A Secure Handover Protocol Design in Wireless

Networks with Formal Verification

Sun-Hee Lim1, Ki-Seok Bang2, Okyeon Yi3, and Jongin Lim1

1
Center for Information Security Technologies(CIST), Korea University, Seoul, Korea
{capsunny, jilim}@korea.ac.kr
2
College of Information and Electronic, Hallym University, ChunCheon, Korea
mysaver@hallym.ac.kr
3
Department of Mathematics, Kookmin University, Seoul, Korea
oyyi@kookmin.ac.kr

Abstract. This paper analyses security mechanisms in wireless networks, and

designs for secure and efficient protocol for a handover reusing the key
materials generated before the handover phase. In order to be sure that our
handover protocol does not have any security flaws, we formally validated it
using automatic protocol analyzer AVIPSA.

Keywords: wireless, handover, security, authentication, AVISPA.

1 Introduction
Future mobile communication systems will encompass heterogeneous and
homogeneous access such as WLAN, WiBro and UMTS. Many users will appreciate
the availability of desired service anywhere, anytime, and with reasonable cost.
Security is one of the major technical challenges of handover in the wireless
network. To enable the convergence of different wireless technologies, link layer
security for wireless network access is also dispensable. However, each wireless
network may deploy its own security mechanisms that are incompatible with others.
Apart from that, seamless mobility sets time constraint on handovers.
We study the link layer security mechanisms in wireless networks and derive the
similar security mechanisms such as the authentication and a common key derivation.
And we propose a secure handover protocol for seamless reusing the common
security contexts. Finally the proposed handover protocol is verified with an
automated security analyzer AVISPA.
This paper is composed as follows: In Section 2, an analysis on security
mechanisms in the wireless networks such as WLAN, WiBro and UMTS is given.
Section 3 defines the architecture and security establishments for secure handover and
designs the secure handover protocol and verifies the protocol using formal
validation. The paper is concluded in Section 4.

2 Security Mechanisms in Wireless Networks

This section describes key features and authentication procedures used in the WLAN
(IEEE 802.11i), the WiBro (IEEE 802.16e) and the UMTS (based on 3GPP).

F. Boavida et al. (Eds.): WWIC 2007, LNCS 4517, pp. 67–78, 2007.
© Springer-Verlag Berlin Heidelberg 2007
68 S.-H. Lim et al.

2.1 WLAN

The initial WLAN security mechanism in the IEEE 802.11 standard has design flaws.
Newly, IEEE 802.11i[1] is standardized to improve enhanced security of the WLAN.
The Robust Security Network Association (RSNA) defines a number of security
features which are enhanced authentication mechanisms including use of IEEE 802.1x
[3], data encapsulation mechanisms like CCMP and TKIP, and Cryptographic key
establishment, in addition to wired equivalent privacy (WEP) and IEEE 802.11
authentication.
1)Authentication. The authentication procedure comprises two phases, establishing
the IEEE 802.11 association and IEEE 802.1x EAP authentication as shown in the left
side of Fig 1. During the first IEEE 802.11 Association phase, a STA is associated
with an AP and discovers the AP’s security policy. The Authentication phase uses an
EAP method that supports mutual authentication of the AS and the STA. The EAP[4]
is an authentication framework which supports multiple authentication methods such
as AKA, TLS, TTLS, etc. EAP authentication frames pass between the STA
(Supplicant) and the AS via the AP (Authenticator) and STA’s Uncontrolled Ports.
The IEEE 802.1x Controlled Port is blocked from passing general data traffic until an
authentication procedure completes successfully over the IEEE 802.1x Uncontrolled
Port. Upon successful completion of the 4-Way Handshake, the STA and AP
authenticate each other and the STA and AP’s IEEE 802.1x Controlled Ports are
unblocked to permit general data traffic.

Fig. 1. IEEE 802.11i Authentication and Key Derivation

2)Key Derivation. IEEE 802.11i supports the hierarchical key architecture as the
right side of Fig 1. The STA and AS generate a Master Key (MK) and derive a
Pairwise Master Key (PMK) from the MK. The AS sends the PMK to the STA’s AP
over the trust channel so that the STA and AP share PMK after they complete
authentication procedures. Upon successful completion of the 4-way handshake
between the STA and the AP, a Pairwise Transient Key (PTK) is derived from the
 A Secure Handover Protocol Design in Wireless Networks with Formal Verification 69

PMK. The PTK is partitioned into a KCK, KEK, and TK. The Temporal Key (TK) is
used to protect unicast communication between the STA and AP. The KEK and KCK
are used by the EAPoL-Key frames to provide confidentiality and authenticity.

