.

Message 1:SS->BS: Cert (Manufacturer(SS))Message 2:SS->BS: Cert (SS)ICapabilitylSAIDMessage3:BS->SS: RSA-Encrypt(PubKey(SS),AK) ILifetimeI SeqNo SAIDList

C. EAP and its Keying Extension

Extensible Authentication Protocol (EAP) started as aPPP extension and prevailed in many different scenarios,especially in wireless network environments, where IP isnot necessary over the access links. EAP is a powerfulauthentication framework that supports multiple andfuture authentication mechanisms, such as EAP-SIM,EAP-TSL, and EAP-TTLS.

EAP methods generate a Master Session Key (MSK)and the key is used by EAP lower layers. The transport ofthe EAP MSK between the EAP server and initialauthenticator require re-execution of EAP authenticationin handover/ switchover to a different radio system, eventhough the same EAP/AAA server will deal with theauthentication.

There has been discussion to use an Extended MasterSession Key (EMSK), which is generated at the sametime anMSK is created, as the root of a cryptographic keyhierarchy and, then, the keys in the hierarchy can be usedfor various purposes, such as a handover/switchoverauthentication. The key hierarchy based on an EMSK isacceptable for handover /switchover, as long as the keysgenerated from the EMSK are cryptographicallyseparated from the MSK [6].

An EMSK-based key hierarchy may better supporthandover between EAP authenticators than an approachbased solely on MSK, because of the use of light-weightkey generation, which does not require a long-termcredential a credential the peer and the server resort towhen doing a full EAP authentication by public-keycryptography. This method, however, needs to get are-authentication root key (rMSK) from the EAP/AAAserver and cannot reduce the protocol overheadassociated with accessing the server, which is locateddeep within the network.

Long Term Credential

MSK

TSK

EMSK

rRK USRK1 ... USRK.

MSK: Master Session Key I

EMSK: Extended Master Session Key rIK rMSKI ... rMSKnUSRK: User Specific Root KeyTSK: Transient Session Key TSKI *.. TSKnrRK: Re-authentication Root KeyrIK: Re-authentication Integrity Key

Figure.4 EMSK hierarchy for re-authentication

When the authenticator acts as an endpoint ofthe EAPconversation rather than a pass-through, EAP methodsare implemented on the authenticator as well as the peer.If the EAP method negotiated between the EAP peer andthe authenticator supports mutual authentication and keyderivation, MSK and EMSK are derived on the EAP peerand authenticator and exported by the EAP method. Inthis case it is still possible to support roaming betweenproviders using certificate-based authentication.

EAP Peer Authenticator 1 Authenticator 2 AuthenticationServer

MSK, EMSK,rRK

rIK

EAP over XX over YYY

Channel Established

EAP Request Identity

EAP Re-authentication Response AAA (EAP)

([PNonce, Peer ID] rIK)

EAP Re-authentication InformationrMSK _ ([ASNonce] rIK) ([A

Secure Association Protocol (TSK Generation)

l' 'l1

MSK, EMSK,rRK

pv rIK, rMSK

AAA (EAP)

kSNonce] rIK, rMSK)

Chane Established

Figure 5. EAP efficient re-authentication (EAP-ER)

D. Issues in CRswitchover usingEAPAuthentication

EAP authentication using EMSK reduces the cost to\receive a certificate by not having to consult an AAAserver during handover and it can reduce extracomputation because of non certificate-basedauthentication. However, it still needs to consult the AAAserver at the beginning when different authenticationmechanism is used, even though the same EAPframework is used. This means that we can not removethe initial authentication when a radio system is changedto another. There are discussions on pre-authenticating to

73

_00. [L

new radio communication before handover to reduce theoverhead of the authentication.CR networks, however, can not always predict the

next radio system to use, which is different fromhandovers along with the movement of a mobile terminal,because switchover is not only triggered by themovement of terminals, but also by the decision toconsult a spectrum management server which managesthe spectrum efficiency in the area. Future CR networksmay therefore concurrently support parallelcommunications using different radio systems. Theauthentication of CR networks should not depend on thecurrent approach to handle heterogeneous radioenvironments.

