Article Preview
TopIntroduction
Next Generation Network (NGN) technology evolved in the past few years. NGN architecture is a Next Generation Network where wired and wireless services are converged and quality of service is guaranteed. One of NGN access networks is the Wireless LANs (WLAN). WLAN systems are more suited for hotspots coverage and offer high data rates with low investment cost. The multimedia services provided to the users through WLAN depend on the IP multimedia subsystem (IMS) (3GPP TS 23.228 -v8.1.0, 2007), which is based on All-IP architecture. NGN provides many new services through different access networks, which in turn raises security issues. New security architecture is currently under study (3GPP TS 33.234 -v7.2.0, 2006; 3GPP TS 33.203 - v7.6.0, 2006) that aim at protecting the mobile users, the data transferred and the underlying network. This architecture make the WLAN user have to execute multi-pass Authentication and Key Agreement (AKA) procedure in order to get access to the IMS services. The architecture specifies three authentication steps (see Figure 1). In the first step, the user executes the (Extensible Authentication Protocol) EAP-AKA protocol (Arkko & Haverinen, 2006) to register in WLAN domain. In the second step, the user executes the Internet Key Exchange version 2 (IKEv2) protocol (Kaufman, 2005) that encapsulates EAP-AKA, which registers him to the 3G public land mobile network (PLMN) domain. In the third step the user using the Session Initiation Protocol (SIP) (Rosenberg et al., 2002) executes the IMS-AKA procedure (3GPP TS 33.203 - v7.6.0, 2006) for registration in the IMS domain. As we can see the EAP-AKA has been repeated and an execution of IMS-AKA introduce an authentication overhead (Asokan, Niemi, & Nyberg, 2005) . This overhead is related to: (i) the exchange of messages that cause delays in users' authentication (i.e., especially in cases that the users are located away from their home network) and consume radio resources; and (ii) the computational processing that will consume the limited energy and computational resources at the mobile devices. Therefore, the aforementioned multi-pass AKA procedure deteriorates the overall system performance and may impact negatively on the quality of service offered to the end-users.
Figure 1. Multi-pass AKA procedure for IMS services
There is a rather limited literature that copes with the aforementioned authentication overhead in NGN. Veltri, Salsano, and Martiniello (2006) suggest an integrated authentication protocol, which is based on SIP and authenticates both the WLAN and the 3G PLMN within a single procedure, and thus reduces the overall authentication latency. However, the main drawback of this authentication procedure is that it is vulnerable to Denial of Service attacks. An adversary could simply send false authentication messages that the WLAN has to forward to the 3G PLMN causing overflow. Crespi and Lavaud (2004) propose the introduction of a new functional entity, called WLAN SIP proxy, in the WLAN that enables the latter to perform localized IMS services. However, this approach requires the implementation of the new entity and the related functionality increasing the deployment complexity. Ntantogian and Xenakis (2008) presents a one-pass AKA procedure for NGN that eliminates the repeated authentication steps without compromising the provided level of security. The one-pass AKA based on security key binding between the authentication steps. However this technique can be enhanced by binding the elements of the network.