2.2 WiBro

The Wireless Broadband (WiBro) security architecture is based on IEEE 802.16e

Privacy layer[2]. The WiBro security has two basic protocols such as an encryption
protocol and a privacy key management protocol (PKM). The PKM authentication
protocol comprises the following two phases.
• MS Authorization and Authorization Key (AK) exchange
• Traffic Encryption Key (TEK) exchange

1) Authentication
a) PKMv1: RSA protocol is mandatory in PKMv1. However, PKMv1 has several
security weak points. That need for mutual authentication protocol, key management,
explicit definition and strong data confidentiality shall be considered.

MS BS
PKM-REQ[Auth. Information :
MS manufacturer s X.509 certificate]
MS/BS
Authorization PKM-REQ[PKMv2 RSA-Request <1>]
and
AK exchange Pre-PAK generation
PKM-RSP[PKMv2 RSA-Reply <2>]

PKM-REQ[PKMv2 RSA-Acknowledge]

PAK from Pre-PAK PAK from Pre-PAK

AK from PAK AK from PAK
AK => AK =>
KEK|HMAC_KEY_D| KEK|HMAC_KEY_D|
HMAC_KEY_U HMAC_KEY_U

PKM-RSP[PKMv2 SA TEK Challenge]

SA-TEK 3way PKM-REQ[PKMv2 SA TEK Request]
handshake
PKM-RSP[PKMv2 SA TEK Response]
PKM-REQ[PKMv2 Key Request]

TEK Generation TEK

exchange
PKM-RSP[PKMv2 Key Reply : EKEK[TEK]]

Decrypt TEK
ETEK[Data]

Fig. 2. RSA-based and EAP-based Authorization in PKMv2

b) PKMv2 : It supports authentication protocol mechanisms based on RSA protocol

and EAP protocol, optionally. It provides mutual authentication between the user and
the network. The RSA based authorization in PKMv2 is similar to the authorization in
PKMv1. However, PKMv2 RSA based authorization supports mutual authorization
by verifying the MS and BS’s certification and shares Pre-PAK to derive the PAK
and AK between the BS and MS. An EAP based authorization in PKMv2 uses EAP
protocol in conjunction with an operator-selected EAP method. The RSA based (the
70 S.-H. Lim et al.

left side) and EAP based (the right side) authorization detail procedures in PKMv2 are
shown in Fig. 2.

2)Key Derivation. The IEEE 802.16e defines the PKMv2 key hierarchy. Since
PKMv2 defines RSA-based and EAP-based authentication schemes, there are two
primary sources of keying material. The RSA-based authorization yields the pre-
Primary AK (pre-PAK) and the EAP-based authorization yields the MK. The AK will
be derived by the BS and the MS from the PMK (from EAP-based) and/or the PAK
(from RSA-based). The AK can be derived in one of three ways depending on the
authentication scheme used RSA-based or EAP-based or both. The BS and the MS
shall derive both a shared KEK to encrypt transport keys and HMAC/CMAC keys to
validate the authenticity management messages before the TEK 3-Way handshake.
Fig. 3 depicts the key derivation in PKMv2.

Fig. 3. Key derivation in PKMv2

2.3 UMTS

The Universal Mobile Telecommunication System (UMTS), which is known as the

third generation (3G) cellular mobile communication system, adopts the security
feature of GSM in order to interwork with GSM smoothly and adds new security
features to design an authentication and key agreement protocol (AKA).
UMTS provides security features, such as mutual authentication, agreement on an
integrity key between MS and SN, and freshness assurance of the agreed cipher key
and integrity key.
Furthermore, standardization activities emphasize the important role of the 3G-
WLAN handover[5][11]. Various interconnection mechanisms of 3G and WLAN are
discussed in the literature. Extensible Authentication Protocol-Authentication and
Key Agreement (EAP-AKA) is foreseen by 3GPP to be used in context of WLAN
and UMTS interworking scenarios. EAP-AKA uses two roundtrips to authenticate
and authorize the peer and EAP server and generate session keys using authentication
vectors. The EAP server and the peer use CK and IK in key derivation. On EAP-AKA
authentication, a Master Key (MK) is derived from the AKA values (CK and IK
keys), and the identity. A Master Session Key (MSK) for link layer security is derived
from the MK. The MSK can be used as the Pairwise Master Key (PMK) for
depending on the security mechanism of the wireless networks.
 A Secure Handover Protocol Design in Wireless Networks with Formal Verification 71