IV. RADIO-INDEPENDENT AUTHENTICATION PROTOCOL

When considering the basis for establishing atechnology-independent authentication scheme forcognitive radios, it becomes rapidly apparent that oneshould exploit information that is universal to all of theradio technologies that a CR platform may use. That is, tohave the most extensible approach, we should useinformation that will be available regardless of what radiotechnology a CR platform decides to switch to. In ourviewpoint, one candidate for this source of information isthe location trail, or location history, of a mobile terminalrelative to the CR network. In particular, movementinformation is readily available as it is constantlycollected and shared to both a mobile terminal and the CRnetwork to facilitate other CR network functionalities,such as the operation of spectrum etiquette policies andhandover between BSs and/or APs within the network.

The protocol that we specify, EAP-CRP, uses locationinformation as the basis for extracting secrecy, and canreduce the costs of AAA consultation using a long-termcredential during switchover. Further, our protocolsupport mutual authentication, and protect againstman-in-the-middle attacks. The basis of our scheme is thenotion of a location-carousel, which is a data structurethat represents the trail of a mobile terminal, as well as thenotion of synchronization between location-carousels atthe mobile device and the corresponding network node[7][8]. We review the notion of the carousel and itssynchronization. We describe the formation of a sharedsecret and its application to the EAP framework. We, then,discuss EAP requirements for our carousel rotatingprotocol.

A. Carousel and its Synchronization

A carousel is a data structure that is a circular list ofcells, with each cell capable of containing locationinformation regarding a terminal's location trail. A visualrepresentation of a carousel (shared between two entities)

is presented in Figure 6, where the "top" cell representsthe entry point onto the carousel. When new locationinformation is entered into the carousel, it is placed intothe entry point cell, and then the carousel is rotated by arandom amount of cells. If ever there is old locationinformation stored in the entry point, this is overwrittenby new information.

Both a mobile terminal and the network will share acarousel corresponding to the mobile's location history.We use this carousel to establish a shared authenticationkey between the two entities, and therefore both entitiesuse a function to generate authentication keys from thecarousels. The key-generation function produces thesame key independently of each carousel, as keys arecreated when new location information is placed in thecarousel following terminal movement. Typically, aone-way hash function is used as the key generationfunction.

Entry Point(Top Cell)

Entity A Entity BFigure 6. Carousel rotation

Prior to establishing shared keys, it is necessary for thecarousels to be synchronized. Here, synchronizationrefers to arranging both carousels so that they have theircells are in the same order. Clearly, as the mobile'scarousel rotates, and location information is written to theentry cell, the two carousels become unsynchronized, andtherefore resynchronization is necessary.Resynchronization is a process by which the secondentity rotates its carousel to the same configuration as thefirst entity's. During resynchronization, the first entitygenerates an authentication key from the carousel andsends a challenge to the second. The second entitygenerates a key by rotating the carousel, attempts todecode the challenge, and continues to rotate untildecoding is successful. Upon successful decoding, thesecond entity responds to the first entity. We note thatkeys derived from synchronized carousels will supportmutual authentication.

B. EAP-CRP Protocol

We describe the EAP-based Carousel RotatingProtocol (EAP-CRP) which uses the shared keyingproperties of the carousel for mutual authentication, and

74

allows re-authentication without consulting an AAAserver.

EAP Peer Authenticator 1 Authenticator 2MN AUI AU2

Old Carousel

1) Location Conversion

We first describe the location information that isstored in a carousel. Both a mobile terminal and thenetwork send location information and a random value (anonce) to a hash function. Cells in the carousel storehashed-value L calculated by the function in the protocol,i.e. L=HASH(Loc, R), where Loc is location informationand R is a public random value. This function is useful forprotecting against the issues described below.

