Sie sind auf Seite 1von 11

This article has been accepted for publication in a future issue of this journal, but has not been

fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2614976, IEEE Internet of
Things Journal

IEEE INTERNET OF THINGS JOURNAL, VOL. XX, NO. XX, JANUARY 2016 1

Achieve Secure Handover Session Key Management


via Mobile Relay in LTE-Advanced Networks
Qinglei Kong, Student Member, IEEE, Rongxing Lu, Senior Member, IEEE,
Shuo Chen, and Hui Zhu, Member, IEEE

AbstractInternet of Things (IoT) is expanding the network by enough processing power, are perfect candidates for the real-
integrating huge amount of surrounding objects which requires time environmental monitoring and mapping, which is an
the secure and reliable transmission of the high volume data indispensable part of IoT [6] [7]. For the information and data
generation, and the mobile relay technique is one of efficient ways
to meet the on-board data explosion in LTE-Advanced (LTE-A) collected by the on-board sensors, they can be aggregated and
networks. However, the practice of the mobile relay will pose processed by the on-board units, and then transmitted to the
potential threats to the information security during the handover Internet by on-board mobile devices. In the meanwhile, the
process. Therefore, to address this challenge, in this paper, we mobile devices which belong to the passengers are also respon-
propose a secure handover session key management scheme via sible for managing the small scale autonomous networks, and
mobile relay in LTE-A networks. Specifically, in the proposed
scheme, to achieve forward and backward key separations, the the constant wireless broadband network access is mandatory
session key shared between the on-board UE and the connected for these on-board mobile devices [8] [9].
Donor evolved Node B (DeNB) is first generated by the on-board However, for public transportation, due to the fast moving
UE and then securely distributed to the DeNB. Furthermore, well-shielded carriage, data transmission will suffer from high
to reduce the communication overhead and the computational penetration path loss, severe Doppler frequency shift, and low
complexity, a novel proxy re-encryption technique is employed,
where the session keys initially encrypted with the public key of handover success rate caused by a large number of on-board
the mobility management entity (MME) will be re-encrypted by a mobile devices performing frequent handovers simultaneously.
mobile relay node (MRN), so that other DeNBs can later decrypt To circumvent the above problems, the concept of mobile relay
the session keys with their own private keys while without the is proposed in the 3GPP in LTE-A networks [10]. A mobile
direct involvement of the MME. Detailed security analysis shows relay consists of an outer antenna mounted on the top of the
that the proposed scheme can successfully establish session keys
between the on-board UEs and their connected DeNB, achieving moving transportation providing a wireless backhaul with a
backward and forward key separations, and resisting against the Donor evolved Node B (DeNB) located along the roadside,
collusion between the MRN and the DeNB as the same time. In while the wireless connection to the on-board users is realized
addition, performance evaluations via extensive simulations are by the inner antenna installed inside the carriage [11], [12].
carried out to demonstrate the efficiency and effectiveness of the As such, the Doppler effect in this network scenario can be
proposed scheme.
mitigated by referring to the speed and track information [13].
Index TermsInternet of Things, LTE-A Networks, Mobile To increase the handover success rate, the mobile relay node
Relay, Handover, Secure Key Establishment (MRN) represents all the user equipments (UEs) to conduct
handover, as a result, the heavy traffic loads caused by the
I. I NTRODUCTION handover can be released [14] [15].
From the perspective of mobile operators, the deployment of
With the proliferation of various enabling technologies, MRNs may introduce heavy capital expenditure (CAPEX) due
many small objects that surround us can be integrated into the to the large quantity of public transportation, and bring high
Internet in one form or another, which is called the Internet of operating expenditure (OPEX) owing to their moving charac-
Things (IoT) paradigm [1]. The Third Generation Partnership teristics [16]. Meanwhile, the public transportation companies
Project (3GPP) has identified machine type communication may have a high motivation to install their own MRNs on
(MTC) to be one of the facilitators for IoT in LTE-Advanced the top of their public transportation to improve the on-board
(LTE-A) networks [2] [3], and the highly penetrated portable experiences of their passengers and the quality of the IoT-
electronic devices (smart phones, tablets, etc.) are regarded related services, and it can further gain more reputation and
as common contact points or gateways for the large-scale economic profits. Despite the countless advantages brought by
deployment of IoT devices [4] [5]. Advanced transportation the MRNs, there still exists many practical challenges in real
(high-speed trains, buses, trams, cars, etc.) which are moving applications. One crucial challenge is the emerging threats and
along the rails/roads and equipped with various sensors and difficulties in session key establishment between the on-board
UE and the DeNB during the handover process [17].
Q. Kong, and S. Chen are with the School of Electrical and Elec-
tronic Engineering, Nanyang Technological University, Singapore, e-mail: In the 3GPP LTE-Advanced Networks, the session key
qlkong@ntu.edu.sg, schen@ntu.edu.sg established between one UE and one DeNB, aims to protect
R. Lu is with the Faculty of Computer Science, University of New the integrity and confidentiality of the control-plane signaling,
Brunswick, Fredericton, Canada E3B 5A3. e-mail: rxlu@ieee.org
H. Zhu is with the School of Cyber Engineering, Xidian University, Xian, and the confidentiality of the user-plane data transmission [18],
710071, China, e-mail: zhuhui@xidian.edu.cn [19]. In the Evolved Packet System (EPS) of the LTE-

2327-4662 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2614976, IEEE Internet of
Things Journal

