Local Fast Re-authentication Protocol for 3G-WLAN ... - IEEE Xplore

Download PDF
3 downloads 274003 Views 455KB Size Report
Comment
Many advantages are attained by integrating 3G and WLAN systems to form a 3G-WLAN interworking architecture. However, securing the architecture is a.
Local Fast Re-authentication Protocol for 3G-WLAN Interworking Architecture Ali Al Shidhani and Victor C.M. Leung Department of Electrical and Computer Engineering University of British Columbia, Vancouver, Canada {alia, vleung}@ece.ubc.ca

Abstract Many advantages are attained by integrating 3G and WLAN systems to form a 3G-WLAN interworking architecture. However, securing the architecture is a great challenge because of the number of vulnerabilities introduced. EAP-AKA is the authentication solution adopted by the 3GPP to secure accesses to 3G-WLAN architectures. Two types of EAP-AKA authentication are available, full authentication and fast re-authentication. This paper presents a localized fast re-authentication protocol to substitute the standard fast re-authentication protocol. The proposed protocol achieves faster reauthentication by locally performing the authentication procedure. A new keying framework is introduced to minimize authentication delays during re-authentication and handover operations.

EAP-Authentication and Key Agreement (EAPAKA) is the authentication method adopted to authenticate a WLAN-UE in a 3G-WLAN interworking environment [1][3]. It relies on preshared secrets held by the WLAN-UE and the 3G home network. Two types of authentication are supported by EAP-AKA, full authentication and fast re-authentication. The full authentication protocol is shown in Figure 1.

1. Introduction Third generation mobile systems (3G) and wireless local area networks (WLANs) complement each other in terms of bandwidth, cost and service coverage. Therefore 3G-WLAN interworking is being widely considered by service providers. However, 3G-WLAN interworking introduces new security challenges and problems. Solutions to these problems are published as technical specifications [1] by the Third Generation Partnership Project (3GPP). Per the specifications [1], the WLAN user equipment (WLAN-UE) must be authenticated by the 3G home network using an authentication procedure involving servers in the 3G home network including the Home Authentication, Authorization and Accounting (HAAA) server, Home Location Registry (HLR) and Home Subscriber Server (HSS). Authentication information is exchanged via the Extensible Authentication Protocol (EAP) [2] using authentication, authorization and accounting (AAA) messages.

1-4244-0697-8/07/.00 ©2007 IEEE.

Figure 1. EAP-AKA full authentication protocol The ultimate goal of EAP-AKA in 3G-WLAN interworking is to authenticate the WLAN-UE and to derive new security keys. The WLAN-UE and the HAAA exchange series of EAP messages to request/respond authentication-related information. EAP messages might traverse multiple networks and AAA proxy servers on its way to the destination. HAAA communicates with the HLR/HSS to obtain essential security keys and information known as Authentication Vector (AV). On successful authentication, several keys are derived by the HAAA and the WLAN-UE; the important key among them is the Master Session Key (MSK).

The HAAA forwards this key to the access point (AP) in association with the WLAN-UE. The WLANUE and the AP use MSK to derive a new session key, known as the Transient Session Key (TSK), to be used to secure data link communications between them. TSK is derived from MSK using the 4-way handshake protocol introduced in the IEEE 802.11i standard [4]. EAP-AKA supports a relaxed version of full authentication called fast re-authentication. Fast reauthentication is either periodically triggered or activated when a WLAN-UE associates with a new AP. In fast re-authentication, the HAAA does not need to retrieve a new set of AV from the HLR/HSS, but reuses the previously received AV to derive a new set of keys including a new MSK. The total authentication delay is reduced by the amount of time it takes the HAAA to retrieve AV from the HLR/HSS. It is essential to reduce the time it takes to re-authenticate the WLAN-UE. That is because the quality of service (QoS) experienced by real-time applications running on the WLAN-UE is highly affected by the reauthentication delay. Therefore, re-authentication delays must be minimized as much as possible. Figure 2 illustrates the fast re-authentication protocol in EAPAKA.