3 Secure Handover Protocol Design with Formal Verification

The WLAN, WiBro and UMTS have their own mechanisms for authentication and
link layer security. However, when the handover happens, a full mutual authentication
involving MN’s HN can hardly fulfill the requirements of a short delay.
In this section, we propose a secure handover protocol for a seamless handover.
The security mechanisms in wireless networks have many similarities. The secure
handover protocol is dependent on link layer security mechanism such as
authentication and key agreement mechanisms of each wireless network. We
design a secure and efficient authentication method for a seamless handover in
wireless networks. In addition to, we specify and verify a secure handover
protocol using Automated Validation of Internet Security Protocols and
Applications (AVISPA).

3.1 Handover in the Wireless Network

We briefly describe the domain model shown as the Fig. 4[9].

• Mobile Node (MN) is a user domain including the mobile terminal.

• Serving Network (SN) means the network domain that serves the MN before
handover.
• Target Network (TN) means the network domain that serves the MN after
handover.
• Home Network (HN) is the network domain in charge of user subscriptions and
other supporting services, like billing, authorization, and authentication.

3.2 Handover Security Trust Relations

The trust relations should be established beforehand for fast and secure authentication
handover in wireless networks as listed in Fig.4 and Table 3[8].

Fig. 4. The Trust Relation beforehand and Domains Definition involved in a Handover

3.3 Secure Handover Protocol Design

We design a secure and efficient authentication method for a seamless handover
without additional security materials from AS using similar security mechanisms in
72 S.-H. Lim et al.

Table 1. The Trust Relation for HO

Trust Establishments
Relation Property Term
Trust between MN and HN must confirm a security key by
mutual authentication via SN assuming that t2 is a trust
A long-term
t1 relation.
relation
Mutual authentication is established by authentication
mechanisms as EAP-AKA, EAP-TLS, EAP-SIM, etc.
A long-term
t2 Trust between SN and HN must be assumed.
relation
It is established by mutual authentication in each wireless
network. A short-
t3 t3 relation derives PTK from PMK generated in t1 relation term
establishment or shares the protected TEK. relation
t3 generates KEK, KCK and TK.
Depending
t4 The trust is built beforehand in order to support handover.
on policies

wireless networks. During the HO process, SN plays a trusted party to MN and TN,
so that HN/AuC is not involved during the HO phase. That provides a faster HO for
the network entities such as MN and TN. Each wireless network entity can use its
own security policy and parameters, so no additional security changes for this
proposed protocol are needed. We classify the handover procedures into 3 phases,
before the HO phase, during the HO phase, and after the HO phase.
Fig. 5 shows the detail procedures of secure handover.
1)Before the HO phase. An initial authentication procedure must be performed
completely. This recommends mutual authentication between a MN and a HN via a
SN. After the MN and HN via a SN are authenticated successfully, the MN and the
HN generate PMK from MK. The HN sends a PMK to the MN’s SN. In the sequel,
the t1 and t3 relations derive the KEK and the KCK from PMK.
2)During the HO phase. For a seamless handover, the SN should play an important
role as a Trusted Third Party (TTP) as it distributes key materials to the MN and the
TN. The security contexts built between the MN and SN are used to generate
cryptographic keying material for the handover. A trust between the SN and the TN
must be established beforehand.
Secure Handover Protocol
0. Prerequisite
− t3 trust relation has a key TK for protecting the data traffic in the wireless network.
− t4 trust relation has a key ST for protecting the data between the SN and the TN.
1. HO decision.
2. The SN as a TTP role distributes security information for handover to MN and TN.
The SN generate hokek=hkey(TK,KEK) and hokck=hkey(TK,KCK).
Msg 1.SNÆTN : {TIDMN.IDMN.hokek.hokck}_ST
Msg 2.SNÆMN : {IDTN.TIDMN}_TK
 A Secure Handover Protocol Design in Wireless Networks with Formal Verification 73