IEEE INTERNET OF THINGS JOURNAL, VOL. XX, NO. XX, JANUARY 2016 2

Advanced Networks, the session key generation is based on the re-encrypts the received messages into messages that can be
simultaneous key update of both the UE and the DeNB during decrypted by the target DeNB without revealing the contents
the handover process according to a key chaining counter of the established session keys. Furthermore, as the MME
[20]. However, there exist many problems related to this key is not involved during the session key establishment process,
management scheme. One of the potential threats is the desyn- the proposed scheme introduces no computational load to the
chronization attack caused by manipulating the key chaining MME.
counter, and this type of attack may leave the subsequent 3) Finally, to validate the effectiveness of our proposed
session keys vulnerable to be compromised [21]. Especially handover key management scheme, we conduct numerical
in our MRN scenario, on the one hand, the on-board UEs experiments. We first implement the cryptographical results
may experience frequent handover, and the probability of the using Java, then we examine the computational delay with
desynchronization attack may increase. On the other hand, the respect to (w.r.t.) the number of MRNs and the number of
untrusted third-party owned MRN can store all the messages UEs, and the communication overhead and storage load are
it received-and-forwarded, and the corruption of a chain of also analyzed.
session keys can potentially lead to the devastating effect The remainder of this paper is organized as follows. We in-
of the leakage of all the transmitted messages. Furthermore, troduce the system model and security requirements, and iden-
the frequent handover may also bring in heavy computational tify the design goals of our work in Section II. In Section III,
pressure to the mobility management entity (MME) in the core we briefly review the LTE EPS handover key management, and
network, due to the frequent fresh keying material generation. recall the bilinear pairing and proxy re-encryption techniques
To protect the secure data transmission between the on- as preliminaries, which will be utilized in subsequent sections.
board UEs and the DeNBs, a new handover key management We propose our handover key management in MRN scenario
scheme needs to be devised. For the on-board UEs, the in Section IV, followed by security analysis and performance
proposed scheme should be able to protect the confidentiality evaluation in Section V and in Section VI, respectively. We
and integrity of the data transmission. From the perspective give related work in Section VII, and finally conclude our
of the DeNBs, if one DeNB is compromised by a rogue base work in Section VIII.
station attack, the corrupted DeNB should be isolated from
the network. And the establishment of the large amount of
II. S YSTEM M ODEL , S ECURITY R EQUIREMENT AND
session keys should also not introduce heavy computational
D ESIGN G OAL
load and severe handover latency. From the perspective of
the MME, the key establishment process should not introduce In this section, we introduce the system model, present the
heavy computational burden. For the MRN, the ultimate goal security requirements, and identify our design goals.
of the deployment of the MRN is to bring high quality wireless
access service to the on-board UEs, and the MRNs can also
be involved in the session key establishment process without A. System Model
revealing the content of the session keys. The mobile relay network scenario under the 3GPP LTE
Motivated by the above-mentioned analysis, in this paper, architecture is composed of the access domain (Evolved
we devise a novel secure handover key management scheme in Universal Terrestrial Radio Network, E-UTRAN) and the
LTE-A networks, when the MRNs are owned by third parties. core domain (Evolved Packet Core, EPC) [20]. The access
With the proposed handover key management scheme, each domain consists of on-board UEs, MRNs installed on public
on-board UE can successfully establish its session key with transportation, and mobile relay capable DeNBs, as shown in
the DeNB during the handover process while guaranteeing the Fig. 1. The DeNBs are connected to each other through the X2
forward and backward session key separations. Specifically, link, while the DeNB and the MME is connected by the S1-C
the main contributions of this paper are threefold. link [20]. When public vehicles or trains are moving forward,
1) Firstly, instead of updating the session key at both the on- the UEs located inside the carriage maintain their connections
board UE and the DeNB sides, the session key is generated by to the network by communicating with the MRNs which are
the on-board UE itself and delivered to the DeNB. Thus, the moving along with the on-board UEs. While at the same time,
DeNB can achieve perfect one-hop forward/backward key sep- the MRNs communicate with the fixed DeNBs located near the
aration and resist against the desynchronization attack. While roads or railways. In the core network domain, we only take
in the EPS key management scheme, the forward separation is the mobility management entity (MME) into consideration,
achieved on a two-hop basis and the key management process and the functionalities of an MME includes performing mutual
is vulnerable to the desynchronization attack [20]. authentication with the UEs on behalf of the EPC and taking
2) Secondly, the session key generated by the on-board UE control of mobility management of the UEs.
is encrypted by a universal public key, i.e., the public key of When an on-board UE communicates with one DeNB
the MME, and there requires no public key transmission of through the cooperation of a MRN, it may roam out of the
the connected DeNB. The location information of the target coverage area of the current DeNB, and then connect to
DeNB is also exploited in the session key encryption to avoid another DeNB. The 3GPP LTE network supports two types of
collusion between the mobile relay and the compromised handover, i.e., inter-MME handover and intra-MME handover.
DeNB. Since the target DeNB cannot decrypt the received Since the inter-MME handover occurs between the UE and
message encrypted by the public key of the MME, the MRN MME by running full Evolved Packet System authentication

2327-4662 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2614976, IEEE Internet of
Things Journal

IEEE INTERNET OF THINGS JOURNAL, VOL. XX, NO. XX, JANUARY 2016 3

UEs. If one DeNB is corrupted, without the previous session


keys, the messages transmitted between the previous DeNBs
and the on-board UEs cannot be decrypted, and the attack can
only compromise the transmission of the corrupted DeNB.
Forward Key Separation. Given the session keys shared
S1-C MME S1-C
between the on-board UEs and the connected DeNB, the
DeNB is not computationally feasible to know the future
X2
Source Target session keys after the subsequent handover. Forward key
DeNB MRN DeNB separation prevents a corrupted DeNB from compromising
Backhaul
Link Access other future DeNBs, and keeps the security breaches as local
Link as possible.
Collusion Resistance [23]. For any compromised DeNB,
On-Board even though the malicious MRNs owned by third-parties
UEs
possess sufficient storage and computation capability, it is
computationally infeasible for a collusion coalition between
Fig. 1. System Model under Consideration
a corrupted DeNB and a malicious MRN to recover any of
the previous and afterwards transmitted messages.