Figure 2. EAP-AKA fast re-authentication protocol Although fast re-authentication performs better than full authentication in terms of delay, the WLAN-UE is still authenticated by the HAAA located in the 3G home network. The communication link between the WLAN AAA server (WAAA) and HAAA could experience long delays if multiple AAA proxy servers separate the two networks.

In practice, the HAAA is always busy answering authentication requests from other WLAN-UEs. As a result, additional delays are introduced. In summary, WAAA-HAAA link delay and HAAA processing delay significantly increase the total authentication delay of fast re-authentication. In this paper, we propose a new re-authentication protocol that delegates WLAN-UE authentication procedure to the WAAA instead of the HAAA. Hence, WAAA-HAAA link delay and HAAA processing delay is completely removed from the total authentication delay. In our proposal, the HAAA gives the WAAA proper privileges to locally authenticate the WLAN-UE. To realize this, we extend the EAPAKA key hierarchy and modify the full EAP-AKA authentication. Our proposal performs better than the standard fast re-authentication protocol in terms of reauthentication delay, and is capable of offering a better QoS for delay-sensitive wireless applications. Section 2 explains the proposed protocols. Sections 3 and 4 analyze and discuss the security and delay performance of the proposal. Section 5 concludes the paper.

2. Proposed Solution To further reduce re-authentication delays, we propose that the HAAA delegates WLAN-UE’s authentication to the WAAA. This is done by giving WAAA proper privileges to locally authenticate WLAN-UEs and generate fresh keys. To achieve this goal, we propose an extension to the key hierarchy adopted by EAP-AKA in 3G-WLAN interworking [3][5]. The standard key hierarchy along with the proposed extensions are shown in Figure 3. The full authentication protocol in EAP-AKA must be modified as a result of the modifications to the key hierarchy. These modifications provide the required platform to design a new re-authentication protocol. The new protocol proposed in this paper is named “Local Fast Re-authentication protocol (LFR)”. Delegating the authentication operation to an authentication broker close to the client has been considered in [6][7][8]. These previous proposals had different scopes and experienced some limitations. The proposal of Kim et al. [6] used AAA messages to reduce authentication delays and was specific to 3G cellular networks. The protocol did not address key generation and management operations. Lee et al. [7] suggests modifying the 3G-WLAN architecture by adding a location-aware service platform. The new platform includes location aware service brokers that perform pre-authentication depending on the location of the client.

trust agreement. The HAAA only needs to verify the DC of the WAAA it is communicating with. WAAA public key can be extracted from the DC and used by the HAAA to encrypt confidential messages. x A WAAA controls multiple APs, forming what is known as a “WLAN domain” in this paper. The WAAA and all APs in its WLAN domain must share a long term SA as well.

Figure 3. Key hierarchy of (a) standard EAP-AKA (b) proposed extensions In [8], a localized authentication protocol for 3GWLAN interworking systems was proposed. The proposed protocol used EAP-Transport Layer Security (EAP-TLS) and EAP-Tunneled Transport Layer Security (EAP-TTLS) instead of the recommended EAP authentication method for 3G-WLAN authentication, EAP-AKA. The disadvantage of that is the need for WLAN-UEs to hold digital certificates (DCs). Furthermore, certificate based authentication could add extra processing delays in resource-limited wireless devices. LFR differs from these protocols because it does not require modifications to the existing 3G-WLAN infrastructure nor using authentication method other than the recommended EAP-AKA. It also differs from the standard EAPAKA fast re-authentication because it achieves localized, faster and secured re-authentication with efficient key management.