1. This protects from carousel disclosure by globaleavesdroppers who can access all transmittedmessages and all location information because thevalue L is calculated using both the location of themobile terminal and R.

2. This effectively distinguishes between two mobileterminals owned by a user because their L's aredifferent, as these devices have different R. This isalso useful for authenticating immobile devices.

3. This protects user privacy because the content of acarousel only has digest values. Therefore, no onecan calculate location information from the value inthe carousel.

2) Initial Carousel Setup

We assume that the initial carousel setup between amobile terminal and the network is done offline via arobust and secure method. For example, subscriberauthentication is typically done using physical methods,such as physical mail, or a picture-ID. The initial secureinformation between the terminal and network is sharedin conventional ways, such as using a closed network at aretail shop or using SSL. Another approach would be touse the signal-strength profile ofthe radio communicationchannels [9] for generating the initial secure information.

3) EAP-CRP Protocol

The EAP-CRP protocol assumes two authenticators(AUI and AU2) and a location registry (LR) in CRnetworks and a secure communication path is establishedbetween the nodes. LR then manages the carousel of amobile terminal either by holding its data or by thelocation pointer to an authenticator having the data.

New Carousel

. (1) IdentityREQ(2) AuthREQ

(5) RotateREQ(6) RotateREP

(7) AuthREP

Synchronize

Location RegistryLR

Old Carousel(3)InqREQ

Search and Find Carousel Location

(4)InREP

Old carousel

New Carousel (8) Notify

Channel Established

Figure 7. EAP-CRP authentication protocol

The protocol between a mobile terminal MN and thenetwork N is as follows:

EAP-CRP Authentication1) N-+ MN: IdentityREQ()2) MN- N: AuthREQ(IDmN)3) N - LR: InqREQ(IDmN)4) LR - N: InqREP(IDmN, CRmN)5) N -MN: RotateREQ({Rill MACi}KN)6) MN - N: RotateREP(t{Ri R21 MAC2}KM,)7) N - MN: AuthREP({R2jjMAC2}K, )8) N - LR: Notify(IDmN, location)

EAP-CRP Re-authentication9) N - NM: IdentityREQ()10) MN - N: ReAuthREQ({R311IDAul}rIK)11) N - N: EAP-ReAuthREQ({R3}rIK)12) N - N: EAP-ReAuthREP({R3j R4}rIK,rMSK)13) N -MN: ReAuthREP(JR3jJR4jrIK)14) N - LR: Notify(IDmN, location)

During switchover, MN re-authenticates with a newauthenticator AU2. The carousel in the currentauthenticator AUI should be securely transferred to AU2as shown in Fig. 8. Once the communication channelbetween MN and AU2 is established, the carousellocation in AU2 is registered to LR. When MN hands orswitches over to a different radio system, the network sidelooks for the carousel by sending LR an inquiry andobtains this either from the previous authenticator or LR.The terminal then re-authenticates with the newauthenticator AU2.CR networks need quick re-authentication when

switchover happens. We accomplish this in our schemeby employing EAP authentication using EMSKextensively without needing to consult an AAA server.

75

EAP Peer Authenticator 1 Authenticator 2 Location RegiMN AUI AU2 LR

X Carousel

Channel Established

(9) Identity REQ

(10) ReAu thREQFgr 1) EAP-ReAuthREQ

( 12) EAP-ReAuthREP(13) ReAuthREP Caoue

Synchronize (14) Notify

Chantel Estahilished

Figure 8. EAP-CRP re-authentication protocol

4) EAP-CRP Authentication

The details on EAP-CRP are as follows:

I N -> MN: IdentityREQ(;IdentityREQ() is sent from an Authenticator (AUI)to a mobile terminal (MN).

2. M N -> N: AuthREQ(IDmN);MN responds to the identity request with its identityinformation (ID). It, then, triggers mutualauthentication between MN and network usingcarousels.