key agreement (EPS-AKA) procedure, without the involve- C. Design Goals


ment of any signaling transmission between DeNBs, we only
Based on the aforementioned system model and security
consider the intra-MME handover process and focus on the
requirements, our design goal is to develop an efficient and
wireless links between the DeNB and the on-board UEs. Under
robust key management scheme during the handover process.
this mobile relay network scenario, the on-board UEs conduct
Specifically, the following objectives should be achieved for
intra-MME handover between two neighboring DeNBs with
the key management scheme during handover.
the help of a MRN which is moving along. When a group
Security: The above-mentioned security requirements
of on-board UEs roam to the coverage of a new DeNB, new
should be satisfied in the devised handover key management
session keys need to be generated and established to protect
scheme. According to the previous statement and analysis,
the security of the radio access links between the on-board
without taking the secure handover key management scheme
UEs and the new DeNB.
into consideration, the real application of the MRNs is not
even possible. Thus, the proposed handover key management
B. Security Requirements scheme should simultaneously guarantee the secure session
A secure handover key management mechanism is one of key derivation and association, achieve forward and backward
the most important processes for the successful practice of a key separation, at the same time, resist collusion attacks in the
MRN. In our security model, we regard all the entities in the mobile relay handover scenario.
EPC and all the on-board UEs as trustable. Since the MRNs Efficiency: The security handover mechanism should not
are owned and deployed by the third parties instead of the introduce heavy computational load to the MME, due to
operators in this network scenario, the MRNs are considered the keying material generation and update caused by the
to be untrusted. All the messages transmitted between the simultaneous frequent handover of the large amount of on-
DeNBs and the on-board UEs are received-and-forwarded by board UEs. For the on-board UEs and the target DeNB,
the MRNs, the MRNs can eavesdrop, modify and replay the the proposed handover key management scheme should not
received messages. Furthermore, the DeNBs are also viewed introduce heavy computational and traffic load, and the latency
as untrusted since they reside in the open environment, and caused by the session key establishment should not degrade
the adversaries can launch some active attacks to corrupt the the user experience of the on-board UEs.
DeNBs. Therefore, the following security requirements should
be satisfied in the secure handover key management. III. P RELIMINARIES
Secure Session Key Establishment [22]. During the han- In this section, we first make a brief introduction of the EPS
dover process, a secure session key between each on-board UE handover key management mechanism, which was originally
and the DeNB should be derived and established to protect presented in 3GPP Release 11 for LTE networks [20]. Then we
the confidentiality and integrity of the transmission in the recall the cryptographic techniques: bilinear pairing and proxy
radio access link. The MRN should not disrupt the secure re-encryption, which function as the basis of our proposed
session key generation and association or achieve the session handover key management mechanism.
keys shared between the on-board UEs and the DeNB, even
though it is capable of eavesdropping, modifying or replaying
the messages passed through. A. Review of EPS Handover Key Management
Backward Key Separation. For any connected DeNB, it is During an intra-MME handover process, it is the task of the
computationally infeasible to derive the previous session keys current source eNB to provide the next hop session keys shared
based on the current session keys shared with the on-board between the target eNB and the roaming UEs, and the session

2327-4662 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2614976, IEEE Internet of
Things Journal

IEEE INTERNET OF THINGS JOURNAL, VOL. XX, NO. XX, JANUARY 2016 4

UE S-DeNB T-DeNB MME


(0) Fresh Keying Material,
(1) Measurement Report NHNCC, NCC
(2) Handover Request
KeNB, NCC
(3-a) Handover Request ACK
(3-b) Handover Command, NCC NCC
(4) Handover Confirmation
(5) S1 Path Switch Request
(6) S1 Path Switch ACK

Fig. 2. Message Flow during Intra-MME Handover

key transfer is realized by the secure X2 link established value, which results in the desynchronization of the target
between eNBs [21]. To ensure backward key separation, the eNB. The desynchronization attack leads the target eNB to
source eNB generates the next-hop session key KeN
B for give up the forward key separation, and only able to perform
the target eNB based on the current session key KeN B by the horizontal key derivation, in which a set of session keys
applying a one-way hash function, which is also called the can be linked to each other. To reduce the loss brought by
key derivation function (KDF): the desynchronization attacks, root key update is an efficient
way to prevent further session key exposure [21]. However,
KeN B = KDF (KeN B , ) (1) the frequent root key update involves the transmission of the
where denotes the physical parameter related to the target UEs identity, and it introduces heavy traffic and computation
eNB, and the above key update process is also denoted as the load to the MME in the core network, especially in this MRN
horizontal key derivation. However, after several horizontal scenario with the involvement of tens of on-board UEs.
key derivations, a set of session keys are linked to each other,
which is known as the handover key chaining, and the current B. Bilinear Pairing
session key could be derived from the previous eNBs. To Let G and GT be two multiplicative groups with the same
guarantee forward key separation, the vertical key derivation prime order q. The bilinear map e: G G GT has the
is introduced. After each intra-MME handover process, the following properties:
MME provides fresh keying material N HN CC to the target 1) Bilinearity: g, h G, and a, b Zq , we can derive
eNB for the next hop session key generation: the equation e(g a , hb ) = e(g, h)ab ;
2) Nondegeneracy: There exists at least one g, where g G
KeN B = KDF (N HN CC , ) (2)
and one h, where h G, which satisfies the condition that
where N HN CC represents that the next hop (N H) key has e(g, h) 6= 1GT ;
been updated next-hop chaining counter (N CC) times, and 3) Computable: g, h G, there is an efficient algorithm
the current security association between the target eNB and to compute e(g, h).
UE is based on the value of N CC value. And the value of In group G, the Computational Deffie-Hellman (CDH)
N HN CC and the initial value N H0 are generated as following problem is computationally intractable, i.e., given (g, g a , g b )
for g G and unknown a, b Zq , it is computationally
N HN CC = KDF (KASME , N HN CC1 ) ab
(3) infeasible to calculate g in polynomial time [24]. While the
N H0 = KDF (KASME , KeN B ) Decisional Diffie-Hellman (DDH) problem is easy to solve,
i.e., given (g, g a , g b , g c ) for g G and unknown a, b, c Zq ,
where KASME is the first intermediate key used to protect the
it is easy to determine whether c = ab mod q by checking
security of the NAS layer. Thus, a two-hop based forward key ?
separation is maintained, that is, the source eNB cannot derive whether e(g a , g b ) = e(g c , g).
the following session keys after two handovers. Fig. 2 depicts Definition 1: A bilinear parameter generator Gen denotes a
the message flow during an intra-MME handover process, by probabilistic algorithm that takes a parameter related to as
implementing the vertical key derivation. the input, and gives a 5-tuple (q, g, G, GT , e) as the output,
In the proposed handover key management scheme, a where q is -bit prime, G, and GT are two multiplicative
desynchronization attack may happen to disrupt the update groups with order q, g G is a generator, and e : GG GT
of the NCC value in message (2) or after message (6). is non-degenerated and computable bilinear map.
To be more specific, if an eNB which is compromised by
an adversary through physical, host, and network protocol C. Proxy Re-encryption
vulnerabilities, when a UE is connected to the compromised Proxy re-encryption technique is a cryptographic technique
eNB, the compromised eNB can disrupt the update of the NCC which allows a proxy to alter a ciphertext encrypted for one

2327-4662 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2614976, IEEE Internet of
Things Journal

IEEE INTERNET OF THINGS JOURNAL, VOL. XX, NO. XX, JANUARY 2016 5

TABLE I
entity into a new ciphertext which can be decrypted by another N OTATIONS OF OUR PROPOSED SCHEME
entity. Assume User B encrypts a message with the public key
of User A, and it can only be decrypted by the private key of Notation Definition
User A. If User A permits User C to reveal the content of eN B IDj Identifier of the target DeNB
H1 (Lj ) Location-based Generator of DeN Bj
the message encrypted by the public key of User A, User A xj Private Key of DeN Bj
distributes the corresponding re-encryption key rkAC to the yj Public Key of DeN Bj
proxy. And the proxy transforms the ciphertext encrypted by xM Private Key of the MME
yM Public Key of the MME
the public key of User A into a new ciphertext which could
H1 (Lj )xj /xM Re-encryption Key of DeN Bj
be decrypted by the private key of User C. Meanwhile, the xi Private Key of U Ei
proxy server is not able to read or reveal the contents of the yi Public Key of U Ei
underlying messages [25]. Kij Session Key Shared between U Ei and DeN Bj