2.1 Assumptions Before discussing the extensions to the key hierarchy and the details of the LFR protocol, some general assumptions introduced by the proposed protocol are outlined. x The HAAA and all WAAAs must have roaming and trust agreements. Long term security associations (SAs) must be maintained between them. The SA can either be established based on a shared secret key or a pair of public/private keys. Since a single HAAA is responsible for many WAAA, it is recommended that both parties use public key cryptography to exchange private messages. The advantage of public key cryptography is that the HAAA does not need to maintain a shared secret key for every WAAA. Public key cryptography can be implemented by simply issuing a Digital Certificates (DC) for each WAAA when signing the

x WAAA and WLAN-UE must maintain an R_Counter that indicates the number of times reauthentications have been performed. Both entities increment the R_Counter after every successful reauthentication. The 3G network operator decides on the maximum value of the R_Counter. The counter is reset to the assigned initial value after a successful full EAP-AKA authentication.

2.2. Proposed extensions to the key hierarchy In EAP-AKA, both EAP peers (i.e., WLAN-UEs) and EAP server (i.e., HAAA) must generate MSK, EMSK and TEK based on the full EAP-AKA authentication protocol. TEK is used to derive the K_auth and K_encr keys that are used to preserve the integrity and confidentiality of EAP messages during authentication. MSK is transported by the HAAA to the AP to be used in generating a TSK; see Figure 1. EMSK usage is not specified. In fast re-authentication, the WLAN-UE and HAAA utilizes MKAKA and counter values to generate a fresh set of MSK and EMSK; see Figure 2. In our proposal, we extended the usage of MSK and EMSK to derive additional keys to achieve faster localized authentication. MSK and EMSK in the extended key hierarchy are used to generate WLAN domain-level keys specific to a WLAN domain. These keys are used further to derive WLAN local-level keys to be used locally within the WLAN domain. Local-level keys are used to derive TSKs. Therefore, MSK is considered as the root key for re-authentication operations. Since EMSK is not used by EAP-AKA, we propose using it to achieve secured fast handovers. Therefore, EMSK becomes the root key for handover operations. Handover protocols and keys derived from the new key hierarchy will not be discussed in this paper. The advantage of separating re-authentication keys from handover keys is to give the 3G service provider more control on different security parameters. The service provider can set filters based on the lifetime of re-authentication and handover keys. These filters aid in enforcing service policies.

authentication

x Generation of a Nonce by the WLAN-UE. The Nonce is included in the EAP Response/AKA challenge messages.

Modifications to the EAP-AKA full authentication protocol are required as a result of the extensions in the key hierarchy. Details of the modifications are as follows. x Five keys are generated from MSK and EMSK.

x Generation of a next re-authentication ID to be used by the WLAN-UE. The ID is generated by the HAAA and delivered to the WLAN-UE and the WAAA. This ID is used by the WLAN-UE on the next re-authentication procedure. In contrary to the standard EAP-AKA full authentication, the generation of the next re-authentication ID is a must in our proposal.

2.3 Modifications to full protocol in EAP-AKA

a. The root re-authentication key for a specific WLAN domain, DRK, is derived from the MSK by the HAAA and the WLAN-UE only. Both nodes use a special pseudo random function (PRF) for this purpose. DRK is derived as follows. DRK = PRF(MSK || Nonce || WAAA ID || UEM), where Nonce is a random number generated by the WLAN-UE, WAAA ID is the identity of the WAAA, and UEM is the WLAN-UE MAC address. The key lifetime of DRK is shorter than MSK but it is larger than all its child keys. The key is securely delivered to the WAAA using the long term SA between the HAAA and WAAA. b. The local-level re-authentication key, LRK, is derived from DRK by the WAAA and the WLAN-UE only. It is generated as follows. LRK = PRF(DRK || R_Counter || AP ID || UEM), where R_Counter is the re-authentication counter maintained by the WLAN-UE and the WAAA. It is continuously incremented until it reaches maximum number of re-authentications allowed. AP ID is the identity of the AP that is going to receive this key. The key is securely delivered to the AP using the long term SA between the WAAA and the AP.

x Transporting DRK, DHOK and the next WLAN-UE re-authentication ID from the HAAA to the WAAA. x Transporting LRK by the WAAA to the AP. x Derivation of HOK, DHOK, DRK, LRK and KWAAA-UE by the WLAN-UE.

