LR-AKE-Based AAA for Network Mobility (NEMO) Over Wireless Links

IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 24, NO. 9, SEPTEMBER 2006
Hanane Fathi, Member, IEEE, SeongHan Shin, Kazukuni Kobara, Shyam S. Chakraborty,
Hideki Imai, Fellow, IEEE, and Ramjee Prasad, Senior Member, IEEE
Abstract—Network mobility introduces far more complexity
than host mobility. Therefore, host mobility protocols such as Mobile IPv6 (MIPv6) need to be extended to support this new type of
mobility. To address the extensions needed for network mobility,
the IETF NEMO working group has recently standardized the
network mobility basic support protocol in RFC 3963. However,
in this RFC, it is not mentioned how authentication authorization
and accounting (AAA) issues are handled in NEMO environment.
Also, the use of IPsec to secure NEMO procedures does not provide robustness against leakage of stored secrets. To address this
security issue and to achieve AAA with mobility, we propose new
handover procedures to be performed by mobile routers and by
visiting mobile nodes. This new handover procedure is based on
leakage resilient-authenticated key establishment (LR-AKE) protocol. Using analytical models, we evaluate the proposed handover
procedure in terms of handover delay which affects the session
continuity. Our performance evaluation is based on transmission,
queueing and encryption delays over wireless links.
Index Terms—Authenticated key exchange, authentication authorization accounting (AAA), handover delay, IP-based mobile
networks, leakage resilience, mobile IPv6 (MIPv6), mobile routers,
NEMO, session continuity, visiting mobile nodes.
I. INTRODUCTION
THE INCREASING demand for ubiquitous connectivity
leads us towards the incorporation of wireless communication technologies not only in fixed premises such as airports and
hotels but also in vehicular environments such as cars, trains,
and buses. Consequently, the concept of mobility originally
bound to hosts is being extended to an entire network which
changes its point of attachment to Internet. This is referred to
as network mobility (NEMO).
Network mobility introduces far more complexity than host
mobility. Therefore, host mobility protocols such as Mobile IPv6
(MIPv6) [1] need to be extended to support this new type of mobility. Originally, Mobile IP was designed to provide a host the
ability to stay connected to the Internet regardless of its location. In MIPv6, the mobile node (MN) obtains a new Internet
protocol (IP) address in the visited network. To maintain continuous connectivity, the MN needs to update its location with
its corresponding node (CN) and its home agent (HA) whenever
it moves to a new subnet so that it can receive packets.
Manuscript received June 5, 2005; revised February 1, 2006. The work of
H. Fathi was done while at the Center for TeleInfrastuktur (CTIF), Aalborg
University, Denmark. The work of S. S. Chakraborty was done while with the
Academy of Finland and the Helsinki University of Technology, Finland. This
work was supported in part by the Danish “Statens Teknisk-Videnskabelige
Forskningsråd” through the Center for Network and Service Convergence
(CNTK) and in part by the Academy of Finland.
H. Fathi, S. Shin, K. Kobara, and H. Imai are with the Research Center for Information Security, National Institute of Advanced Industrial Science and Technology, Chiyoda-ku, 101-0021 Tokyo, Japan (e-mail: hanane.fathi@aist.go.jp;
seonghan.shin@aist.go.jp; k-kobra@aist.go.jp; h-imai@aist.go.jp).
R. Prasad is with the Center for TeleInfrastuktur (CTIF), Aalborg University,
9220 Aalborg, Denmark (e-mail: prasad@kom.aau.dk).
S. S. Chakraborty is with Ericsson Finland, 02420 Jorvas (e-mail: ssc@cc.hut.fi).
Digital Object Identifier 10.1109/JSAC.2006.875111
To address the extensions needed for network mobility, the
IETF NEMO working group has recently standardized the network mobility basic support protocol in [2]. This protocol allows for session continuity for every node in the mobile network
as the network moves. The mobile network has at least one mobile router (MR), maybe some local fixed nodes (LFNs), and
visiting mobile nodes (VMNs). In [2], a bidirectional tunnel is
proposed to be established between the MR and its HA using
MIPv6. In [3], various attacks (e.g., redirection attacks) against
NEMO were described and led to the adoption of IPsec [4] to protect inbound and outbound NEMO traffic. IPsec is also used to
protect the binding update (BU) messages between the MR and
its HA. In [5], a threat analysis on NEMO is given pointing
out the weaknesses of the integration of IPsec within NEMO.
This analysis results in the identification of attacks such as BU
spoofing that have been overcome in [2]. In [6], a secure route
optimization is devised for NEMO based on public key infrastructure (PKI), on cryptographically generated addresses and
on crypto-based host identifiers. However, weaknesses remain
related to the leakage of secrets from mobile devices. IPsec often
relies on PKI or on symmetric key cryptography, and it is widely
known that none of these protects against leakage of stored secrets. The leakage of stored secrets has always been a critical
issue in security and this is discussed in [7]. Leakage of secret-keys or private-keys causes a serious flaw in the system
which is enough to break down the overall security, but unfortunately the potential of such risk is not negligible due to computer
viruses, bugs in programs or misconfigurations of the system
and due to lost/stolen portable devices used for wireless communications. Cryptographic authentication relies on the possession of a key by the party to be authenticated. Such keys are
often stored using special devices such as tamper-resistant modules (TRMs). However, there are situations where this is inconvenient (e.g., when PKI is used) or expensive (i.e., due to
the need of purchasing an extra TRM chip). Note that TRMs
are also not completely free from bugs or misconfigurations.
Therefore, there is a need for secure communication relying
on a short secret that can be remembered by humans to avoid
leakage from devices. This is the motivation behind password-based authenticated key exchange (PAKE) protocols, in general,
and of the leakage-resilient authenticated key exchange protocol
(LR-AKE) [8]. In this paper, we decide to use LR-AKE instead
of PAKE because LR-AKE provides clear advantages in terms
of leakage-resilience, as well as communication and computational efficiency (i.e., bandwidth, delay, etc.). Also, LR-AKE
is appropriate for NEMO environment for which PKI is not
suitable. In this paper, we overcome both the classical security attacks and the problem of leakage by using the LR-AKE
protocol.
Also, in RFC 3963 [2], it is not mentioned how authentication authorization and accounting (AAA) issues are handled in
NEMO environment. An AAA infrastructure typically consists
of AAA servers interacting with each other. AAA servers authenticate users, handle authorization requests, and collect accounting data. For users as well as routers visiting a foreign domain, usually the AAA foreign (AAAF) server and the AAA
home (AAAH) server need to contact each other to verify if the
user is allowed to obtain the requested service. Recently, [9] appeared and proposed an AAA architecture for nested NEMO
based on Diameter and on the Protocol for Carrying Authentication
for Network Access (PANA) for access control and used IPsec for
MIP registrations and user data packets. In this paper, we join
NEMO-MIPv6 with AAA in a unique mechanism that is robust
against leakage of secrets and classical attacks (i.e., spoofing,
eavesdropping).
While the combination of AAA and MIP procedures has been
widely investigated for host mobility, this issue seems to have
received relatively less attention for NEMO. In RFC 2977, IETF
specifies the requirements for AAA to support Mobile IP services. In [10], the basic pillars for combining AAA and MIP are
given. In [11], an integration of AAA with hierarchical MIPv6 is
proposed to achieve better registration latency. Concerning secure wireless roaming, [12] introduces the use of identity-based
cryptography for MIP with AAA. All the results in the cited literature focus on host mobility and are not easily extendable to
NEMO.
In this paper, we propose a handover procedure for network
mobility (NEMO) achieving AAA and mobility with security
against leakage, and various active and passive attacks. We consider the mobility of the MR and the mobility of the VMN. We
do not consider nested mobile networks but our proposal can
easily be extended to nested mobile networks. We devise mechanisms based on LR-AKE for registrations at the HA for MR
and VMN and for registrations at the CN to guarantee route optimization for VMN. The registration to the CN from the VMN
is applicable also for the MR to achieve route optimization. We
analyze the security of the proposed architecture. To assess the
performance impact of the proposed architecture, we focus on
the session continuity over wireless links which is the essential
point of NEMO and specifically on VoIP session continuity that
is affected by handover delays higher than 300 ms [13], [14].
Therefore, we evaluate the handover delay as function of the
frame error rate (FER) in the wireless link and the messages
arrival rate at the HA. The evaluation is made using analytical methods for transmission delays based on a random error
process and queueing delays. The handover delay is analytically derived in various situations. The method used involves
queueing theory and reliability mechanism of each protocol to
overcome losses that are most likely to happen over a wireless
link. We give the proportion of the handover delay due to the security procedure, the MIPv6 procedure, the encryption, and the
queueing in order to identify the dominant factors.
The rest of this paper is organized as follows. In Section II,
the NEMO protocol based on Mobile IPv6 is described.
Section III presents the weaknesses of IPsec in NEMO in
terms of leakage resilience. Section IV introduces the LR-AKE
protocol. In Section V, we propose new secure handover
mechanisms for achieving AAA in NEMO. The security analysis of our proposal is given in Section VI. The performance
analysis of the proposed mechanisms in terms of handover
delay using analytical models is given in Section VII. Then,
the results for the handover delay are presented in Section VIII
considering various conditions, and the concluding remarks are
given in Section IX.
II. NETWORK MOBILITY: NEMO
Network mobility (NEMO) protocol enables mobile networks to attach to different points in the Internet with session
continuity. The protocol is an extension of Mobile IPv6 that
allows for session continuity and reachability for every node in
the mobile network.
The MR, which connects the network to the Internet, uses the
NEMO basic support protocol with its HA to achieve session
continuity. The protocol is designed in such a way that network
mobility is transparent to the nodes inside the mobile network.
A mobile network is considered as a network segment or subnet
which moves and attaches to points in the fixed network. The
entry point in a mobile network is a MR that manages the network’s movement. There is at least one MR per mobile network
that is responsible for maintaining a bidirectional tunnel to a
HA. The mobile network consists of LFNs that always belong
to the same mobile network and communicate via the same MR
and VMNs that attach temporarily to the mobile network and to
the MR. The HA advertises an aggregation of mobile networks
to the infrastructure.
A mobile network can also consist of multiple and nested
subnets but this is not considered in this paper. A MR has a
unique home address through which it is reachable when it is
registered with its HA. The MR advertises one or more prefixes
in the mobile network attached to it.
When the MR moves away from the home link and attaches
to a new access router, it acquires a care-of-address (CoA) from
the visited link. As soon as the MR acquires a care-of address, it
immediately sends a BU to its HA. When the HA receives this
BU, it creates a binding cache entry binding the MR’s home address to its CoA at the current point of attachment. When the
MR provides connectivity to nodes in the mobile network, it indicates this to the HA by setting a flag (R) in the BU. It may also
include information about the mobile network prefix in the BU,
so that the HA can forward packets meant for permanent nodes
in the mobile network to the MR. The HA acknowledges the
BU by sending a binding acknowledgement to the MR. A positive acknowledgement means that the HA has set up forwarding
for the mobile network. Once the binding process completes, a
bidirectional tunnel is established between the HA and the MR.
The tunnel endpoints are MR’s care-of address and the HA’s
address.
If a packet with a source address belonging to the mobile network prefix is received at the MR from the mobile network,
the MR sends the packet in a reverse-tunnel to the HA using
IP-in-IP encapsulation. The HA decapsulates this packet and
forwards it to the correspondent node. For traffic originated by
itself, the MR can use reverse tunneling. When a correspondent
node sends a packet to a node in the mobile network, this packet
is routed via the HA which currently has the binding for the
MR. It is expected that the MR’s network prefix would be aggregated at the HA, which advertises the resulting aggregation.
The HA can receive the data packets destined to the mobile network by advertising routes to the mobile network prefix. When
the HA receives a data packet meant for a node in the mobile
network, it sends it via the tunnel to MR’s current CoA. The
MR decapsulates the packet and forwards it onto the interface
where the mobile network is connected. The link between MR
and HA is protected by IPsec in tunnel mode. The MR also has
to make sure the destination address on the inner IPv6 header belongs to a prefix used in the Mobile Network before forwarding
the packet to the mobile network. Otherwise, it should drop the
packet.
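The binding and forwarding rules of this section, as an added Python example that is not part of the original paper. The class and method names are hypothetical, all addresses are constructed from the 2001:db8::/32 documentation range, and the check of the outer tunnel endpoints is this example's reading of "the tunnel endpoints are MR's care-of address and the HA's address".

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Binding:
    coa: ipaddress.IPv6Address  # care-of address, the MR end of the tunnel
    prefixes: tuple             # mobile network prefixes the HA forwards for


class HomeAgent:
    def __init__(self, address):
        self.address = ipaddress.IPv6Address(address)
        self.cache = {}         # binding cache: home address -> Binding

    def binding_update(self, hoa, coa, r_flag=False, prefixes=()):
        """Create or refresh a binding cache entry; True stands for a positive BA."""
        # Forwarding for a prefix is set up only when the R flag marks the
        # sender as a mobile router (assumption of this example).
        nets = tuple(ipaddress.IPv6Network(p) for p in prefixes) if r_flag else ()
        self.cache[ipaddress.IPv6Address(hoa)] = Binding(
            ipaddress.IPv6Address(coa), nets)
        return True

    def tunnel_endpoint(self, dst):
        """Return the CoA to encapsulate towards, or None if no binding covers dst."""
        dst = ipaddress.IPv6Address(dst)
        for hoa, binding in self.cache.items():
            if dst == hoa or any(dst in net for net in binding.prefixes):
                return binding.coa
        return None


class MobileRouter:
    def __init__(self, coa, ha_address, prefixes):
        self.coa = ipaddress.IPv6Address(coa)
        self.ha = ipaddress.IPv6Address(ha_address)
        self.prefixes = tuple(ipaddress.IPv6Network(p) for p in prefixes)

    def _in_mobile_network(self, addr):
        return any(ipaddress.IPv6Address(addr) in net for net in self.prefixes)

    def accept_from_tunnel(self, outer_src, outer_dst, inner_dst):
        """Forward a decapsulated packet only if it came through the HA tunnel
        and its inner destination lies in a mobile network prefix; else drop."""
        if ipaddress.IPv6Address(outer_src) != self.ha:
            return False
        if ipaddress.IPv6Address(outer_dst) != self.coa:
            return False
        return self._in_mobile_network(inner_dst)

    def reverse_tunnel(self, inner_src):
        """Return the (outer source, outer destination) pair used to send a
        packet from the mobile network to the HA, or None to drop it."""
        if self._in_mobile_network(inner_src):
            return (self.coa, self.ha)
        return None
```
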
The VMNs in the mobile network should perform the MIPv6
with their HAs and CNs to guarantee session continuity once in
a foreign mobile network.
III. WEAKNESSES OF IPSEC IN NEMO
In IPsec, the establishment and maintenance of security association is performed by Internet key exchange (IKE) protocol
[15]. IKEv1 [15] defines three types of keys upon which a phase
I might be based: a preshared symmetric key, a pair of keys for
public-key encryption, and a pair of keys for digital signature.
In any case, a party should store a cryptographically strong key
(symmetric key, private keys for public-key encryption, and digital signature) on devices. Leakage of such keys results in total
breakdown of security since authentication only depends on the
strong secret the party holds. If the symmetric keys are weak
secrets like passwords, offline dictionary attacks can be applied
[16]. Recently, IKEv2 [17] specified digital signature-based authentication (called SIGMA) and password-based authentication [18] both of which become insecure if the stored secrets
are leaked out (refer to [19] for the insecurity of [18]).
Moreover, BUs to CN originally secured by the return
routability procedure are weak against on-path attackers, as
stated in [1].
IV. LEAKAGE-RESILIENT AUTHENTICATED KEY EXCHANGE
(LR-AKE) PROTOCOL BASED ON RSA
In this section, we give an overview of LR-AKE protocol
to be used in our proposed architecture. The first LR-AKE
protocol has been proposed in [8] but it was based on the
Diffie–Hellman protocol which is not appropriate for mobile
devices with limited computing power.¹ In this paper, we propose to use a slightly modified version of the LR-AKE protocol
given in [19] that is based on RSA and can be regarded as the
appropriate solution for “unbalanced” wireless networks where
a party has a limited computing power capability on the one
hand, and the corresponding party has higher computing power
capabilities on the other hand. Also, the LR-AKE protocol
[19] is remarkably efficient as computing RSA encryption
with small primes (i.e., small encryption exponents) is more
lightweight than computing the Diffie–Hellman values. The
LR-AKE protocol is based on a two-party (client and server)
model.
¹In general, a modular exponentiation with an exponent of 160-bits long over
1024-bits modulus as used in the Diffie–Hellman protocol requires heavy computing power.
A. Security Goal
The security goal of an AKE protocol is to establish secure
channels between two parties, authenticating each other and
sharing a common session key (e.g., the key is used for confidentiality and/or data integrity) at the end of the protocol. In
addition to mutual authentication and generation of session keys
in AKE, LR-AKE protocols provide additional security features that protect a party’s short secret against leakage of stored
secrets from the both parties. To summarize, our RSA-based
LR-AKE protocol guarantees both leakage-resilience of stored
secrets and forward secrecy.
B. Preliminaries
Here, we provide a definition of the standard RSA function,
which is the basis for the security of the LR-AKE protocol, and
some notations.
An RSA public and private key pair
is computed as follows: 1)
such that , are distinct and odd
are integers satisfying
mod
primes and 2)
. We call
a RSA modulus. The RSA encryption funcis defined by
mod
and the
tion
is
.
RSA decryption function
Thus, the RSA function is simply exponentiation with exponent (i.e., or ) in the group , whose order is
(1)
The basic security property of the RSA function is one-wayness, meaning given , , , it is computationally hard to com.
pute
Let denote the security parameter for hash functions and
denote the
temporal random values (say, 160 bits). Let
the set of binary strings
set of finite binary strings and
of length . Let “ ” denote the concatenation of bit strings in
.
Let us define secure one-way hash functions as follows: while
denotes a full-domain hash function from
to
, hash functions from
to
are denoted
, for
,1,2,3,4. Here, we will assume that and
are distinct
random functions from one another. Let and be the identities
of client and server, respectively.
C. The LR-AKE Protocol Based on RSA
1) The Relevant Context: The relevant situations or environments to benefit most from LR-AKE are wireless networks
including heterogeneous devices (i.e., with different computational capabilities): for instance, such network enables communications between a user (so-called client) which has insecure
devices, such as mobile phones or PDAs, with limited computing power but some memory capacity itself and a server that
has enough computing power to generate a pair of (public and
private) keys of RSA and to perform the RSA decryption function when e is a small prime number. In order to speed up computation of (for the client’s efficiency), e can be chosen
to be a small prime with a small number of 1’s in its binary representation (e.g., ).² In addition, neither TRM nor PKI is
needed to support LR-AKE.
Fig. 1. The whole protocol of RSA-based LR-AKE where the enclosed values in rectangle represent stored secrets of client and server, respectively.
2) The Process: The RSA-based LR-AKE protocol consists
of three phases: initialization, public-key verification, and session-key generation. In the initialization phase, a client registers the verification data to a server . In the public-key verification phase, the client and the server verify the server’s RSA
key via challenge-response protocol. In the session-key generation phase, the client and the server authenticate each other,
and then they generate a shared session key. The whole protocol
is illustrated in Fig. 1.
²Choosing “e” as a small prime (e.g., 3) does not incur any security problem
known so far. Of course, it is the case that the modulus “N” is a composite
of two prime numbers with each size equal (following the RSA key generation
procedure shown in preliminaries in Section IV-B). The actual security of the
RSA function is not in the public key, but in factoring the composite “N.” Since
the RSA key (including “N”) is generated in the initialization phase of the RSA-based LR-AKE protocol, there is no possible attack on “e” even if “e” is a small
prime.
• Initialization: During the initialization, the client generates verification data with the secret values , and his
password
(2)
The user registers the verification data and securely to
server . This could be done only once when the user subscribes to the server. Then, the user just stores the secrets
and on insecure devices (e.g., mobile devices with
low computing power) and remembers his password .
• Public-key verification: The public-key verification protocol runs between client and server as follows. At
first, they both exchange random numbers , chosen
from , and along the latter the server sends its
RSA public key and to the client as
long as the received number is in the right range. The
RSA key pair , is generated by server
and are calculated with under the
private key . Each of is a divided hash value
of . Upon receiving all of these
values, client checks the validity of and
with its public key . These two flows are used in
order to thwart so-called e-residue attacks [19]. This phase
is executed only once.
• Session-key generation: The client computes using the
secret value and the password . Then, the client calculates using a mask generation function as the product
of an encryption of a random value under the public key
with a full-domain hash of and other values, before sending it in a masked message (MM) to server . The
latter can divide this encrypted value by a hash of its secret
value registered by the client and other values, and then
decrypt the resultant value under its private key so
as to obtain that is used to compute its authenticator
carried in a server authenticator message (SA) and the session key. After receiving
from the server, client computes his authenticator and the session key , as long
as the authenticator is valid, and it sends to server
in a client authenticator message (CA). If the authenticator
is valid, the server actually computes the session
key which is used for their subsequent cryptographic
algorithms. At the end of the protocol, the client stores
a new secret value , after updating the secret value
as follows: . In the same way, the
server stores a new secret value , after updating the
secret value as follows: .
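The session-key generation phase above (MM, SA, CA, then the update of both stored secrets) as an added Python example; it is not code from the paper or from [19]. Equation (2) and the hash inputs are not legible on this page, so the additive verification data p = alpha + pw mod N, the additive update, the SHA-256 based hashes, e = 65537 and the toy modulus are all assumptions, and the public-key verification phase is skipped.

```python
import hashlib
import hmac
import secrets

# Demo-only RSA key (assumption): two Mersenne primes give a ~150-bit modulus,
# far too small for real use but enough to exercise the arithmetic.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def h(tag, *parts):
    """Hash H_tag over length-prefixed parts (SHA-256 stands in for the paper's hashes)."""
    m = hashlib.sha256(bytes([tag]))
    for part in parts:
        if not isinstance(part, bytes):
            part = part.to_bytes((part.bit_length() + 7) // 8 or 1, "big")
        m.update(len(part).to_bytes(4, "big") + part)
    return m.digest()


def fdh(*parts):
    """Full-domain hash into Z_N^* (assumed construction: counter-mode SHA-256)."""
    ctr = 0
    while True:
        stream = b"".join(h(0, ctr, i, *parts) for i in range(2))
        v = int.from_bytes(stream, "big") % N
        if v and v % P and v % Q:      # must be invertible so the server can unmask
            return v
        ctr += 1


def pw_int(password):
    """Map the remembered password to an integer mod N (assumed encoding)."""
    return int.from_bytes(h(5, password.encode()), "big") % N


def register(password):
    """Initialization: the client stores alpha, the server stores p = alpha + pw mod N."""
    alpha = secrets.randbelow(N)
    return alpha, (alpha + pw_int(password)) % N


def handshake(cid, sid, alpha, p_srv, password):
    """Run MM -> SA -> CA once. Returns (client key, server key, new alpha, new p),
    or None when an authenticator check fails."""
    # Client: rebuild p from the stored alpha and the remembered password.
    p_cli = (alpha + pw_int(password)) % N
    x = secrets.randbelow(N - 2) + 2
    z = pow(x, E, N) * fdh(cid, sid, p_cli) % N             # MM carries z
    # Server: strip the mask with its stored p, then RSA-decrypt.
    x_srv = pow(z * pow(fdh(cid, sid, p_srv), -1, N) % N, D, N)
    vs = h(1, cid, sid, z, p_srv, x_srv)                     # SA carries vs
    # Client: verify the server authenticator before answering.
    if not hmac.compare_digest(vs, h(1, cid, sid, z, p_cli, x)):
        return None
    vc = h(2, cid, sid, z, p_cli, x)                         # CA carries vc
    sk_cli = h(3, cid, sid, z, p_cli, x)
    # Server: verify the client authenticator, then derive the session key.
    if not hmac.compare_digest(vc, h(2, cid, sid, z, p_srv, x_srv)):
        return None
    sk_srv = h(3, cid, sid, z, p_srv, x_srv)
    # Both ends shift their stored secret by the same H4 value, so a copy of
    # either secret leaked before this run no longer matches the other side.
    d_cli = int.from_bytes(h(4, cid, sid, z, p_cli, x), "big")
    d_srv = int.from_bytes(h(4, cid, sid, z, p_srv, x_srv), "big")
    return sk_cli, sk_srv, (alpha + d_cli) % N, (p_srv + d_srv) % N
```

With the MR as client and its HA as server, `handshake(b"MR", b"HA", alpha, p, password)` yields the key both ends would then use to protect the BU/BA exchange.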
D. The Security of LR-AKE
We consider an attacker who has capability to control fully the
communications between the parties. For the full security proof
and several security features, please refer to [19]. Some ways for
the attacker to break the LR-AKE protocol are the following.
• To guess a password and to make an online trial with respect to and only after getting the user/client’s saved
secret (i.e., ). The LR-AKE protocol is secure against online attacks by having the server take an appropriate policy
with limited number of trials.
• To use a RSA function that is not a permutation. With the
view of , the attacker tries all the passwords, and only
a strict fraction lead to in the image of . But
for that, the attacker has to forge a proof of validity for
. The optimal parameter can be obtained from
[20].
• To use the authenticator or to check the correct password. But this requires the ability to solve one-wayness of
the RSA function.
• To send a correct authenticator or , but being lucky.
E. Efficiency
With respect to computation costs, client needs to compute one modular exponentiation with the exponent e and
one modular multiplication . When e is a small prime, the
computation costs (i.e., in case of ) become very small compared with the Diffie–Hellman computations. In particular, the remaining costs after precomputation is
only one modular multiplication and additional negligible operations for modular additions and hash functions. As for communication costs, it requires a bandwidth of bits
approximately.
V. LR-AKE-BASED AAA FOR NEMO
In this paper, we propose an AAA and handover process for
NEMO based on LR-AKE and MIPv6 to protect against leakage
of stored secrets without compromising the protection against
classical active and passive attacks. Our proposed procedure is
based on LR-AKE performed between the MR and the LFNs,
between the MR and its HA, and between VMNs and their HA
and CNs.
• The security of the communications on the link between
the MR and the LFNs is guaranteed by LR-AKE; MR and
LFNs should perform the message exchange illustrated in
Fig. 1 before any communication.
• The security of the communications (i.e., signaling and
data) on the link between the MR and its HA is guaranteed by LR-AKE.
• The security of the communications (i.e., signaling and
data) on the link between the VMN and its HA is guaranteed by LR-AKE.
• The security of the communications (i.e., signaling and
data) on the link between the VMN and its CNs is guaranteed by LR-AKE.
• The security of the communications (i.e., signaling and
data) on the link between the VMN and MR is guaranteed
by the establishment of a shared symmetric key sent by
via a path secured by LR-AKE and the procedure
proposed in Fig. 4.
The verification data necessary for LR-AKE is stored by the
administrator at the HA and at the MR for HA-MR link, by the
user at the LFN and at the MR for securing the LFN-MR link
and at the VMN and at its HA for securing VMN-HA link.
We expose in the following sections how the handover
process for the MR and the VMN is performed. Note that all
the encryptions performed in this architecture are based on
AES used in counter mode.
A. Architectural Elements
In our scenario, every MR with LFNs belongs to a home domain. When the MR requests a network connection in a particular domain, the process involves the AAA server (AAAF if
the MR is in a foreign domain; AAAH if the MR is in its home
domain) for billing purposes and the HA for session continuity
and authentication purposes. When a VMN requests a network
connection in a foreign domain, the process involves the AAA
server (AAAF and AAAH) for billing purposes and the HA for
authentication purposes and the CN for session continuity. As
illustrated in Fig. 2, the AAA infrastructure in a mobile environment is based on a set of servers (AAAF, AAAH) located in
different domains. If the MR or the VMN are in a foreign domain, the procedure involves the AR, the AAAF, the AAAH, the
HA, and the CN (for the VMN). These are the entities we consider further in the next section. We consider also that the AAAF
and the AAAH have pre-established roaming agreements and
therefore have set up a preshared secret key and the AAAH
and the HA have a preshared secret key that is encrypted with
introduced in Fig. 1 (later is deleted). We also consider that
AAAH and HA are collocated or have a trustful relationship as
they are part of the same administrative domains.
B. Messages Flow for MR
The mechanism proposed including all security, AAA, and
mobility procedures is illustrated in Figs. 2 and 3. The MR needs
first to realize that it is in a foreign network through the exchange of router solicitations and router advertisements. Once
the change of network is detected, the MR and its HA use
LR-AKE to achieve mutual authentication and to generate the
session keys to be used for encrypting the BUs/BAs. Therefore,
as illustrated in Figs. 2 and 3, the MR sends the masked message (MM) to its HA. The HA sends back the server authenticator (SA) message to the MR. Upon reception of SA, the MR
checks the legitimacy of the HA, sends back the client authenticator (CA) message and generates the session key . Upon reception of CA, the HA authenticates the MR and generates the
same key . Finally, the MR can send to its HA a BU encrypted
with . Upon reception of BU, the HA sends AAA message request (AMR) encrypted with the secret symmetric key to the
AAAH.³ After receiving the AMR, the AAAH sends to AAAF
a random number encrypted with the preshared secret .
The AAAF answers with a random number also encrypted
with the preshared secret . Based on this exchange, AAAF
and AAAH generate the session key in the following way:
(3)
This key is generated to protect against replay attacks. Then, the
AAAH sends AMR encrypted with to AAAF specifying the
MR’s CoA and its profile. The AAAF sends back an AAA message acknowledgment (AMA) to show that the authorization is
granted to MR. The AAAH informs the HA about the authorization by sending AMA encrypted with . HA thus sends back
a BA encrypted with to the MR. Upon reception of BA, the
access is granted to the MR and AAAF starts charging for it.
The path between the MR and its HA is secured using
LR-AKE that establishes a session key with three-way handshake. The path between both AAA servers is secured using
a temporary symmetric session key. The link between AAAH
and HA is protected by symmetric key cryptography.
Fig. 2. Messages flow for registrations to HA with proposed security architecture. k are session keys and r are random numbers used to generate the keys.
Fig. 3. Messages flow during the registrations to HA with proposed security
architecture.
³If AAAH and HA are not collocated and do not belong to the same administrative domain, they can then exchange random numbers to generate a temporary
session key as performed in (5).
C. Messages Flow for VMN
The VMN needs first to realize that it is in a foreign network
through the exchange of router solicitations and router advertisements with the MR or with other routers in the mobile network. Once the change of network is detected, the VMN and its
HA use LR-AKE to achieve mutual authentication and to generate the session keys to be used for encrypting the BUs/BAs.
Therefore, the VMN performs the same procedure as the MR to
achieve AAA and mobility registration securely, as illustrated
in Fig. 2.
The path between the VMN and its HA is secured using
LR-AKE that establishes a session key with three-way handshake. The path between both AAA servers is secured using
a temporary symmetric session key. The link between AAAH
and HA is protected by symmetric key cryptography.
To update its binding at its CN, the VMN needs to perform
the following procedure. Once the change of network is detected, the VMN and the CN need to generate the session keys
to be used for encrypting the messages exchanged on the path
VMN-CN direct and via their respective HAs.
• The path between the VMN and its HA is secured using
LR-AKE that establishes a session key with three-way
handshake: VMN (playing the role of Client in LR-AKE)
performs the three way handshake as described earlier to
generate the session key used to encrypt the BUs and
messages sent to HA. The path between CN and its HA
is secured in the exact same way using encryption with
the session key . Both VMN-initiated and CN-initiated
procedures do not have to be simultaneous but CN must
have established with its HA prior to VMN’s handover.
• The path between CN’s HA and VMN’s HA is secured by the use of leakage-resilient PKI. Both HAs need to protect their secret keys and the symmetric key (to be used to secure exchanges between HAs) by encrypting them with the secret value introduced in Section IV. is never transmitted, instead random numbers and generated by CN’s HA and VMN’s HA, respectively, are exchanged only once using the HAs’ public keys, as illustrated in Fig. 4. Once this step is achieved, used for all the following exchanges between the given HAs is computed by both HAs in the following way:
(4)
This is done to ensure lower computational cost as the public key cryptosystem is generally known for being 1000 times more time and computation-consuming than the use of a symmetric key (128 bit random number). Therefore, all the following exchanges between both given HAs happen much faster.
• VMN and CN should communicate directly and in a secure way to exchange BUs/BAs. This is ensured by the establishment of a symmetric session key (128 bits random number) that is generated at each endpoint via the exchanges of random numbers on the safe path: . From the VMN to its HA, the random number is encrypted using key generated by LR-AKE . Between both HAs, is encrypted by . Between CN and its HA, is encrypted by generated by LR-AKE. CN sends back to VMN a random number on the same safe path. Finally, VMN and CN can generate the session key to be used to protect their exchanges
(5)
The BUs to the HA can be sent in a secure manner thanks to LR-AKE using the session key , and the BUs sent directly to the CN are secured by the symmetric key . Also, the VMN’s HA establishes only once the session key with the CN’s HA.
Moreover, all the VMNs linked to the same HA1 communicating with CNs belonging to the same HA2 use the same symmetric key for performing inter-HA communications and handovers.
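The nonce relay on the safe path described above, as an added Python sketch (not the authors' code). Assumptions: the names `k1`, `k_ha`, `k2`, `r_vmn` and `r_cn` are hypothetical, the final derivation is a SHA-256 hash of both nonces because equation (5) is not reproduced on this page, and an HMAC-SHA-256 keystream with a MAC stands in for AES so that the example needs only the standard library.

```python
"""Hop-by-hop nonce relay VMN -> HA1 -> HA2 -> CN and back (added illustration)."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA-256 in counter mode: a stdlib stand-in for AES (assumption).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one hop message under that hop's symmetric key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(key, b"enc" + nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; reject anything modified in transit."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("hop message too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("hop message failed authentication")
    stream = _keystream(key, b"enc" + nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def relay(value: bytes, hop_keys: list) -> tuple:
    """Carry `value` along the path; return what arrives and what each relay saw.

    hop_keys[i] protects hop i. Every intermediate node decrypts with the
    inbound hop key and re-encrypts with the outbound one.
    """
    seen = []
    blob = seal(hop_keys[0], value)
    for k_in, k_out in zip(hop_keys, hop_keys[1:]):
        clear = unseal(k_in, blob)
        seen.append(clear)          # the relay handles the nonce in the clear
        blob = seal(k_out, clear)
    return unseal(hop_keys[-1], blob), seen


def derive(r_vmn: bytes, r_cn: bytes) -> bytes:
    # Assumed derivation (equation (5) is not on this page): 128-bit hash output.
    return hashlib.sha256(b"VMN-CN" + r_vmn + r_cn).digest()[:16]


def establish() -> tuple:
    """Run both directions and return the key as seen by VMN, CN and HA1."""
    # k1: VMN-HA1 key from LR-AKE, k_ha: inter-HA key, k2: CN-HA2 key from LR-AKE.
    k1, k_ha, k2 = (secrets.token_bytes(16) for _ in range(3))
    r_vmn, r_cn = secrets.token_bytes(16), secrets.token_bytes(16)

    at_cn, seen_fwd = relay(r_vmn, [k1, k_ha, k2])     # VMN -> HA1 -> HA2 -> CN
    at_vmn, seen_back = relay(r_cn, [k2, k_ha, k1])    # CN -> HA2 -> HA1 -> VMN

    k_vmn = derive(r_vmn, at_vmn)
    k_cn = derive(at_cn, r_cn)
    # HA1 is the first relay on the way out and the second on the way back.
    # Under this reading of the text both HAs are trusted with the nonces.
    k_ha1_view = derive(seen_fwd[0], seen_back[1])
    return k_vmn, k_cn, k_ha1_view


if __name__ == "__main__":
    k_vmn, k_cn, k_ha1_view = establish()
    print("VMN and CN agree:", k_vmn == k_cn)
    print("HA1 could derive the same key:", k_ha1_view == k_vmn)
```

The third returned value makes the trust boundary explicit: the confidentiality of the VMN-CN key rests on every hop key and on both HAs, not only on the two endpoints.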
D. LR-AKE Considerations
Considering the LR-AKE exchange between MR and its HA and the VMN and its HA, the initialization phase and the public-key verification phase shown in Fig. 1 are only executed once and for all when the MR subscribes to its home network. They are not performed at every handover, and therefore are decoupled from the handover delay. The phase triggered at every handover is the session key generation phase (three-way handshake).
Fig. 4. Message flow for registrations to CN for VMN with proposed security architecture. k are session keys and r are random numbers used to generate the keys.
For MIPv6 registrations to CN and to HA, the HAs’ private keys for PKI and the subsequent session keys between HAs and with AAAH are encrypted with the secret stored value as its key: , where is the key for PKI, is the symmetric key shared between HA and AAAH, is the session key between HAs and represents some public information. Then, the value is deleted on the HAs’ side. This protects the private key against leakage of stored secrets from both VMN/CN, MR and HAs. The delay to perform protection against leakage is negligible as the HA has high computational power and the operation needs to be done only once and possibly offline.
VI. SECURITY ANALYSIS
Here, we show that the security architecture proposed in Section V not only guarantees the authenticity and the confidentiality of the messages exchanged between MR, LFN, VMN, CN, and HAs, but also provides security against leakage of stored secrets, which may be an even more important and practical threat in the real world. As we pointed out in Section I, cryptographic protocols used for authentication are totally useless if the stored secrets leak out due to accidents such as lost/stolen devices. Let us consider an attacker who has the ability to eavesdrop, modify, and insert the messages exchanged by parties, as well as to have access to parties’ stored secrets (MR in Fig. 2, and VMN and CN in Fig. 4).
Theorem 1: The proposed security architecture of Fig. 2 provides secure BU/BA exchanges if the LR-AKE protocol and the symmetric-key encryption are secure.
Proof: In order to simplify the discussion, we assume that AAAH and HA are the same party so that the communications between them can be done securely. There are three cases for the attacker to break the MIPv6 handover. The first case is to break the underlying symmetric-key encryption that is used to encrypt BU/BA messages with the established temporal session key between MR and HA. The second case is to break the symmetric-key encryption used to encrypt AMR/AMA between AAAF and AAAH. The third case is to break the underlying LR-AKE protocol that is used to authenticate and then generate a session key between MR and HA. Therefore, the overall success probability for the attacker is upper-bounded by
(6)
(7)
where is the case that the attacker does not break the underlying LR-AKE protocol.
Lemma 1: is negligible.
If the symmetric-key encryption is secure, it is obvious.
Lemma 2: is negligible.
Recall that the security of the LR-AKE protocol depends on the password and the stored secret value . So we discuss its security against both online and offline dictionary attacks. In offline dictionary attacks, an attacker who records the communications of one or more sessions tries to eliminate a significant amount of possible passwords so as to impersonate one party. In online dictionary attacks, an attacker can do no better than guess at most one password during each interaction with the parties. While online dictionary attacks can be applied to any password-based protocols, they are not so threatening since they can be detected by the other party and prevented by limiting the number of trials within a certain period (e.g., a server that terminates a transaction after three trial-failures on password!).
can be interpreted as to break the secrecy of session keys in the context of executing the LR-AKE protocol. Without leakage of , the attacker cannot even apply online dictionary attacks since the secrecy of session keys depends on the strong secret . Even if the attacker gets , the secrecy of session keys can be shown where the attacker is confined in Section IV-D. That is, online dictionary attacks are not so threatening for the same reason as the above discussion. Therefore, is negligible, so is .
Lemma 3: is negligible.
If the symmetric-key encryption is secure, it is obvious.
Theorem 2: The proposed security architecture of Fig. 4 provides secure BU/BA exchanges if the LR-AKE protocol, the symmetric-key encryption, and the public-key encryption are secure.
Proof: There are four cases for the attacker to break the MIPv6 handover. The first case is to break the underlying symmetric-key encryption that is used to encrypt BU/BA messages with the established temporal session key between VMN and CN. The second case is to break the symmetric-key encryption used to encrypt random numbers between VMN and MN’s HA. The same case can be considered between MN’s HA and CN’s HA, and between CN and CN’s HA. The third case is to break the underlying LR-AKE protocol that is used to authenticate and then generate a session key between VMN and MN’s HA, and between CN and CN’s HA. The fourth case is to break the underlying public-key encryption used to encrypt random numbers between MN’s HA and CN’s HA. Therefore, the overall success probability for the attacker is upper-bounded by
(8)
(9)
where and are the cases that the attacker does not break the underlying LR-AKE protocol and the public-key encryption, respectively. We omit the remaining proof that each probability is negligible since it can be shown very similarly as in Theorem 1.
VII. DELAY PERFORMANCE ANALYSIS
In this section, we analyze the delay of the proposed handover mechanism. In this paper, we evaluate the time interval between the moment when the MR or the VMN sends a router solicitation and the moment when the MR or the VMN can send and receive IP packets, under various conditions. The analysis consists of four steps.
• The first step consists in the evaluation of the transmission delay of NEMO-MIPv6 messages. It considers the FER of the wireless link and the retransmission strategies to overcome the losses.
• The second step is similar to the first step but considers the security procedure based on LR-AKE and the necessary AAA message exchanges.
• The third step deals with the queueing delays experienced by the different messages on the communication path.
• The fourth step considers the en/decryption delay induced by the LR-AKE cryptographic functions.
A. NEMO-MIPv6 Delay
In this section, we assume the following.
• A random error process.
• A router advertisement is sent only if a router solicitation has been previously received.
• A binding acknowledgement is sent only if a BU has been received previously.
• Error correcting codes are not considered here.
• The link-layer reliability mechanism is assumed to operate
in the transparent mode where link layer retransmissions
are not performed.
Let be the probability of a frame being erroneous in the air link. Therefore, considering frames contained in a packet, the packet loss rate is .
We denote as the interframe time, being the time interval between the transmissions of two consecutive frames, and as the frame propagation delay through the radio access network (RAN). Therefore, the propagation delay from MR to RAN for a message is .
1) Retransmission Timer: The retransmission timers for MIPv6 follow the exponential backoff mechanism. Let be the initial backoff timer. The backoff timer upon the th transmission doubles after each retransmission. Hence
(10)
The initial retransmission timer can be taken from the specification, see Table II.
2) Retransmission Probability: The probability of retransmission is the probability of a transaction having failed: this means that the first packet sent (solicitation containing frames) is lost or that the first packet is received but the response (advertisement containing frames) is lost. Therefore, the probability of having a retransmission of solicitation is
(11)
(12)
The value of is changing reflecting the size of the messages exchanged in the transaction.
3) Average Transmission Delay: Let be the maximum number of transmissions. The average delay for the successful transmission of the MIP “request” message to the RAN is as follows:
(13)
The handover delay is the addition of the delays for all the messages necessary to perform the handover. The transmission delay to the RAN for the registration to HA is given as
(14)
where is the delay between the RAN and the HA which is mainly Internet delay. The transmission delay to the RAN for the registration to CN is given as
(15)
B. Security Delay
The security delay consists of the delay to perform LR-AKE, to establish session keys and to exchange AAA messages.
To evaluate LR-AKE security delay, the same reasoning as MIPv6 delay described in the previous section is used. We assume that the reception of MM messages triggers the transmission of SA messages and SA’s reception triggers transmission of CA messages. We do not consider error-correction codes, and we consider that the link layer reliability mechanism operates in transparent mode.
The probability of retransmission is as mentioned in (12). The average delay for transmitting successfully an th LR-AKE packet is analogous to the one for MIP expressed in (13). The total LR-AKE delay is
(16)
where is the total number of LR-AKE messages necessary to establish the session key between clients and servers.
Concerning the exchanges between AAAH and AAAF, we need to consider the exchange of random numbers and the exchange of AMR and AMA messages. This delay is denoted which takes . The transmission delay of messages exchanged between HA and AAAH is considered negligible as AAAH and HA are assumed to be collocated in the same domain.
The total security delay for registrations to HA is
(17)
For registrations to CN, once LR-AKE is performed, the paths between HAs and the direct path MN-CN are secured with the establishment of session keys and . The key establishment between HAs takes which we consider proportional to Internet delay. The key establishment between MN-CN takes which is the addition of the transmission delay of each necessary message involving (13).
The total security delay for registrations to CN is
(18)
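The loss, retransmission and backoff quantities described in Sections VII-A and VII-B, combined into an expected transaction delay as an added Python example (not the paper's code). Equations (10)-(13) are not reproduced on this page, so the formulas below are reconstructed from the prose and the averaging over attempts is an assumption; the frame counts and the 1 s initial timer are constructed sample values, while the 10 ms delay, 1 ms interframe time and 7 transmissions are the values given in Section VIII.

```python
"""Transmission-delay model reconstructed from the prose of Section VII-A."""


def packet_loss(p: float, k: int) -> float:
    """A packet of k frames is lost if any frame is in error (frame error rate p)."""
    return 1.0 - (1.0 - p) ** k


def retransmission_prob(p: float, k_req: int, k_resp: int) -> float:
    """Request lost, or request received but response lost."""
    return 1.0 - (1.0 - p) ** (k_req + k_resp)


def backoff_timer(i: int, t1: float) -> float:
    """Timer armed after the i-th transmission; it doubles each time."""
    return t1 * 2 ** (i - 1)


def message_delay(k: int, d: float, tau: float) -> float:
    """Assumed form: propagation delay d plus (k - 1) interframe gaps tau."""
    return d + (k - 1) * tau


def expected_backoff_wait(q: float, t1: float, n_max: int) -> float:
    """Mean time spent waiting on timers, given success within n_max attempts.

    Success on attempt i has probability q**(i-1) * (1-q) and is preceded by
    the timers of attempts 1..i-1 expiring in full.
    """
    if not 0.0 <= q < 1.0:
        raise ValueError("retransmission probability must be in [0, 1)")
    weighted, waited = 0.0, 0.0
    for i in range(1, n_max + 1):
        weighted += q ** (i - 1) * (1.0 - q) * waited
        waited += backoff_timer(i, t1)
    return weighted / (1.0 - q ** n_max)


def transaction_failure(q: float, n_max: int) -> float:
    """Probability that all n_max transmissions fail and the handover stalls."""
    return q ** n_max


def mean_transaction_delay(p, k_req, k_resp, d, tau, t1, n_max):
    """Expected delay of one request/response exchange over the wireless link."""
    q = retransmission_prob(p, k_req, k_resp)
    return (expected_backoff_wait(q, t1, n_max)
            + message_delay(k_req, d, tau)
            + message_delay(k_resp, d, tau))


def sweep(fers=(0.0, 0.01, 0.05, 0.10), k_req=2, k_resp=2,
          d=0.010, tau=0.001, t1=1.0, n_max=7):
    """Delay versus FER. k_req, k_resp and t1 are constructed sample values."""
    rows = []
    for p in fers:
        q = retransmission_prob(p, k_req, k_resp)
        rows.append((p, q, mean_transaction_delay(p, k_req, k_resp,
                                                  d, tau, t1, n_max)))
    return rows


if __name__ == "__main__":
    for p, q, delay in sweep():
        print(f"FER={p:5.2%}  P(retx)={q:6.4f}  mean delay={delay * 1000:8.1f} ms")
```

Because each timer is far larger than the per-message propagation term, even a few percent of retransmissions dominates the mean, which matches the section's later remark that the retransmission timers are the crucial parameter.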
C. Queueing Delay
In this section, we determine the queueing delays of a MIP/LR-AKE message at the MR, the VMN, the HA, and the CN and the queueing delays of AAA messages at the AAA servers. We consider an M/M/1 queueing model at the MR, at the VMN, at the HA, and at the AAA servers. We consider an M/G/1 model for CN because while VMN, MR, and HA perform dedicated tasks, the CN may be serving a variety of non-MIP related tasks with a general service distribution time. We assume that multiple MRs and VMNs are served by HAs and the AAA servers. So, the MIP message arrival rate at the MR and at the VMN is a fraction of the message arrival rate at the HA and at the AAA servers .
Using results from the queueing theory [21], the average queueing delay at the MR and at the VMN follow the same expression:
(19)
where is service rate of the MIP message at MR and at the VMN. The average queueing delays at the HA and at the AAA servers follow the same expression:
(20)
where is the HA’s load and the AAA’s loads.
The queueing delay at the CN is the following:
(21)
where is the load at the destination for non-MIP messages, is the service rate of MIP messages at the destination. The value equals , where and are the second moments of and the service rate of non-MIP messages at the CN , respectively.
The overall average queueing delay for registrations to the HA is the following:
(22)
where is the total number of necessary messages processed by MR for registration to the HA, is the number of messages going through HA, and is the number of messages processed by the AAA servers during the registration.
The overall average queueing delay for registrations to the CN is the following:
(23)
where is the total number of necessary messages to perform the registration (i.e., number of messages necessary for MIPv6 and LR-AKE), is the number of messages going through HA, and is the number of messages processed by the CN.
D. En/Decryption Delay
To evaluate the en/decryption delay, we use measurements obtained with OpenSSL running on a Windows XP platform of a handheld device VAIO type U 1 GHz. The RSA encryption used in LR-AKE needs to perform 16 modular squarings and one modular multiplication when . As a modular squaring can be considered as a modular multiplication, the RSA encryption involves thus 17 multiplications which takes 0.0004 s on our test terminal. Due to the precomputation involved of LR-AKE, only one multiplication needs to be performed during the handover which takes 23.5 µs.
Also, Advanced Encryption Standard (AES) in counter mode is used to encrypt the BUs, the BAs, and random numbers exchanged between AAA servers and the AAA messages. On the test terminal, we obtain for AES in CBC⁴ mode 0.04 µs per byte. We multiply this by the amount of data (in bytes) to be encrypted, and we obtain the encryption delay.
E. Handover Delay Expressions
The handover delay is the cumulative delay due to the transmission⁵ of MIPv6, LR-AKE, and AAA messages, the queueing, and the en/decryption. Therefore, the average handover delay is as follows:
(24)
VIII. NUMERICAL RESULTS
In this section, we present results based on the previous analysis. This section presents the results of the average handover delay for MIPv6-AAA proposed procedure for NEMO. The number and the size of the messages exchanged affect the average handover delay. For the evaluation, the approximate size for each MIP message is obtained from [1]. The number of frames is needed in each case and we take into consideration a channel with 128 kb/s. The values of the delay and the interframe time are set, respectively, 10 and 1 ms. The delay from AR to HA or from AAAH and AAAF or from and is set to 100 ms. For MIPv6, the maximum number of transmissions is set to 7 and the values of the fixed backoff timers are obtained from [1].
Concerning the queueing delay, we assume that the handover message arrival rate is and that the service rate at the HA and the AAA servers are the same (i.e., ). Also, we assume . For the results considering a varying FER, the MIP message arrival rate at the MR, and at the VMN are assumed to be . For the results considering a varying , the FER is kept constant at 1%. The other system parameters values are given in Tables I and II.
The average handoff delay is evaluated at various FER between 0%–10%.
The proportion of handover delay that is due to the queueing and encryption is relatively small compared with the transmission delays: 115 µs for encryption and 9 ms for queueing. As shown in Figs. 5 and 7, the main contributors in the handover delay are the transmission delays of MIPv6, AAA, key establishment, and LR-AKE messages to perform the handover securely. The handover delay for registrations to CN is 200 ms shorter due to a shorter security procedure that does not involve AAA messages.
⁴ As counter mode is not yet available in OpenSSL, we used the results obtained with CBC mode, which is almost the same or a bit slower than counter mode.
⁵ The Internet delay is included in the transmission delay.
TABLE I. SIZE AND NUMBER OF FRAMES FOR MESSAGES SENT OVER THE WIRELESS LINK
TABLE II. BACKOFF TIMER INTERVALS FOR LR-AKE AND FOR MIPV6 [1]
Fig. 5. Handover delay induced by secure registration to HA for MR and for VMN versus FER.
Fig. 6. Handover delay induced by secure registration to HA for MR and for VMN versus handover messages arrival rates.
Fig. 7. Handover delay induced by secure registration to CN for VMN versus FER.
To encompass the scenario with higher HA load, we compute the handover delay as a function of the message arrival rate. Fig. 6 shows how little the message arrival rate affects the handover delay. It is on the order of 10 ms for message arrival rate increasing from 50 requests/s to 250 requests/s. So the queueing delays are not the dominant factors.
The handover delay obtained for registrations to CN and to HA even for low FER is too high to provide session continuity for stringent applications like VoIP. It could provide session continuity for video sessions if an appropriate buffer is implemented and proactive measures are taken. The crucial parameters to minimize the handover delay are the retransmission timers that are too generous in the specifications of MIPv6, the retransmission mechanisms, and the number and size of messages exchanged. This can be further improved in the future.
IX. CONCLUSION
In this paper, we have proposed and evaluated a new and secure architecture to achieve AAA and handovers for NEMO comprising MRs and VMNs. The handover mechanism proposed is based on MIPv6 and LR-AKE, and protects against classical attacks and leakage of stored secrets. We have analyzed the security of the proposed architecture. We have evaluated the handover delay of the proposed procedure depending on the FER in the wireless link and the server’s load to show the impact of the enhanced security. The main contributors in the handover delay have been considered: transmission, queueing, and encryption processes. The heaviest contributor is the transmission delay due to exchanges of MIPv6 messages and LR-AKE messages through the wireless link, which can be highly erroneous. This can be improved by using fast-handoff and hierarchical MIPv6. LR-AKE and the proposed architecture can easily be transposed in such optimization techniques. On the other hand, the use of link-layer retransmission coupled with appropriate retransmission timers may significantly improve the handover delay even for fast or hierarchical handoff mechanisms.
Moreover, to improve the analytical model used here, one could evaluate the handover delay using a more complex model for correlated errors. Our analytical results will also be compared with measurement results in the future.
REFERENCES
[1] D. Johnson, C. Perkins, and J. Arkko, “Mobility support in IPv6,” IETF, RFC 3775, Jun. 2004.
[2] V. Devarapalli, R. Wakikawa, A. Petrescu, and P. Thubert, “Network mobility (NEMO) basic support protocol,” IETF, RFC 3963, Jan. 2005.
[3] A. Petrescu, A. Olivereau, C. Jeanneteau, and H.-Y. Lach, “Threats for basic network mobility support (NEMO threats),” IETF Internet Draft: draft-petrescu-nemo-threats-01.txt, Jan. 2004, expired.
[4] S. Kent and R. Atkinson, “Security architecture for the Internet protocol,” RFC 2401, Nov. 1998.
[5] S. Jung, F. Zhao, S. F. Wu, and H. Kim, “Threat analysis on network mobility (NEMO),” in Lecture Notes in Computer Science. New York: Springer-Verlag, 2004, Proc. ICICS.
[6] M. Calderon, C. Bernados, M. Bangulo, and I. Soto, “Securing route optimization in NEMO,” in Proc. 3rd Int. Symp. Modeling and Optimization in Mobile, Ad Hoc, Wireless Netw., Apr. 2005, pp. 248–254.
[7] S. Shin, K. Kobara, and H. Imai, “A simple leakage-resilient authenticated key establishment protocol, its extensions and applications,” IEICE Trans. Fundamentals, vol. E88-A, no. 3, pp. 736–754, Mar. 2005.
[8] S. Shin, K. Kobara, and H. Imai, “Leakage-Resilient Authenticated Key Establishment Protocols,” in Lecture Notes in Computer Science. New York: Springer-Verlag, 2003, Proc. ASIACRYPT, pp. 155–172.
[9] S. Zrelli, T. Ernst, J. Bournell, G. Valadon, and D. Binet, “Access control architecture for nested mobile environments in IPv6,” in Proc. 4th Conf. Security and Network Architecture (SAR), Jun. 2005, pp. 115–126.
[10] C. Perkins, “Mobile IP joins forces with AAA,” IEEE Pers. Commun., pp. 59–61, Aug. 2000.
[11] P. Engelstad, T. Halselstad, and F. Paint, “Authentication access for IPv6 supported mobility,” in Proc. ISCC 2003, 2003, pp. 569–576.
[12] B. Lee, D. Choi, H. Kim, S. Sohn, and K. Park, “Mobile IP and WLAN with AAA authentication protocol using identity-based cryptography,” in Proc. ICT 2003, 2003, pp. 597–603.
[13] ETSI, Ts 122 105, Release 6 ETSI, Tech. Rep., 2005.
[14] ——, Ts 10129-2, Release 1.3.0 ETSI, 3GPP, Tech. Rep., 2002.
[15] D. Harkins and D. Carrel, “The Internet key exchange (IKE),” IETF, RFC 2409, Nov. 1998.
[16] R. Perlman and C. Kaufman, “Analysis of the IPSec key exchange standard,” in Proc. WET ICE 2001, E. Security, Ed., 2001, pp. 120–131.
[17] C. Kaufman, “Internet key exchange (IKEv2) protocol,” IETF, RFC 4306, Dec. 2005.
[18] S. Halevi and H. Krawczyk, “Public-key cryptography and password protocols,” ACM Trans. Inf. Syst. Security, vol. 2, no. 3, pp. 230–268, 1999.
[19] S. Shin, K. Kobara, and H. Imai, “Efficient leakage-resilient authenticated key transport protocol based on RSA,” in Lecture Notes in Computer Science. New York: Springer-Verlag, 2005, Proc. ACNS, pp. 269–284.
[20] ——, “A lower bound of complexity of RSA-based password-authenticated key exchange,” in Lecture Notes in Computer Science. New York: Springer-Verlag, 2005, Proc. EuroPKI 2005, pp. 191–205.
[21] L. Kleinrock, Queuing Systems Vol. I Theory, W. N. York, Ed. New York: Wiley, 1975.
Hanane Fathi (S’05–M’06) received the M.S. degree in electrical engineering from Aalborg University, Aalborg, Denmark, and the Telecommunications
Engineering Diploma at Ecole Centrale d’Electronique of Paris, Paris, France, both in 2002. She received the Ph.D. degree in wireless communications
from the Center for TeleInfrastruktur at Aalborg University in 2006.
She is currently working at the AIST Research
Center for Information Security, Tokyo, Japan.
Her research interests include VoIP over wireless
networks, mobility management, authentication schemes, and wireless security.
SeongHan Shin received the B.S. and M.S. degrees
in computer science from Pukyong National University, Busan, Korea, in 2000 and 2002, respectively,
and the Ph.D. degree in information and communication engineering, information science and technology
from the University of Tokyo, Tokyo, Japan, in 2005.
From October 2005 to March 2006, he was
with the Institute of Industrial Science, University of Tokyo as a Postdoctoral Researcher. Since
December 2005, he has been with the Research
Center for Information Security, National Institute
of Industrial Science and Technology, Japan, as a Researcher of the Research
Team for Security Fundamentals. His research interests include information
security, cryptography and wireless security.
Dr. Shin received the CSS Student Paper Award and the IWS 2005/WPMC
2005 Best Student Paper Awards in 2003 and 2005, respectively.
Kazukuni Kobara received the B.E. degree in electrical engineering and the M.E. degree in computer
science and system engineering from the Yamaguchi
University, Yamaguchi, Japan, in 1992 and 1994, respectively, and the Ph.D. degree in engineering from
the University of Tokyo, Tokyo, Japan, in 2003.
From 1994 to 2000 and 2000 to 2006, he was
a Technical Associate and a Research Associate,
respectively, at the Institute of Industrial Science,
University of Tokyo. In 2006, he joined the Research
Center for Information Security, National Institute
of Advanced Industrial Science and Technology, where he is now Chief
Researcher. His current research interests include cryptography, information
and network security.
Dr. Kobara is a member of the Institute of Electronics, Information and Communication Engineers (IEICE) of Japan and IACR. He received the SCIS Paper
Award and the Vigentennial Award from the ISEC Group of IEICE, in 1996
and 2003, respectively. He also received the Best Paper Award of WISA, the
ISITA Paper Award for Young Researchers, and the IEICE Best Paper Award
(Inose Award) in 2001, 2002, and 2003, respectively. He served as a member of
CRYPTREC (2000–present) and the Vice Chairperson of the WLAN Security
Committee of Japan (2003).
Shyam S. Chakraborty received the M.Tech.
degree from the Indian Institute of Technology
(IIT), Delhi, and the Licentiate of Technology and
the Doctor of Science (Technology) from Helsinki
University of Technology, Helsinki, Finland.
He has been a Visiting Professor at the Asian
Institute of Technology, Guest Professor at Aalborg
University, and Guest Researcher at TU-Berlin. He
is a Guest Editor of the IETE Journal of Research
(Special Issue on Protocols for Resource, Link
and Mobility Management). He joined Ericsson
Corporate Research in Finland in 2005. He is a Docent to the Department
of Electrical and Computer Engineering, Helsinki University of Technology.
His research interests are modeling and performance analysis of protocols,
multihop networks, diversity combining, link, mobility, signaling and security
management, VoIP in wireless systems, etc.
Dr. Chakraborty is a recipient of the Academy Fellowship from the Academy
of Finland (2000). He is Guest Editor of the IEEE JOURNAL ON SELECTED
AREAS IN COMMUNICATIONS (Special Issue on Multihop Wireless Mesh Networks) and General Co-Chair of the Workshop “Meshnets,” 2005.
Hideki Imai (M’74–SM’88–F’92) was born in
Shimane, Japan, on May 31, 1943. He received
the B.E., M.E., and Ph.D. degrees in electrical
engineering from the University of Tokyo, Tokyo,
Japan, in 1966, 1968, and 1971, respectively.
From 1971 to 1992, he was on the faculty of
Yokohama National University. In 1992, he joined
the faculty of the University of Tokyo, where he is
currently a Full Professor in the Institute of Industrial
Science. Concurrently, he serves as the Director of
Research Center for Information Security, National
Institute of Advanced Industrial Science and Technology. His current research
interests include information theory, coding theory, cryptography, and information security.
Dr. Imai received the Best Book Awards in 1976 and 1991, Best Paper
Awards in 1992, 2003, and 2004, the Yonezawa Memorial Paper Award in
1992, the Achievement Award in 1995, the Inose Award in 2003, and the Distinguished Achievement and Contributions Award in 2004, from the Institute
of Electronics, Information and Communication Engineers (IEICE). He also
received the Golden Jubilee Paper Award from the IEEE Information Theory
Society in 1998, and Official Commendations from the Minister of Internal
Affairs and Communications in June 2002, and from the Minister of Economy,
Trade and Industry in October 2002. He was awarded the Honor Doctor Degree
by Soonchunhyang University, Korea, in 1999, and the Docteur Honoris Causa
by the University of Toulon Var, France, in 2002. He is also the recipient of
the Ericsson Telecommunications Award 2005. He is a member of the Science
Council of Japan. He was elected an IEICE Fellow in 2001. He has chaired
many committees of scientific societies and organized a number of international
conferences. He served as the President of the Society of Information Theory
and Its Applications in 1997, of the IEICE Engineering Sciences Society in
1998, and of the IEEE Information Theory Society in 2004. He is currently the
Chair of the Cryptography Techniques Research and Evaluation Committee
of Japan (CRYPTREC).
Ramjee Prasad (M’88–SM’90) was born in
Babhnaur (Gaya), Bihar, India, on July 1, 1946.
He received the B.Sc. degree in engineering from
the Bihar Institute of Technology, Sindri, India, the
M.Sc. degree in engineering and the Ph.D. degree
from the Birla Institute of Technology (BIT), Ranchi,
India, in 1968, 1970, and 1979, respectively.
Since June 1999, he has been with Aalborg
University, Aalborg, Denmark, where he is currently
Director of the Center for Teleinfrastruktur (CTIF),
and holds the Chair of Wireless Information and
Multimedia Communications. He is a project leader of several international,
industrially funded projects. He is the Coordinating Editor and Editor-in-Chief
of the Springer International Journal on Wireless Personal Communications
and a member of the editorial board of other international journals. He has
published over 500 technical papers, contributed to several books, and has
authored, coauthored, and edited 16 books.
Dr. Prasad has received several international awards; the latest being the Telenor Nordic 2005 Research Prize (website: http://www.telenor.no/om/). He is
Coordinator of the European Commission Sixth Framework Integrated Project
MAGNET (My personal Adaptive Global NET). He was involved in the European ACTS project FRAMES (Future Radio Wideband Multiple Access Systems) as a DUT Project Leader. He is also the founding Chairman of the European Center of Excellence in Telecommunications, known as HERMES, and
he is now Honorary Chair. He is a Fellow of IEE, a Fellow of IETE, a member
of The Netherlands Electronics and Radio Society (NERG), and a member of
IDA (Engineering Society in Denmark). He is advisor to several multinational
companies. He has served as a member of advisory and program committees of
several IEEE international conferences.