IV. P ROPOSED H ANDOVER K EY M ANAGEMENT S CHEME


to DeNB j. Since the DeNB j periodically broadcasts the pilot
In this section, we introduce our proposed secure handover
signal containing the T AC and eN B IDj in its coverage
key management scheme in the MRN scenario, as shown in
area, the MRN can also produce the generator H1 (Lj ) of
Fig. 3. The session keys are first generated and encrypted by
DeNB j.
the on-board UEs, and then delivered to the MRNs. The MRNs
re-encrypt the received messages, so that the target DeNB
can successfully decrypt the received messages to obtain the B. Handover Key Management Scheme in MRN Scenario
session keys. The message flows between an on-board UE and the target
DeNB with the involvement of the source DeNB and MRN in
A. System Initialization the secure handover key management process is depicted in
Fig. 3.
Given the security parameter , the MME first generates Step 1: Before the handover process, the MRN conducts
the bilinear parameters (q, g, G, GT , e) by running Gen(), the communication channel measurement on behalf of the
then chooses a symmetric encryption algorithm Enc() and on-board UEs under its coverage area. After conducting the
two secure one-way Hash functions H1 and H2 , where H1 : measurement process, the MRN generates and sends a channel
{0, 1} G and H2 : {0, 1} G. In addition, the MME measurement report to the source DeNB as a request for
owns a private key xM , and computes yM = g xM as its public handover (message (1)).
key, the notations are shown in TABLE I. Finally, the MME Step 2: While at the same time, the MRN generates
keeps the private key xM in confidential, and publishes the sys- H1 (Lj ) = H1 (T ACkeN B IDj ) and delivers H1 (Lj ) to
tem parameter params = (q, g, G, GT, e, H1 , H2 , yM , Enc()). the on-board UEs under its coverage. The MRN also ac-
For each on-board UE i, it owns a private key xi , and the knowledges the on-board UEs to prepare for the generation
corresponding public key yi , where yi = g xi . The public key of the session keys that will be utilized during the next hop
of a UE is stored in the MME during the registration phase, transmission (message (a)).
and it can be achieved by the DeNBs under the coverage of
the MME. Algorithm 1 Session Key Generation and Encryption
For DeNB j, it also possesses a pair of private and public Data: A group of n on-board UEs obtain the location-based generator
keys, which are denoted as xj Zq and yj = H1 (Lj )xj . H1 (Lj ) of the target DeNB j from the MRN;
Lj = (T AC||eN B IDj ) is a unique parameter which is a Compute:
for i = 1 : n do
combination of the location information and its unique identity. 1. On-board UE i chooses a random number ri Zq ;
The location of DeNB j is indicated by the tracking area code 2. Then on-board UE i generates c1i with public key of the MME yM :
(T AC), which is a unique code that is assigned by the operator c1i = (yM )r = (g xM )r = (g rxM );
to each of its tracking area, including a group of neighboring 3. On-board UE i generates c2i with the session key Kij :
DeNBs. The unique identity of the DeNB j (eN B IDj ) c2i = Kij e(H1 (Lj ), g)r ;
4. On-board UE i generates the signature sji with the current time
is also assigned by the operator during the infrastructure identifier T imestamp and its private key xi :
deployment phase. When DeNB j registers itself to the MME, sji = H2 (Kij ||T imestamp)xi
DeNB j delivers the public key yj = H1 (Lj )xj to the MME, end for
and proves the authenticity of yj using the following zero- Output: Cij = (c1i , c2i , sji ), f or i = 1, 2, , n
knowledge proof process [26]. The MME first picks a random
number rz and a random message Mz to form the ciphertext Step 3: According to the channel measurement report,
(aj = H1 (Lj )rz , bj = yjrz Mz ), and then delivers (aj , bj ) to the source DeNB determines whether the MRN representing
DeNB j. Then DeNB j decrypts the received ciphertext and the on-board UEs under its coverage begins to conduct the
replies the random message Mz = bj /(aj )xj to the MME. handover process or not. If the source DeNB decides to
Thus, the DeNB j can prove that it does deliver its public key handover to the target DeNB, it initiates a handover request
to the MME and it does use the unique generator H1 (Lj ) in to the target DeNB with the public keys of the on-board UEs
the public key yj . After the validation of DeNB j, the MME attached, which will be further utilized by the target DeNB
generates a re-encryption key H1 (Lj )xj /xM and distributes it for signature validation (message (2)).

2327-4662 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2614976, IEEE Internet of
Things Journal

IEEE INTERNET OF THINGS JOURNAL, VOL. XX, NO. XX, JANUARY 2016 6

UE MRN S-DeNB T-DeNB MME


(1) Measurement Report
(a) Key Generation (2) Handover Request
Request
(3-a) Handover Request
(3-b) Handover Command
(b) Encrypted
Session Key (4) Re-encrypted Session Keys
(5) S1 Path Switch
Request
(6) S1 Path Switch ACK

Fig. 3. Message Flow in MRN Scenario when UE handovers over from the source DeNB to the target DeNB