2.4. Local fast re-authentication (LFR) The proposed LFR protocol is invoked when the WLAN-UE is within the WLAN domain. Contrary to the standard fast re-authentication protocol in EAPAKA, authentication procedure is performed locally in LFR without the need to contact the HAAA. As a result, LFR protocol experiences less authentication delays than the standard re-authentication protocol. In LFR, the WAAA controls WLAN-UE authentication as long as the R_Counter value does not exceed its maximum limit and the keys are not expired. Figure 4 depicts the LFR protocol.

c. Handover root key (HOK) and domain level handover key (DHOK). HOK derivation is similar to the procedure used in [9]. DHOK derivation is similar to DRK derivation with the exception of using EMSK instead of MSK. Since handover operations are outside the scope of this paper, handover keys generation and usage are not discussed any further. d. A shared secret key KWAAA-UE to secure traffic exchanged between the WLAN-UE and the WAAA. The key is derived by the WLAN-UE and the WAAA only. The key is derived from DHOK and DRK as follows. KWAAA-UE = PRF(DHOK || DRK || WAAA ID || UEM). Key lifetime is pre-agreed upon between the WLAN-UE and the WAAA x Inclusion of the WAAA ID in Request/AKA-Challenge messages.

the

EAP

Figure 4. Local Fast Re-authentication (LFR) The proposed protocol proceeds as follows

1.

2.

3.

4.

Upon receiving the WLAN-UE re-authentication ID, the WAAA first checks if the received ID is valid and if so retrieves its corresponding DRK and KWAAA-UE. Secondly, the WAAA validates the key lifetime of DRK and KWAAA-UE. LFR is stopped if any of the keys are expired. Thirdly, the WAAA checks the value of the R_Counter to make sure that the number of re-authentications has not exceeded the assigned limit. If all checks are positive, the WAAA generates a new local reauthentication ID to be used in the next reauthentication, and sends an EAP Request/AKA re-authentication message to the WLAN-UE, which includes the new ID, the current R_Counter value and a new Nonce value (N) different from the one received in the full authentication. All these values are encrypted with KWAAA-UE. Additionally, the WAAA includes a Message Authentication Code (MAC) of the entire message calculated using N. Upon receiving the EAP Request/AKA reauthentication message, the WLAN-UE stores the new ID and verifies the R_Counter received. It calculates its own MAC using N and compares it with the received MAC. LFR is stopped if there are discrepancies in the R_Counter and MAC values. If all checks are positive, WLAN-UE replies to the request with an EAP Response message that includes R_Counter and a new MAC. The R_Counter in the message is encrypted with KWAAA-UE. The WAAA receives the EAP Response/AKA reauthentication message from the WLAN-UE and verifies that the received R_Counter and MAC values are correct. It then derives LRK from DRK. Finally the WAAA increments R_Counter and sends an EAP success message to the WLANUE. In addition, LRK is securely pushed to the AP using an AAA message and it is deleted from the WAAA database. Upon receiving the EAP success message, the WLAN-UE derives LRK from DRK and increments R_Counter.

The WLAN-UE and the AP use LRK and the 4-way handshake protocol in 802.11i to derive a fresh TSK.

3. Security Analysis This section analyzes the security of the proposed LFR protocol. The protocol achieves important security goals like WLAN-UE authentication, identity protection and secured key management.

3.1 WLAN-UE authentication In LFR, the WAAA challenges the WLAN-UE by sending R_Counter and N encrypted with KWAAA-UE in addition to a MAC. The WLAN-UE receives the challenge and responds with the same counter value and a new calculated MAC. The reception of correct counter and MAC values by the WAAA indicates the legitimacy of the WLAN-UE. Correctly received counter and MAC signify that the WLAN-UE holds a valid KWAAA-UE. That is because it was able to correctly decrypt the challenge and read R_Counter and N. This means that the WLAN-UE holds the correct DHOK and DRK which was initially derived from EMSK and MSK. This implicitly guarantees the authenticity of the WLAN-UE. On the other hand, the fact that TSK is successfully derived by the WLANUE and AP means that they both hold a valid LRK. This means that WLAN-UE and WAAA holds the same DRK. This reinforces the legitimacy of the WLAN-UE.