Fig. 5. Secure Handover Protocol in the wireless networks

3. The MN and the TN confirm the key agreement for a HOKEK and a HOKCK
protecting and authenticating the data during the handover. The MN receiving Msg2
from the SN is ready for connection with the TN. The MN keeping the KEK and the
KCK generate hokek=hkey(TK,KEK) and hokck=hkey(TK,KCK).
Msg 3.MNÆTN : {{IDSN.TIDMN.r1}_hokek}.{MAC(hokck,IDSN.TIDMN.r1)}
Msg 4.TNÆMN: {{IDSN.TIDMN.r1.r2}_hokek}.{MAC(hokck,IDSN.TIDMN.r1.r2)}
We propose reusing KEK and KCK in the PTK derived from the PMK as the HO
key material. The key materials hokek and hokck for secure handover are generated
from the KEK and KCK by computing hash algorithm. The hokek and hokck have
enough strong points.

• Sharing only between the MN and the SN

• Never used except in the authentication procedure
• Sufficient size for applying the HO phase (128~160 bits)
• Not compromised from other wireless networks
74 S.-H. Lim et al.

Table 2. Significant HLPSL Syntax used in this paper

MN,SN,TN:agent %principals

TK:symmetric_key %protect data between MN and SN

ST:symmetric_key %protect data between SN and TN

KEK:symmetric_key %protect transport key between MN and SN

KCK:symmetric_key %authenticity key between MN and SN

HOKEK,HOKCK:symmetric_key %new key for handover

MAC:hash_func %keyed Message Authentication Code

%keyed hash function to derive HOKEK, HOKCK from KEK, KCK

HKEY:hash_func

IDMN,IDSN,IDTN:text %Identity of each agent

TID_MN:text %Temporal MN’s Identity

r1,r2:protocol_id %Random Number

SA,SB,SC,RA,RB,RC:channel(dy) %Session

• Ensure backward secrecy preventing a TN from decoding messages exchanged

before the handover
• Hash computation for generating the hokek and the hokck has no effect on delay
for seamless handover
• No more generate and distribute the security materials for handover with the help
of the HN
• Keep the its own security mechanisms in each wireless network without additional
procedure for handover

3)After the HO phase. After the handover is completed, if necessary, a full

authentication with the help of the HN via TN could be performed.

3.4 Formal Specification and Validation of the Secure Handover Protocol

1)AVISPA
Due to the nature and sensitive of security protocols, there has been a renewed
emphasis on integrating formal validation in design and development phase. It is
necessary to validate our proposed solution by automatic tools which use a formal
specification language to input a protocol and backend mathematical tools to produce
possible flaws in a protocol.
 A Secure Handover Protocol Design in Wireless Networks with Formal Verification 75

Automated Validation of Internet Security Protocols and Applications (AVISPA)

[7] is a tool which provides a modular and expressive formal language called the High
Level Protocol Specification Language (HLPSL) for specifying intended protocols
and formally validating them.
We have used AVISPA in order to validate the designed secure handover protocol
by the HLPSL specification.

Fig. 6. The SPAN animator screenshot executing the proposed secure handover specification

Table 3. Goals of validation by AVISPA

goal

% secrecy_of HOKEK, HOKCK

secrecy_of
sec_hokck0,sec_kck0,sec_hokek1,sec_hokck1,sec_hokek2,sec_hokck2

secrecy_of kek0,kck0,kek1,kck1

% MN authenticates TN on r1

authentication_on r1

% TN authenticates MN on r2

authentication_on r2

end goal
76 S.-H. Lim et al.

2)Specifying the secure handover protocol

We specify the proposed secure handover protocol by the HLPSL language and check
the specification by the SPAN.
The role of a SPAN (Security Protocol Animator for AVISPA)[13] is to
symbolically execute a HLPSL protocol specification so as to have a better
understanding of the specification, check that it is executable and that it corresponds
to what is expected.
Fig.6 is the screenshot executing the proposed secure handover protocol
specification by the HLPSL.

Table 4. Result by AVISPA validation for secure handover protocol

SUMMARY

SAFE

DETAILS

BOUNDED_NUMBER_OF_SESSIONS

TYPED_MODEL

PROTOCOL

/home/avispa-1.1/testsuite/results/ho.if

GOAL

AS Specified

BACKEND

CL-AtSe

STATISTICS

Analysed : 1079 states

Reachable : 215 states

Transition : 0.10 seconds

Computation: 1.53 seconds

3)Verifying the secure handover protocol

We have modeled and validated the proposed secure handover protocol using
Intrusion model. Validation of the secure handover protocol has goals which specify
secrecy and authentication.
 A Secure Handover Protocol Design in Wireless Networks with Formal Verification 77

Suppose the intruder is playing the role MN or TN, then intruder’s knowledge is
defined the parameters of the corresponding instance of the role MN or TN. If the TK
which is a key between the MN and the SN, and the ST which is a key between the
SN and the TN, do not reveal to attacker, secure handover protocol results in secure
validation by AVISPA. In the sequel, the proposed secure handover protocol has no
security flaw.