Step 4: After receiving the handover request from the (message (4)).
source DeNB, the target DeNB checks its current traffic Step 7: When the re-encrypted message Cij = ( c1i , c2i , sji )
load. If there is enough spare resource for the on-board arrives at the target DeNB, the target DeNB j first decrypts
UEs, the target DeNB accepts the handover request and the session key generated by the on-board UE i with its own
replies its re-encryption key H1 (Lj )xj /xM back to the source private key xj , and validates the accuracy of the session key
DeNB (message (3)). Then the source DeNB helps to deliver with the public key yi of the on-board UE i, as shown in
H1 (Lj )xj /xM to the MRN and send a handover command to Algorithm 3.
the MRN (message (3)). Correctness. We first validate the correctness of the decryp-
Step 5: After achieving (message (a)), on-board UE i tion process of Kij at the target DeNB j:
randomly generates a session key, Kij , which later will be
shared between on-board UE i and the target DeNB j. Then
c2i Kij e(H1 (Lj ), g)r
all the on-board UEs begin to compute their encrypted session Kij = =
x1 1
keys and the corresponding signatures using Algorithm 1, c1i )
( j (e(g, H1 (Lj )rxj ))xj
(4)
where sji is the signature of the session key Kij , aiming to Kij e(g, H1 (Lj ))r K j e(g, H1 (Lj ))r
validate the correctness and integrity of the session key sent = = i
(e(g, H1 (Lj ))rxj )xj
1
e(g, H1 (Lj ))r
to the target DeNB after the decryption process. Then the on-
board UE transmits Cij to the MRN. Regardless of which
Then we check the correctness of the signature verification
DeNB it is connected to, all the on-board UEs utilize the
process by exploiting the following mathematical process:
universal public key of the MME yM for the session key
encryption instead of exploiting the public key of the target
?
DeNB, which saves the computational and communication e(sji , g) = e(H2 (Kij ||T imestamp), yi) (5)
resource spent on update of the public key. Furthermore, the
generation of c1i and c2i can be done offline in Algorithm 1, Step 8: After the signature verification, the symmetric
which can effectively reduce the computational delay. session key Kij is successfully established between the target
DeNB j and the on-board UE i, and it is used to protect the
Step 6: Since the session key Kij shared between the on-
control-plane and data-plane transmission.
board UE i and the target DeNB j is encrypted by the public
key of the MME yM , without the private key xM , the target Thus, we can achieve the objective of the secure key
DeNB cannot decrypt Kij directly. Even though the MRN is establishment between the target DeNB and the on board UEs
owned and deployed by the third party public transportation under the help of the MRN.
company, the ultimate goal of the deployment of the MRN
is to provide high-quality wireless access services to the on- Algorithm 2 Session Key Re-encryption
board UEs. Besides, the MRN possesses certain computational Data: The MRN obtains the re-encryption key H1 (Lj )xj /xM from the target
capability. Thus, the MRN has the motivation and ability DeNB j;
Compute:
to join in the key establishment process and functions as a
for i = 1 : n do
proxy. In this situation, the MRN acts as a delegate to transfer The MRN derives c1i from c1i and H1 (Lj )xj /xM :
the messages encrypted with the public key of MME into c1i = e(c1i , H1 (Lj )xj /xM ) = e(g, H1 (Lj ))rxj ;
messages, that can be decrypted with the private key of the Update C j :
i
j
target DeNB without revealing the contents of the messages.
Ci = ( c1i , c2i , sji );
end for
During the re-encryption process, the MRN converts c1i into j , f or i = 1, 2, , n
Output: C i
c1i by performing Algorithm 2, then the converted message
Cij = (
c1i , c2i , sji ) is delivered to the target DeNB, as shown in

2327-4662 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2614976, IEEE Internet of
Things Journal

IEEE INTERNET OF THINGS JOURNAL, VOL. XX, NO. XX, JANUARY 2016 7

Algorithm 3 Session Key Decryption and Signature Verifi- corresponding re-encryption key H1 (Lj )xj /xM for the
cation session key are distinctly different at different Lj , the
j , i {1, 2, , n} ;
Data: The DeNB j gets C forward and afterward DeNB cannot decrypt and obtain
i
Compute:
the session key. As a result, the backward and forward
for i = 1 : n do
1. The DeNB decrypts the session key Kij with xj : key separation can be achieved during the handover key
j
Kij =
c2
i
=
Ki e(g,H1 (Lj ))r
;
management in the MRN scenario.
1 e(g,H1 (Lj ))r
c1
(i)
x
j The proposed handover key management mechanism can
2. The DeNB conducts the following computation: resist the collusion attack between the corrupted DeNB
e(H2 (Kij ||T imestamp), yi );
3. The DeNB checks whether: and the MRN. Suppose DeNB h is corrupted by an
? attacker and colludes with a malicious MRN, and the
e(sji , g) = e(H2 (Kij ||T imestamp), yi );
end for goal of collusion is intended to reveal the transmission
Output: Kij , f or i = 1, 2, , n content of DeNB j. In our scheme, if we do not introduce
the location-based generator H1 (Lj ) in the re-encryption
key, i.e., H1 (Lj )xj /xM becomes g xj /xM , and c2i will be
V. S ECURITY A NALYSIS computed as c2i = Kij e(g, g)r . Therefore, when DeNB
In this section, detailed security analysis of the proposed h and the malicious MRN intend to reveal the session
handover key management scheme is given to demonstrate key Kij , the malicious MRN can transform c1i with the
that it satisfies the requirements of the efficient secure session re-encryption key g xh /xM of DeNB h and obtain the
key establishment, backward and forward key separation, and following
collusion-resistance. c1h
i = e(g
xM r xh /xM
,g ) = e(g, g)xh r (7)
The proposed handover key management scheme can
Then, the session key can be gained by the DeNB h with
efficiently achieve the goal of secure session key estab-
its private key xh
lishment between the on-board UEs and the target DeNB.
When each on-board UE uses the public key yM of c2i Kij e(g, g)r
the MME for the session key encryption, the ciphertext Kij = = (8)
c1h
(i )
xh 1
e(g, g)r
(c1i , c2i ) for the session key Kij shared between the on-
board UE i and the target DeNB j can only be decrypted Since our proposed scheme introduces H1 (Lj ) in the
by the MME with the private key xM , which is shown re-encryption key H1 (Lj )xj /xM , obviously, the above
below collusion does not work. Therefore, the goal of the
collusion attack resistance can be achieved.
c2i Kij e(H1 (Lj ), g)r
Kij = 1 = 1 . (6)
e(c1i , H1 (Lj ))xM e(g rxM , H1 (Lj ))xM VI. P ERFORMANCE E VALUATION
In this section, we evaluate the performance of the proposed
Therefore, no one else can obtain the session key Kij
handover key management scheme in the MRN scenario, in
at this stage. Because the MRN possesses computational
terms of the computational delay of DeNB, MRN, and on-
capability and has the motivation to conduct the re-
board UE, the communication overhead of the DeNB and on-
encryption, the MRN converts the messages encrypted
board UE transmission, and the storage costs of DeNB, MRN,
by the public key yM of the MME into messages which
and on-board UE.
could be decrypted by the private key xj of the target
DeNB. After the re-encryption, only the target DeNB can
decrypt the session key Kij with its private key xj , as A. Computational Cost
indicated in Eq. (4). To guarantee the correctness and TUE , TMRN , and TDeN B denote the average computational
integrity of the decrypted session key, a signature sji is cost of an on-board UE, an MRN, and a DeNB, respectively.
introduced to further prevent the MRN from distorting The experimental environment is a desktop with dual-core
the session key. Thus, the goal of the secure session key 3.10GHz processor and 8.00GB installed memory, using the
establishment can be achieved. Type A pairing in the Java Pairing-Based Cryptography Li-
The proposed handover key management mechanism can brary [27]. We test the value of TUE , TMRN , and TDeN B
achieve the backward and forward key separation of the 1000 times, and their average values are reported as 13.3ms,
session keys during the handover process. During each 10.1ms, and 21.2ms, respectively.
handover, the session key Kij shared between the target Assume there are n on-board UEs and m MRNs installed
DeNB j and the on-board UE i is generated randomly by on a public transportation, and we also assume that the
the on-board UE i, and transmitted to the target DeNB MRNs and the target DeNB have the ability of conducting
via the MRN without revealing the content of the session parallel computation, i.e., four calculations
 n  can be carried
key. Since one session key is randomly generated and out simultaneously. Thus, there are 4m + 1 on-board UEs
can only be utilized once, the compromise of one session allocated to each MRN.
key cannot further corrupt the other sessions keys shared As shown in Fig. 4, when TMRN TDeN B , the bottleneck
between the on-board UE and the other DeNBs. Further- of the computational delay is TDeN B , that is, the second on-
more, during each session key establishment process, the board UE needs to wait a short time for the DeNB to conduct