3.2 Identity protection The re-authentication ID used by the WLAN-UE is a one-timer identity. Therefore a new re-authentication ID must be received by the WLAN-UE after every (re-)authentication. The next re-authentication ID is confidentially received by the WLAN-UE via a full EAP-AKA authentication and in the proposed LFR protocol. In full authentication, the ID is encrypted with K_encr, which is held by the WLAN-UE and the HAAA only. In LFR, the ID is encrypted with KWAAA-UE, which is held by the WLAN-UE and the WAAA only. No other node has KWAAA-UE. This guarantees the confidentiality of the ID. ID confidentiality protects the system against identityrelated attacks.

3.3 Secured key management Key distribution and management is an essential part of our proposal. The WLAN-UE and the AP always install a fresh key at the end of every authentication. This key is then used to derive specific session keys for confidentiality and integrity services in the data link layer. The security of the key management scheme in our proposal is discussed in terms of key scope and distribution and key confidentiality and freshness. Key scope and distribution

The keys generated in our proposal have a limited scope, usage and distribution. No unnecessary distribution of keys takes place. This ensures that the keys will be held by the minimum number of nodes possible, and thus minimizes the chances of exposing them to attackers. This security goal is known as the principle of least privilege [10], which prevents against the “domino effect” problem. DRK and LRK are analyzed to prove their limited usage scope and to prove that they satisfy the principle of least privilege and prevent domino effect. Similar conclusions can be drawn regarding KWAAA-UE. x DRK is only generated by the HAAA and the WLAN-UE but it is specific to a WAAA and a WLAN-UE. This key can only be generated by the HAAA and the WLAN-UE because no other nodes have access to the MSK and the Nonce values used in the generation process. WAAA ID and UEM are also used to generate DRK, these values aids in limiting the scope and uniqueness of DRK to the WLAN-UE and the WAAA. As a result, no nodes other than the WLAN-UE and HAAA are able to derive the same DRK. To emphasize the principle of least privilege and to prevent domino effect, DRK is deleted from HAAA database after delivering it to the WAAA. x LRK is only generated by the WLAN-UE and the WAAA but it is specific to a WLAN-UE and the AP. LRK can only be generated by the WAAA and the WLAN-UE because no other node has access to R_Counter and DRK values used in the generation process. Note that DRK is deleted from HAAA database. AP ID and the UEM address are also used to generate LRK, these values aids in limiting the scope and uniqueness of LRK to the AP and the WLAN-UE. As a result, no node other than the WLAN-UE and its associated WAAA are able to derive the same LRK. To achieve the principle of least privilege, the WAAA must delete LRK once it is delivered to the AP. Key confidentiality and freshness No keys are transmitted in the clear. All keys in our proposal are delivered in an encrypted form. DRK and DHOK are securely transmitted to the WAAA using a long term SA between the HAAA and the WAAA. LRK is also encrypted with the long term SA between the WAAA and the APs when it is delivered. No keys are transmitted in the 802.11 link between the WLANUE and the AP.

All keys in our proposal are freshly generated. The modified full EAP-AKA authentication protocol results in generating a fresh DRK and DHOK. This is because of the inclusion of a new Nonce value in the key generation process. Since DHOK and DRK are fresh, KWAAA-UE is believed to be fresh as well. The proposed LFR protocol produces a fresh LRK on every re-authentication. This is because of the inclusion of R_Counter in the key generation process. R_Counter is continuously incremented by the WLAN-UE and the WAAA. Therefore, a new value of R_Counter is always fed into the PRF to generate a new LRK. R_Counter and Nonce values are always transmitted in an encrypted form to defend against reply attacks.