3. N -> L: InqREQ(IDmN);AUI asks for the carousel of MN with ID to thelocation registry (LR). LR gets it from otherauthenticators, if it does not have the carousel.

4. L -* N: InqREP(IDmN,CRmN);LR responds to AUI with the carousel.

5. N -* MN: RotateREQ({R1 II MACi}K);AUI generates an authentication key KN from thecarousel and sends a challenge to MN. Ri is arandom value and MACi is a message authenticationcode derived from it.- Undergoes a random carousel rotation.- Derives an authentication key KN from the

carousel.- Encrypts R1 II MACi by KN-

6. MN -* N: RotateREP({Ri 11 R2 ||MAC2} KM');MN decodes the cipher message by an authenticationkey generated by the carousel. If the decode fails,MN rotates the carousel once and decodes themessage until it succeed. MN, then, replies back toAUI with the corresponding cipher messageencoded by the authentication key which issuccessfully decoded. MAC2 is a messageauthentication code derived from R2.- Undergoes one-step carousel rotation.- Derives an authentication key from the carousel.- Decrypts the received cipher message by the

key.

sty - When the authentication by MAC2 succeeds,MN obtains Ri from the message and storesL=HASH(location, Ri) into the carousel entry.

- Derives an authentication key KM, from thecarousel

- Encrypt Ri II R2 || MAC2 by KM,.7. N -> MN: AuthREP({R2 11 MAC2} KN'};

AUI decodes the received cipher message byinserting MN's new location information in thecarousel. It then replies back to MN forauthentication success. Mutual authenticationsucceeds by this message exchange.- Stores L=HASH(location, Ri) in the carousel

entry.- Derives an authentication key KN' from the

carousel and decrypts the received ciphermessage with key KN'.

- Encrypt R2 MAC2 by KN'8. N -> L: Notify(IDmN, location);

AUI notifies the carousel location ofMN to LR.

MN and AUI succeed in mutual authentication and eachside generates its master keys, such as MSK and EMSK,from the carousel and uses the keys for communicationacross the secure channel.

5) EAP-CRP Re-authentication

The details for EAP-CRP re-authentication, whichfollows the EAP-ER protocol explained in the formersection, are as follows:

9. N -> MN: IdentityREQ(;IdentityREQ( is sent from an Authenticator (AU2)to MN.

10. MN -> N: ReAuthREQ({R311 IDAuI}rIK);MN triggers re-authentication to AU2 using amessage containing the name ofthe re-authenticationintegrity key rIK which is created when the firstmutual authentication was established between MNand AUI. The rIK key is used for integrityprotection.

11. N -> N: EAP-ReAuthREQ({R3}rIK);AU2 follows the authentication protocol with AUI.AU2 sends a challenge to AUI.

12. N -> N: EAP-ReAuthREP({R31 R4}rIK,rMSK);AUI receives a re-authentication challenge andresponds with rMSK.

13. N -> MN: ReAuthREP({R3I R4}rIK);AU2 returns rIK to MN and a secure connection isestablished between MN and AU2 using rMSK.

14. N -> L: Notify(IDmN, location);AUI notifies the carousel location ofMN to LR.

76

V. EAP-CRP SECURITY REQUIREMENTS EVALUATION

EAP-CRP is a light-weight mutual authenticationprotocol that we have proposed for CR networks. Thissection discusses EAP-CRP from the viewpoint ofstandard EAP requirements.

A. EAP Method Requirements

EAP authentication methods must satisfy a set ofminimal requirements that are suitable for wireless LANauthentication [10]. We discuss these requirements (listedbelow) for EAP-CRP.

1.2.3.4.5.6.7.

Generation of symmetric keying materialKey strengthMutual authentication supportShared state equivalenceResistance to dictionary attacksProtection against man-in-the-middle attacksProtected ciphersuite negotiation

CRP is a protocol for sharing carousels as a securesecret between a mobile device and the network. Keyingmaterials, such as MSK and EMSK, are derived from thecarousel by using well-established key-generationalgorithms.