2327-4662 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2614976, IEEE Internet of
Things Journal

IEEE INTERNET OF THINGS JOURNAL, VOL. XX, NO. XX, JANUARY 2016 8

900
On-board UE1 TUE TMRN TDeNB
Proposed Scheme, Number of MRN=1
time 800 Without Group Handover, Number of MRN=1
On-board UE2 TMRN TDeNB Proposed Scheme, Number of MRN=2
0 TUE+TMRN+TDeNB TUE+TMRN+2TDeNB Without Group Handover, Number of MRN=2
700
time

Delay of DeNB (ms)


600

Fig. 4. Computational Delay of DeNB, when TM RN TDeNB 500

400
decryption and signature verification after the re-encryption of
the MRN. In this case, the time consumption for the on-board 300

UE with the maximum computational delay is 200


j n k
TmaxUE = TUE + TMRN + ( + 1)TDeN B . (9) 100
4m
0
When TMRN > TDeN B , as shown in Fig. 5, the correspond- 20 40 60 80
Number of UE
ing time consumption of the on-board UE with the maximum
computational delay is denoted as
Fig. 6. Comparison of Computational Delay of DeNB w.r.t. the number of
UE
j n k
TmaxUE = TUE +( + 1)TMRN + TDeN B (10)
4m 900
Proposed Scheme, Number of UE=40
800 Without Group Handover, Number of UE=40
Proposed Scheme, Number of UE=60
Without Group Handover, Number of UE=60
700
On-board UE1 TUE TMRN TDeNB

Delay of DeNB (ms)


600
time
On-board UE2 TMRN TDeNB
0 500
TUE+TMRN+TDeNB TUE+2TMRN+TDeNB
time
400

Fig. 5. Computational Delay of DeNB, when TM RN > TDeNB 300

Under both cases, the time consumption of the on-board 200


UEs with the minimum delay keeps the same, i.e., the compu-
100
tational delay of the first on-board UE, which is TminUE =
TUE + TMRN + TDeN B . In our proposed handover key 0
1 2 3 4
management scheme, we use Eq. (9) to calculate the maximum Number of MRN
delay of the on-board UEs, since TMRN TDeN B . And the
total time consumption of the target DeNB during the session Fig. 7. Comparison of Computational Delay of DeNB w.r.t. the number of
key establishment process is TtotalDeN B = mTmaxUE . MRN
Since there are m MRNs installed on the public transportation,
and the time consumption of the target DeNB with one MRN exploiting the group handover scheme by choosing different
equals the maximum transmission delay of the on-board UE. number of MRNs, which ranges from 1 to 4. As shown
To validate the efficiency of the proposed group handover in Fig. 7, the total computational delay of the target DeNB
key management scheme, we compare the proposed scheme (with and without exploiting group signature) increases w.r.t.
with the sequential handover scheme, that is, on-board UEs the increase of the number of MRNs, when the number of
conduct the handover separately. The time consumption of the on-board UEs are set to be 40 and 60, respectively.
each on-board UE without exploiting the group handover is This is explained by the fact that for multiple MRNs, the
TminUE , and the total time consumption of the target DeNB computational delay of the on-board UE and the MRNs in

is TtotalDeN B = nTminUE . TtotalDeN B are calculated multiple times. In the sequential
In Fig. 6, we compare the computational delay of the target handover scheme, the computational delay of the target DeNB

DeNB with and without exploiting the group handover scheme TtotalDeN B almost keep the uniform, this is explained by the
with varying number of the on-board UEs, which is from fact that each on-board UE calculates the computational delay
20 to 80. As shown in Fig. 6, with more on-board UEs, the independently.
computational delay of the target DeNB becomes longer, when Since the proposed group handover key management
the number of the MRN is set to be 1 and 2, respectively. scheme not only needs to consider the computational delay
As shown in Fig. 6 and Fig. 7, the computational delay of of the DeNB, but also needs to evaluate the computational
the DeNB in our proposed group handover scheme is always delay of the on-board UEs, which is related to the quality of
shorter than that in the sequential handover scheme, which service of the on-board UEs. Thus we compare the maximum,
shows the efficiency of our proposed scheme in terms of the average, and minimum computational delay of an on-board UE
DeNBs computational delay. in the group handover scheme in Fig. 8, when the number of
Given the same parameter setup, we simulate and compare MRN is set to be 2 and 3. With the increase of the number of
the computational delay of the target DeNB with and without the on-board UEs, the maximum and average computational

2327-4662 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2614976, IEEE Internet of
Things Journal

IEEE INTERNET OF THINGS JOURNAL, VOL. XX, NO. XX, JANUARY 2016 9

300
Maximum Delay, Num RN=2
Average Delay, Num RN=2
250 Maximum Delay, Num RN=3
Average Delay, Num RN=3 600
Minimum Delay

Maximum Delay of UE (ms)


500
Delay of One UE (ms)

200
400

150 300

200
100
100

50 0 1
100 2
80 3
60
40 4
0 20
20 30 40 50 60 70 80 90 100 0 5
Number of UEs Number of MRNs
Number of UE