4 Conclusion and Future Work

In this paper, we showed the security mechanisms in the wireless networks such as
the WLAN, the WiBro, and the UMTS for interworking WLAN. Many discussions
about a fast authentication for a seamless handover in the wireless are going actively.
A fast authentication for the handover without the help of HN during the handover
phase in the pervious studies[8][10] is proposed.
We analyzed the security mechanisms in the wireless network and derived the
secure and efficient handover protocol by securely reusing the key generated before
the handover phase. We specify and verify the proposed secure handover protocol
using AVISPA. No new attack or vulnerability has been surfaced by automatic
analysis. We have no significant consideration for Permanent Identity protection and
use of the temporary identity.
Future works will be focused on the implementation of the protocol and performance
tests. Moreover, we intend to design the protocol including the ID protection, timestamp
and so on, in detail. And we will specify and verify the designed protocol approach to
formal method.
Acknowledgments. This research was supported by the MIC(Ministry of Information
and Communications), Korea, under the ITRC(Information Technology Research
Center) support program supervised by the IITA(Institute of Information Technology
Advancement).
This work was supported by the 2006 Research Fund of Kookmin University and
the Kookmin Research Center UICRC in Korea.

References
1. IEEE, “Part11: Wireless LAN Medium Access Control(MAC) and Physical Layer(PHY)
specifications”, IEEE Std 802.11i, 2004.
2. IEEE, “Part16: Air Interface for Fixed and Mobile Broadband Wireless Access Systems”,
IEEE Std.802.16e, 2006.
3. IEEE, “Port-Based Network Access Control”, IEEE Std 802.1x, 2004.
4. RFC 3748, “Extensible authentication protocol(EAP)”, June 2004.
5. 3GPP, “3rd Generation Partnership Project; Technical Specification Group Services and
System Aspects; 3G Security, Wireless Local Area Network(WLAN) interworking
security”, 3GPP TS 33.234, June 2005.
6. A. R. Prasad, H. Wang, “A protocol for secure seamless handover”, in Proc. of
International Conference on Telecommunications(ICT’04), Fortaleza, Brazil, August 1-7
2004.
7. Avispa – a tool for Automated Validation of Internet Security Protocols.
http://www.avispa-project.org.
78 S.-H. Lim et al.

8. Hu Wang and Anand R. Prasad, “Fast authentication for inter-domain handover”, in Proc.
Of International Conference on Telecommunications(ICT’04), Fortaleza, Brazil, August 1-
7, 2004.
9. H. Wang, A. R. Prasad, P. Schoo, “Research issues for fast authentication in inter-domain
handover”, in Proc. of Wireless World Research Forum(WWRF), Beijing, China, February
2004.
10. H. Wang, A. R. Prasad, “Security context transfer in vertical handover”, in Proc. of
PIMRC 2003, Beijing, China September , 7-10 2003.
11. K. M. Bayarou, C.Eckert, S. Rohr, A.R. Prasad,P. Schoo, H. Wang, “3G and WLAN
interworking:Towards a secure solution for tight coupling”, in Proc. of WPMC 2004, Italy,
Padova, September 12-15, 2004.
12. M. Georgiades, H. Wang, R. Tafazolli, “Security of context transfer in future wireless
communications”, in Proc. of Wireless World Research Forum(WWRF), Toronto, Canada,
November 4-5, 2004.
13. Span – a Security Protocol Animator for AVISPA. http://www.irisa.fr/lande/genet/span
14. Sun-Hee Lim, Okyeon Yi, “A study on EAP-AKA authentication architecture for WiBro
wireless network”, KICS2005-11-457.
15. Sun-Hee Lim, Okyeon Yi, Chang-Hoon Jung, Ki-Seok Bang, “A Fast and Efficient
Authentication Protocol for a Seamless Handover between a WLAN and WiBro”,
Publication at IEEE COMmunication System softWAre and MiddlewaRE
2007(COMSWARE2007), Bangalore, India, Jan. 7-12, 2007.