The EAP key is expected to have 128-bits of effectivestrength and its derivation needs to export an MSK andEMSK of at least 64 octets. Our implementation of thecarousel model typically employs 160-bit cells with 35cells for carousel uncertainty, as described in our priorwork [8]. The location information (e.g. the MAC addressof the associated BS may be used as a location descriptor)and a random number are used to generate informationstored on the carousel by applying the Secure HashAlgorithm 1 (SHAI). The total carousel size exceeds 560bytes and the keys are generated by appropriatelyapplying SHAI (or another hash function). This satisfiesthe requirement for key strength.

Mutual authentication is fundamental to the model,because both a terminal and its network have the samecarousel and there is no need for them to authenticateeach other. As long as both sides have the same carousel,once a mobile terminal authenticates with the network,both sides authenticate each other at no extra cost.Man-in-the-middle-attacks are prevented due to the factthat the protocol supports mutual authentication.The resistance of our scheme to dictionary attacks is

discussed in the following section and follows from aproperty we call Carousel Uncertainty.

B. Carousel Uncertainty in Dictionary Attacks

We have already discussed the confidentiality of themethod of carousel-based key management [8]. This

section discusses carousel uncertainty for resistanceagainst dictionary attacks. The security of CRP is basedon the difficulty an adversary is faced with whenattempting to reproduce an equivalent carousel.We first assumed that every cell in the carousel would

be filled with random bits that were unknown to theadversary. The mobile user's location information isinserted in the carousel at regular intervals. We assumethat the adversary can monitor a user's motion and, thus,that the adversary can monitor information which isinserted into the carousel (e.g. L=HASH(Loc,R)).However, the security of our approach lies in the fact thatan adversary does not know where information is insertedin the carousel.

Let us now discuss the probability of an adversaryconstructing the same carousel as that shared by the userand network after a few rounds of monitoring the user'smovements. Recall that we assumed an initial carouselwas established by a secure bootstrap process. Due to theuncertainty of the initial random bits, the adversarycannot construct the same carousel unless every cell ofthe carousel is overwritten by location informationTherefore we have to consider a case where the adversaryis trying to build the carousel after m ( >= n ) rounds ofmovement (where n is the length of the carousel).We define Carousel Uncertainty as the number of

assignments of location information entered into thecarousel such that all n cells in the carousel would beoverwritten by location information after m rounds ofmovement. Carousel uncertainty, which is denoted as

CUn7, is the complement of the set, PS, which describesthe cases where at least one cell of the carousel wouldkeep its initial random bits. Lastly, we define US to be theset of every potential case of assigned information. TheUS contains nm means of assignment. We may considerPS to also be the union of the sets, PSi, where PSi is the setof assignments such that only i cells maintain the initialbits. Obviously, i is less than n.

Therefore, we can define the followings:n-lCUn = nm n CUnm

The in the expression means the combination of i

cells that retain the initial random bits. Clearly,CU2 = 2 -2.

The probability, PRM , that all n cells in the carousel willbe overwritten by location information within m roundsof movement is defined as:

PRm _ n

n

77

C. Evaluation ofCarousel Uncertainty

We evaluate the number of cells required to maintain aprescribed level of confidentiality in the carousel.

"I)o)

ctE:zV

IE+57IE+54

lE+51IE+48

IE+45

I E+42-

lE+39IE+36IE+33

lE+30

I E+27-I E+24-

lE+21-lE+18

lE+15

lE+12

X n=20n=30

-*n=34n=35

n=40

-2 128

25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 mRound

Figure 9. Carousel Uncertainty

Our target confidentiality level is 2128 because " 128" iscurrently recognized as the length of a sufficiently strongkey for the current generation of symmetric ciphers.Using our derivations outlined earlier, we have assessedthat a carousel that contains at least 35 cells is sufficientto provide our target level of security, as shown in Fig 9.