Fig. 8. Computational Delay of UE w.r.t. the Number of UE Fig. 10. Maximum Computational Delay of UE w.r.t. the Number of MRN
and UE

delay of the on-board UE increases. This is because with more B. Communication and Storage Overhead
on-board UEs, the maximum and average waiting time of the In order to analyze the communication overhead, we as-
on-board UEs are longer. sume that both the MRN and the DeNB successfully re-
The computational delay of the on-board UE is also related encrypts and decrypts the received messages. For each MRN,
to the number of the MRN, so we compares the maximum, since the length of the generator H1 (L) is 1024 bits, the
average, and minimum computational delay of the on-board total throughput caused by the location-based generator is
UEs. We simulate the computational delay of the on-board calculated as T hroughputLB = 1024 m bits. For the on-
UEs by choosing different number of MRN, which is from board UEs under the coverage of one MRN, the introduced
1 to 5. As shown in Fig. 9, with more MRNs, the maximum throughput is T hroughputUE = 3 1024 n bits. The overall
and average computational delay of the on-board UE decrease. throughput taking the 1024 bits re-encryption key transmission
This is because the increase of the number of the on-board into consideration is 1024 + 1024 m + 3072 n m bits.
UEs lead to the decrease of the number of the on-board UEs We analyze the storage overhead of the handover key man-
attached to each MRN, the maximum and average waiting time agement scheme, from the perspective of the three involved
of the on-board UE decrease. entities. For the on-board UEs, the occupied storage space for
the public key of the MME is 1024 bits. The storage space
of the MRN for the re-encryption key is also 1024 bits. From
350 the perspective of the DeNB, the storage space of the public
Maximum Delay, Num UE=60
Average Delay, Num UE=60
keys belongs to the on-board UEs is 1024 m n bits.
300
Maximum Delay, Num UE=40
Average Delay, Num UE=40
250
Minimum Delay
VII. R ELATED W ORKS
Delay of One UE (ms)

200
Our work is related to the secure handover key management
scheme via mobile relay in LTE-A networks. In this section,
150 we discuss some related work on the concept and characteris-
tics of mobile relay, and we also review the key management
100
during handover in LTE-A networks.
Mobile relay networks. The study of the MRN has attracted
50
great attention in LTE-Advanced networks, and we make a
0 brief review on some current directions of the MRN related
1 2 3 4 5
Number of MRN
to our work [11] [14] [28]. One direction mainly concentrates
on the comparison between architectures for the mobile relays.
Fig. 9. Computational Delay of UE w.r.t. the Number of MRN In [11], the authors investigate the network architecture of the
mobile relays, that is, the packet data-gateway and the serving-
As shown in Fig. 10, we show the maximum computational gateway selection during mobile relay handover processes.
delay of UE w.r.t. the increase of number of MRN and UE. The other direction is related to the mobility management
The maximum computational delay of UE increases w.r.t. the scheme, that is, group handover [14] [28]. The group handover
increase of the number of UE under the same number of MRN. is investigated under the scenario that when on-board UEs are
While with the increase of the number of MRN, the maximum travelling in a public transportation, they will be stay in close
computational delay of UE decreases under the same number distance with each other and perform handovers simultane-
of UE. ously which may lead to the network congestion and blocked

2327-4662 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2614976, IEEE Internet of
Things Journal

