Fast certificate-based authentication scheme in multi-operator maintained wireless mesh networks

Levente Buttyán, László Dóra, Fabio Martinelli, Marinella Petrocchi
2010, Computer Communications
In this paper, we consider QoS aware mesh networks that are maintained by multiple operators who cooperate in the provision of networking services to the mesh clients. In order to support mobile users and seamless handover between the access points, the authentication delay has to be reduced. Many proposed fast authentication schemes rely on trust models that are not appropriate in a multi-operator environment. In this paper, we propose two certificate-based authentication schemes such that the authentication is performed locally between the access point and the mesh client. We assume that the access point is always a constrained device, and we propose different mechanisms for mesh clients with different computational performance. For constrained devices, we propose a mechanism where weak keys are used for digital signatures to decrease the latency of the authentication. The authenticity of the weak keys is provided by short-term certificates issued by the owner of the key. The short-term certificate carries a digital signature generated by the owner's long-term key. We prove formally that the use of our weak key mechanism on the mesh client side is as secure as the use of some stronger keys. We perform a detailed performance evaluation on our proof-of-concept implementation, and we also compare our solution to the current standard methods.

paper, we refer to such networks shortly as the EU-MESH network. The EU-MESH network consists of mesh routers that form a static wireless ad hoc network. Some of the mesh routers function as gateways to the wired Internet, and some of them function as wireless access points (AP) where mobile mesh clients can connect to the network. The sets of gateways and APs can overlap, and they do not necessarily cover the entire set of mesh routers. We envision that the mesh routers are potentially operated by multiple operators, and they cooperate in the provision of networking services to the mesh clients. This cooperation is based on business agreements (similar to roaming agreements in the case of cellular networks). Mesh clients (MC) are mobile computing devices (laptops, PDAs, etc.) operated by customers. Customers may be associated with one or more operators by contractual means and have the ability to roam to the rest of the cooperating operators, if necessary. We assume that MCs connect to APs directly (i.e., MCs are one hop away from the mesh network).
MCs use the services provided by the mesh network in order to run various applications. Typically, MCs use the mesh network to access the Internet. The mesh network supports QoS-based applications and mobility of the MCs. QoS services may have requirements on the length of the interruptions in the communication that they can tolerate. When an MC moves from one AP to another, it has to re-authenticate itself as part of the handover process. Before a successful authentication process, the MC should not be allowed to access the network (otherwise, it could exploit the free short-term access by changing APs and gaining access without authentication). Thus, the re-authentication delay must be minimized in order to ensure that the interruption caused by the handover remains tolerable for the applications.

In this paper, we focus on the MC re-authentication process in EU-MESH networks. Furthermore, we consider the problem of setting up a connection key between the MC and the AP that is used for the continuous enforcement of some access control policy in the network. Although the problem of fast authentication has been studied before [1], the proposed schemes rely on trust models that are not appropriate in a multi-operator environment. Our main contribution is that we propose a fast authentication scheme applicable in the case of a multi-operator environment.

Requirements

The main requirements for authentication and access control enforcement in a QoS aware multi-operator maintained mesh network can be categorized into two groups: one concerning the authentication method and another related to the establishment of the connection keys for the access control enforcement.

Requirements on the authentication method between mesh client and access point:

• Fast authentication method to support user mobility: As a main requirement, the authentication method has to support mobility of mesh clients
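As an added example, not code from the paper, the two-level mechanism described in the abstract in Go: the mesh client's long-term key signs a short-term certificate for a smaller, short-lived signing key ahead of time, and at handover the AP verifies the certificate signature, its expiry and the weak-key signature over its challenge locally, with no operator round trip. The curve sizes (P-384 long-term, P-224 short-lived), the certificate fields and the nonce are assumptions for this example, not the paper's formats.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// ShortTermCert: the owner's long-term key vouches for a weak key for a short window (assumed layout).
type ShortTermCert struct {
	WeakPub  *ecdsa.PublicKey // weak key used for the per-handover signature
	NotAfter time.Time        // a weak key is only acceptable while short-lived
	Sig      []byte           // ASN.1 ECDSA signature by the owner's long-term key
}
// certDigest is what the long-term key signs: the weak public key plus its expiry.
func certDigest(c *ShortTermCert) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%x|%x|%s", c.WeakPub.X, c.WeakPub.Y, c.NotAfter.UTC().Format(time.RFC3339))
	return h.Sum(nil)
}
// IssueShortTermCert runs on the mesh client ahead of time, off the handover path.
func IssueShortTermCert(longTerm, weak *ecdsa.PrivateKey, ttl time.Duration) (*ShortTermCert, error) {
	c := &ShortTermCert{WeakPub: &weak.PublicKey, NotAfter: time.Now().Add(ttl)}
	sig, err := ecdsa.SignASN1(rand.Reader, longTerm, certDigest(c))
	c.Sig = sig
	return c, err
}
// SignChallenge is the per-handover operation: one cheap signature with the weak key.
func SignChallenge(weak *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, weak, d[:])
}
// VerifyHandover is the AP's local check: cert signature under the owner's long-term key, expiry, then the challenge signature.
func VerifyHandover(ownerPub *ecdsa.PublicKey, c *ShortTermCert, challenge, sig []byte, now time.Time) bool {
	if !ecdsa.VerifyASN1(ownerPub, certDigest(c), c.Sig) || now.After(c.NotAfter) {
		return false
	}
	d := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(c.WeakPub, d[:], sig)
}
func main() {
	longTerm, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) // owner's long-term key
	weak, _ := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)     // smaller, short-lived key
	cert, _ := IssueShortTermCert(longTerm, weak, 10*time.Minute)
	sig, _ := SignChallenge(weak, []byte("constructed AP nonce")) // constructed sample challenge
	fmt.Println("handover accepted:", VerifyHandover(&longTerm.PublicKey, cert, []byte("constructed AP nonce"), sig, time.Now()))
}
```

The AP only ever needs the owner's long-term public key and the clock; rejecting an expired certificate is what bounds the exposure of the weaker key.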
doi:10.1016/j.comcom.2010.01.014