0.8

06

0.4

02

40 50 60 70 80 90 100 110 120 130 140 150 160 170 180 190Round

Figure 10. Probability where carousel is filled withlocation information

Fig. 10 plots the probability that all cells of a carouselare filled with location information after m rounds of usermovements. This means that an adversary needs to movealong with a mobile user more than 190 (>>n) rounds tohave the same location information in the carousel in thecase n = 35. We can conclude that it is difficult for anadversary to duplicate a carousel both when m is small (m<35) and also when m is larger than n (m>n=35). Theresults in Figs.9 and 10 indicate the strength of thecarousel.

Lastly, we note that our analysis is based on anadversary model where the adversary knows the mobileterminal's precise location history. In practice, however,this assumption is not practical, and we note that thestrength of our scheme would in fact be enhanced whenwe combine the natural carousel uncertainty with anyuncertainty that an adversary might have regarding amobile's location history (i.e. less powerful adversarialmodels would improve the strength of our scheme).

VI. RELATED WORK

Our work is most closely related to authenticationmechanisms for wireless systems. The 3G cellularsecurity model is based on a pre-shared secret key andallows handover between base stations with no additionalauthentication required in the network. A USIM card isconfigured for a specific subscriber identity and it isinserted into a mobile terminal. The terminal moves froma base station to another station, and a secret keygenerated from the identity is shared between the mobiledevice and the Home Location Register (HLR) [11].IEEE802. 11 also defines a shared key basedauthentication WEP, but it is known to have securityflaws [12].

The IEEE802. li model [13], on the other hand, doesnot assume any pre-shared key. The model manages allauthentication keys on a central authentication server. Amobile terminal establishes a secure network associationwith an AP using IEEE802.1X [14] and EAP forauthentication and key distribution. IEEE802. IX canaccommodate various types of authentications with EAPin a central AAA server. EAP-TLS is a TLS-basedextension ofEAP that requires a PKI-based certificate forboth a mobile terminal and the network [15]. Althoughthe model provides authentication that is independent ofterminals, it has drawbacks associated with the levelnetwork traffic involved in consulting the server, requiresheavy computation in battery-based terminals, and alsointroduces significant latency in the communicationsetup.

Recently, there has been discussion regardingsecurity-context transfer between APs [16] inhomogeneous radio environments and light-weightre-authentication in heterogeneous radio handovers.However the former is difficult to extend toheterogeneous environments, such as will exist in thetypical CR network, because a secure conduit is requiredto establish to transfer such contexts. The latternecessitates consultation with an AAA server forhandover and rapid changes in radio systems cannot beadequately addressed.

For CR systems, a framework for enforcing the properoperation of spectrum etiquettes was recently proposed

78

[18]. This framework involved on-board trustedcomputing modules that monitor the commands issuedfrom the spectrum etiquette process to ensure regulatorycompliance. Additional, external methods were presentedfor penalizing CR devices that did not follow properregulations. This work requires the existence ofauthentication methods, which is the focus of our paper.

In the industry, Unlicensed Mobile Alliance (UMA)[19] defines a network controller and provides a secureGSM/GPRS transport signaling and user plane trafficover IP using EAP-SIM or EAP-AKA. This technologyfocuses on the integration of WiFi and other radiotechnologies into the current cellular systems.

VII. CONCLUSION AND FUTURE WORK

We proposed a radio-independent authenticationprotocol (EAP-CRP) for CRs that is independent of theunderlying radio protocols and is able to support EAPtransport. The key management protocol assumesuser-specific information as an initial bootstrap, andsubsequent keys for authentication and encryption arederived from the historical location registry of a mobileterminal that is stored in a new data structure called acarousel. We then evaluated the confidentiality of our keymanagement method and its integration with EAP. Oursecurity analysis shows that EAP-CRP satisfies thegeneral requirements for EAP methods.

In future, we will investigate user-specific and genericinformation scheme which can accommodate otherinformation, such as location prediction information.