4. Performance Analysis This section compares the performance of the proposed LFR protocol with the fast re-authentication protocol in the EAP-AKA standard. The performance is measured based on the re-authentication delay, which is the difference in time between the start and the end of the EAP session. Two re-authentication delays are analyzed here, the standard fast EAP-AKA re-authentication delay (Dauth(standard)) and the LFR delay (Dauth(LFR)). Three delay elements constitute the total re-authentication delay (Dauth) in both cases; they are, the processing delay, transmission delay and propagation delay. Dauth = Dproc + Dtrans + Dprop

(1)

The transmission delay, Dtrans, is the delay experienced while transmitting an EAP message. This delay is insignificant compared to the processing and propagation delays [8], and hence it is not included in the calculation of the total authentication delay. The processing delay, Dproc, is the delay experienced by each node while processing a message. Operations like encryption/decryption, key generation and MAC calculation accounts for most of the processing delay. The processing delay depends mainly on the processing capabilities including CPU power and memory of devices. Servers like the WAAA are equipped with adequate CPU power and a large amount of memory. Therefore, the processing delay in these devices is insignificant. On the other hand, WLAN-UEs have limited processing capabilities and could incur substantial processing delays. By comparing the standard fast re-authentication protocol and the proposed LFR, we note that the WLAN-UE performs essentially the same operations. In the standard fast re-authentication protocol, the WLAN-UE decrypts the counter, Nonce and next-

authentication ID. Then it verifies MAC and Counter and calculates a new MAC. Then it encrypts the counter and finally derives the MSK. The exact operations are performed by the WLAN-UE in LFR protocol except that LRK is derived at the end of the protocol instead of MSK. As a result, the processing delay in both protocols is almost identical Dproc(standard)  Dproc(LFR)

(2)

We acknowledge that the two protocols might employ different cryptographic algorithms, which differ in their calculation speed. However, we assume both protocols uses symmetric key encryption algorithms with similar key sizes. Since we ignore the transmission delay and we assume that the processing delays of both protocols are identical, comparisons of the total authentication delay depend completely on the propagation delay, Dprop. We identify the following propagation delays in this paper. Dprop(UE-AP) is a one-direction propagation delay between the WLAN-UE and the AP. Dprop(APWAAA) is a one-direction propagation delay between the AP and the WAAA. Dprop(WAAA-HAAA) is a one-direction propagation delay between the WAAA and the HAAA. From (1) we can deduce the total delay for the standard fast re-authentication protocol to be Dauth(standard) = Dproc(standard) + 5×Dprop(UE-AP) + 4×Dprop(AP-WAAA) + 4× Dprop(WAAA-HAAA) (3) while the total delay for the proposed LFR is Dauth(LFR) = Dproc(LFR) + 5×Dprop(UE-AP) + 4×Dprop(AP-WAAA) (4) From (2), (3) and (4) we note that the difference between Dauth(standard) and Dauth(LFR) is 4× Dprop(WAAAHAAA), i.e., four times a one-direction propagation delay between the WAAA and the HAAA. Since we did not implement a test-bed to measure the actual delay times, we used the values found in [8] and [11] to compare LFR with the standard fast re-authentication protocol, as shown in Table. 1. Table.1. Authentication delay comparison between the standard fast re-authentication and the LFR

Approx time in ms

Full auth

Fast re-auth (Dauth(standard))

LFR (Dauth(LFR))

1244

605

305

In [8], Dprop(WAAA-HAAA) is approximated to 75 ms. Thus 4×Dprop(WAAA-HAAA) is approximately 300 ms. Therefore, Dauth(LFR) is less than Dauth(standard) by 300