REFERENCES

[1] H. Harada, "Software defined radio prototype towardcognitive radio communication systems", IEEEDySPAN, pp. 539-547, Nov. 2005.

[2] C. Laat, G. Gross, L. Gommans, J. Vollbrecht and D.Spence, "Generic AAA Architecture", IETF,RFC2904, Aug. 2000.

[3] C. Cordeiro, K. Challapali, D. Birru, and Sai ShankarN, "IEEE 802.22: The First Worldwide WirelessStandard Based on Cognitive Radios", IEEEDySPAN, pp.328--337, Nov. 2005.

[4] H. Haverinen and J. Salowey, "ExtensibleAuthentication Protocol Method for Global Systemfor Mobile Communications (GSM) SubscriberIdentity Modules (EAP-SIM), IETF, RFC4186, Jan.2006.

[5] D. Johnston and J.Walker, "Overview of IEEE802.16Security", IEEE Security & Privacy, pp 40-48,May/Jun. 2004.

[6] http://www.cs.columbia.edu/-smb/hoakey/[7] M. Kuroda and R. Nomura, "Radio-independent

Mobile Authentication Protocol for Ubiquitous

Network", Vol.3, pp.1703-1707, WPMC'05, Sep.2005.

[8] R. Nomura, M. Kuroda, and D. Inoue,"Location-based Key Management for UbiquitousWireless Network", Vol.1, pp.51-55, WPMC'05, Sep.2005.

[9] T. Aono, S. Tawara, T. Ohira, B. Komiyama, A.Kitaura, H. Mori, and H. Sasaoka, "Secret CommonKey Generation Method Exploiting the Fluctuation ofCommunication Channels Using an Espar Antenna",Proc. of the 2004 IEICE General Conference.

[10] D. Stanley, J. Walker, and B. Aboba, "EAP MethodRequirements for Wireless LANs",draft-walker-ieee8o2-req-04.txt, Aug. 2004.

[11] "3G Security; Security Architecture (Release 5)",3GPP TS 33.102 V5.5, Sep. 2004.

[12] W. Arbaugh, N. Shankar, Y.C.J. Wan and K. Zhang,"Your 802.11 Wireless Network has No Clothes,"IEEE Wireless Communications, vol. 9, issue 6, pp.44-51. 2002.

[13] LAN MAN Standards Committee of the IEEEComputer Society, "Wireless LAN Medium AccessControl (MAC) and Physical Layer (PHY)Specifications, Amendment6: Medium AccessControl (MAC) Security Enhancements", IEEE Std802.1 i, Jul. 2004.

[14] LAN MAN Standards Committee of the IEEEComputer Society, "IEEE Standard for Local andMetropolitan Area Networks - Port-Based NetworkAccess Control," IEEE Standard 802.1X, 2001.

[15]B. Aboba, and D. Simon, "PPP EAP TLSAuthentication Protocol", IETF, RFC2716, Oct.1999.

[16] S. Bangolae, C. Bell and E. Qi, "Performance studyof fast BSS transition using IEEE 802.11r", ACMIWCMC'06, pp 737-742, Jul. 2006.

[17] I. F. Akyildiz, J. S.M. Ho and Y. Lin,"Movement-Based Location Update and SelectivePaging for PCS Networks", IEEE PersonalCommunication Magazine, vol.8, no.5, pp.18-23, Oct.2001.

[18]W. Xu, P. Kamat and W. Trappe, "TRIESTE: ATrusted Radio Infrastructure for Enforcing SpecTrumEtiquettes", IEEE Workshop on NetworkingTechnologies for Software Defined Radio (SDR)Networks, 2006.

[19] w.mtcnl[20] L.Song, D. Kotz, R. Jain and X. He, "Evaluating

location predictors with extensive Wi-Fi mobilitydata", IEEE INFOCOM, vol.2, ppl4l4-1424, Mar.2004.

79