ms. Plugging these numbers into the test-bed results described in [11], we find Dauth(LFR) to be 305 ms comparing to 605 ms in the standard fast reauthentication protocol. It is clear that LFR cuts down half of the delays experienced by the standard reauthentication protocol. Note that Dprop(WAAA-HAAA) is susceptible to dramatic increases if multiple Proxy AAA servers are placed between the WAAA and the HAAA. Our proposal outperforms the standard reauthentication protocol because Dprop(WAAA-HAAA) is not involved when calculating the total re-authentication delay. Another positive aspect in our proposal is the fact that it does not involve HAAA processing delays. Such delays can be significant. Therefore, LFR is superior to the standard EAP-AKA fast reauthentication and best suited to handle delaysensitive wireless applications. Since our proposal posed changes to the standard full EAP-AKA protocol, the performance analysis of this change needs to be considered. The main changes introduced here is to generate three extra keys by the HAAA and two extra keys by the WAAA. Moreover, five extra keys need to be generated by the WLANUE. Key generation in servers like HAAA and WAAA does not introduce significant delays. Nevertheless, five key generations by the WLAN-UE may introduce some processing delays. Given that full authentication is normally performed at the beginning of a new session, and re-authentication is most likely invoked during an ongoing session, it is reasonable to tolerate additional delays at the beginning of a session than to tolerate delays during a live on-going session. Therefore, adding a little extra delay to the EAP-AKA full authentication in order to experience less delay during re-authentication is an attractive alternative.

5. Conclusions and Future Work To address the security challenges of 3G-WLAN interworking, it is important to design a secured authentication protocol with acceptable performance. Improvements to the standard EAP-AKA full authentication and fast re-authentication protocols used in 3G-WLAN networks are presented in this paper. A new key hierarchy and re-authentication protocol is designed to achieve faster reauthentication. The proposed re-authentication protocol outperforms the standard re-authentication protocol by significantly reducing the impact of the delays between a 3G system and a WLAN. We are currently designing inter- and intra-WLAN secured fast handovers protocols based on the modifications to the EAP-AKA full authentication and key hierarchy. We will perform further analyses of LFR and the

anticipated handover protocols using the Burrow, Abadi and Needham (BAN) authentication logic.

6. Acknowledgment This work is funded by the Electrical and Computer Engineering Department at Sultan Qaboos University under Contract number 1907/2005, Bell Canada and the Natural Sciences and Engineering Research Council of Canada under grant CRDPJ 328202-05.

7. References 1.

3rd Generation Partnership Project, 3GPP Technical Specifications, “3G Security; WLAN interworking security (Release 7)”, 3GPP TS 33.234 v7.0.0, Mar. 2006. 2. B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, and H. Levkowetz, “Extensible Authentication Protocol (EAP)”, IETF RFC 3748, June 2004. 3. J. Arkko and H. Haverinen, “Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)”, IETF RFC 4187, Jan. 2006. 4. IEEE Standard for local and metropolitan area networks, “Wireless LAN Medium Access Control (MAC) and Physical Layer Specifications, MAC Security Enhancements”. ANSI/IEEE Std 802.11i, 2004 Edition. 5. B. Aboba, "Extensible Authentication Protocol (EAP) Key Management Framework", IETF Internet Draft (draft-ietf-eap-keying-14), June 2006. 6. H. Kim, H. Afifi, “Improving Mobile Authentication with New AAA protocols”, IEEE Int. conf. on communications vol. 1, pp 497-501, May 2003. 7. M. Lee, G. Kim and S. Park, “Seamless and secure mobility management with Location-Aware Service (LAS) broker for future Mobile interworking networks”, Journal of Communications and Networks, vol. 7, No. 2, pp 207-221. June 2005. 8. P. Prasithsangaree and P. Krishnamurthy, “A new authentication mechanism for loosely coupled 3GWLAN integrated networks”, IEEE 59th Vehicular Technology Conf. vol.5, pp. 2998-3003, 2004. 9. J. Salowey, L. Dondeti, V. Narayanan and M. Nakhjiri, "Specification for the Derivation of Usage Specific Root Keys (USRK) from an Extended Master Session Key (EMSK)", IETF Internet Draft (draft-salowey-eapemsk-deriv-01) 10. R. Housley and B. Aboba, "Guidance for AAA Key Management", IETF Internet Draft (draft-housley-aaakey-mgmt-06), November 2006. 11. H. Kwon, K.-Y. Cheon, K.-H. Roh and A. Park, “USIM based Authentication Test-bed for UMTS-WLAN Handover”, in Proc. IEEE Infocom, Barcelona, Spain, April 2006.