IEEE INTERNET OF THINGS JOURNAL, VOL. XX, NO. XX, JANUARY 2016 10

handover [29] [30]. The group handover strategy treats the NTU/NXP Smart Mobility Test-bed, and the National Natural
on-broad UEs under the coverage of one MRN as a group, so Science Foundation of China [No.61303218].
that the signalling overhead and handover delay can be reduced
and it can also decrease the rate of radio link failure. The au- R EFERENCES
thors in [31] proposed a novel eNodeB-to-eNodeB handover
[1] A. Le, J. Loo, A. Lasebae, M. Aiash, and Y. Luo, 6lowpan: a study
scheme for high speed moving vehicular femtocell networks, on qos security threats and countermeasures using intrusion detection
by utilizing an outside transceiver to perform handover, the system approach, Int. J. Communication Systems, vol. 25, no. 9, pp.
connections between outside transceivers and eNodeBs are 11891212, 2012.
[2] Z. Zhou, M. Dong, K. Ota, G. Wang, and L. T. Yang, Energy-efficient
maintained seamlessly, and the outage probability is reduced resource allocation for D2D communications underlaying cloud-ran-
compared to conventional handover scheme. However, very based LTE-A networks, IEEE Internet of Things Journal, vol. 3, no. 3,
limited efforts have been made on the issues of security and pp. 428438, 2016.
[3] J. Wu, M. Dong, K. Ota, L. Liang, and Z. Zhou, Securing distributed
key management scheme in mobile relay networks [32]. storage for social internet of things using regenerating code and blom
Handover Key Management. There have has been a few key agreement, Peer-to-Peer Networking and Applications, vol. 8, no. 6,
research works related to the key management strategies pp. 11331142, 2015.
[4] L. Costantino, N. Buonaccorsi, C. Cicconetti, and R. Mambrini, Per-
during the handover process in LTE-A networks [18] [19] [21] formance analysis of an LTE gateway for the iot, in 2012 IEEE
[33]. The authors in [21] identify the possible threats of desyn- International Symposium on a World of Wireless, Mobile and Multimedia
chronization attacks during the handover key management, Networks, WoWMoM 2012, San Francisco, CA, USA, June 25-28, 2012,
2012, pp. 16.
which may disrupt the forward key separation, and leaving [5] R. W. H. Jr., M. L. Honig, S. Nagata, S. Parkvall, and A. C. K. Soong,
the subsequent keys vulnerable to be compromised. Currently, Lte-advanced pro: part 1 [guest editorial], IEEE Communications
the most effective way to avoid the desynchronization attack Magazine, vol. 54, no. 5, pp. 7475, 2016.
[6] Z. Zhou, M. Dong, K. Ota, and Z. Chang, Energy-efficient context-
is using the root key update, i.e., the EPS-AKA [33]. The aware matching for resource allocation in ultra-dense small cells, IEEE
EPS-AKA process involves the mutual authentication between Access, vol. 3, pp. 18491860, 2015.
the UE and the core network, and the corresponding key [7] M. Peng, Y. Li, Z. Zhao, and C. Wang, System architecture and key
technologies for 5g heterogeneous cloud radio access networks, IEEE
derivation. However, this authentication method requires the Network, vol. 29, no. 2, pp. 614, 2015.
transmission of the UEs identity, and the transmission of [8] L. Atzori, A. Iera, and G. Morabito, The internet of things: A survey,
UE identities through the MRN brings potential threats to Computer Networks, vol. 54, no. 15, pp. 27872805, 2010.
[9] J. Gubbi, R. Buyya, S. Marusic, and M. Palaniswami, Internet of things
the on-board UEs. In our work, we develop a novel secure (iot): A vision, architectural elements, and future directions, Future
key management scheme in mobile relay networks without Generation Comp. Syst., vol. 29, no. 7, pp. 16451660, 2013.
the transmission of the identities, and it also does not bring [10] Technical specification group radio access network; mobile relay for
evolved universal terrestrial radio access (e-utra), 3GPP TR 36.836,
computational load to the core network. To the best of our 2012.
knowledge, our work is the first key management scheme in [11] L. Chen, Y. Huang, F. Xie, Y. Gao, L. Chu, H. He, Y. Li, F. Liang, and
mobile relay networks. Y. Yuan, Mobile relay in lte-advanced systems, IEEE Communications
Magazine, vol. 51, no. 11, pp. 144151, 2013.
[12] J. Kokkoniemi, J. Ylitalo, P. Luoto, S. Scott, J. Leinonen, and M. Latva-
VIII. C ONCLUSION aho, Performance evaluation of vehicular LTE mobile relay nodes, in
24th IEEE Annual International Symposium on Personal, Indoor, and
In this paper, we have proposed a secure handover key Mobile Radio Communications, PIMRC 2013, London, United Kingdom,
management scheme in the third-party owned MRN scenario, September 8-11, 2013, 2013, pp. 19721976.
[13] O. Altrad and S. Muhaidat, Intra-frequency handover algorithm design
which mainly concentrates on establishing secure session keys in LTE networks using doppler frequency estimation, in Workshops
between the on-board UEs and the target DeNB while exploit- Proceedings of the Global Communications Conference, GLOBECOM
ing the third-party owned MRNs during the key establishment 2012, 3-7 December 2012, Anaheim, California, USA, 2012, pp. 1172
1177.
without disclosing the content of the session keys. Detailed [14] Y. Sui, J. Vihriala, A. Papadogiannis, M. Sternad, W. Yang, and
analysis shows that the proposed secure handover key man- T. Svensson, Moving cells: a promising solution to boost performance
agement scheme can successfully establish the session keys, for vehicular users, IEEE Communications Magazine, vol. 51, no. 6,
2013.
achieve the requirements of the backward and forward key [15] N. Lin, X. Huang, and X. Ma, Analysis of the uplink capacity in
separation, and resist the collusion attack. We also conducted the high-speed train wireless communication with full-duplex mobile
the performance evaluation in terms of computational cost, relay, in IEEE 83rd Vehicular Technology Conference, VTC Spring
2016, Nanjing, China, May 15-18, 2016, 2016, pp. 15.
communication overhead, and storage cost to demonstrate the [16] F. Y. Lin, C. Hsiao, K. Chu, and Y. Liu, Minimum-cost qos-constrained
effectiveness and efficiency of our proposed scheme, and the deployment and routing policies for wireless relay networks, J. Applied
trade-off between the number of MRNs and the computational Mathematics, vol. 2013, pp. 517 846:1517 846:19, 2013.
[17] C. Lai, H. Li, R. Lu, R. Jiang, and X. Shen, SEGR: A secure and
latency was deliberately discussed. In our future work, we plan efficient group roaming scheme for machine to machine communications
to carry on smart-phone based and real public transportation between 3gpp and wimax networks, in IEEE International Conference
scenario based experiments to verify the effectiveness and on Communications, ICC 2014, Sydney, Australia, June 10-14, 2014,
2014, pp. 10111016.
efficiency of the proposed handover key management scheme. [18] G. M. Kien, Mutual entity authentication for LTE, in Proceedings of
the 7th International Wireless Communications and Mobile Computing
Conference, IWCMC 2011, Istanbul, Turkey, 4-8 July, 2011, 2011, pp.
ACKNOWLEDGMENTS 689694.
This research is supported in part by the research grant [19] D. Forsberg, LTE key management analysis with session keys context,
Computer Communications, vol. 33, no. 16, pp. 19071915, 2010.
S15-1105-RF-LLF URBAN from the Economic Develop- [20] 3GPP system architecture evolution (SAE); security architecture (Re-
ment Board, Singapore, for the project of Development Of lease 11), 3GPP TS 33.401, 2011.

2327-4662 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2614976, IEEE Internet of
Things Journal

IEEE INTERNET OF THINGS JOURNAL, VOL. XX, NO. XX, JANUARY 2016 11

[21] C. Han and H. Choi, Security analysis of handover key management Rongxing Lu (S09-M11-SM15) received the
in 4g LTE/SAE networks, IEEE Trans. Mob. Comput., vol. 13, no. 2, Ph.D. degree in computer science from Shanghai
pp. 457468, 2014. Jiao Tong University, Shanghai, China, in 2006, and
[22] M. L. Das, Two-factor user authentication in wireless sensor networks, the Ph.D. degree in electrical and computer engineer-
IEEE Transactions on Wireless Communications, vol. 8, no. 3, pp. 1086 ing from the University of Waterloo, Waterloo, ON,
1090, 2009. Canada, in 2012. From May 2012 to April 2013,
[23] M. Rezvani, A. Ignjatovic, E. Bertino, and S. Jha, Secure data aggrega- he was a Postdoctoral Fellow with the University
tion technique for wireless sensor networks in the presence of collusion of Waterloo. Since May 2013, he has been an
attacks, IEEE Trans. Dependable Sec. Comput., vol. 12, no. 1, pp. 98 Assistant Professor with the School of Electrical
110, 2015. and Electronic Engineering, Nanyang Technological
[24] R. Lu, X. Lin, and X. S. Shen, SPOC: A secure and privacy-preserving University, Singapore. Since August 2016, Rongxing
opportunistic computing framework for mobile-healthcare emergency, Lu has been an Assistant Professor with the Faculty of Computer Sci-
IEEE Trans. Parallel Distrib. Syst., vol. 24, no. 3, pp. 614624, 2013. ence, University of New Brunswick. His research interests include computer
[25] H. Lin, J. Shao, C. Zhang, and Y. Fang, CAM: cloud-assisted privacy network security, mobile and wireless communication security, and applied
preserving mobile health monitoring, IEEE Transactions on Informa- cryptography. Dr. Lu was the recipient of the Canada Governor General Gold
tion Forensics and Security, vol. 8, no. 6, pp. 985997, 2013. Metal.
[26] M. Bauer, Proofs of zero knowledge, CoRR, vol. cs.CR/0406058,
2004.
[27] A. D. Caro and V. Iovino, jpbc: Java pairing based cryptography, in
Proceedings of the 16th IEEE Symposium on Computers and Commu-
nications, ISCC 2011, Kerkyra, Corfu, Greece, June 28 - July 1, 2011,
2011, pp. 850855.
[28] M. Pan, T. Lin, and W. Chen, An enhanced handover scheme for
mobile relays in LTE-A high-speed rail networks, IEEE T. Vehicular
Technology, vol. 64, no. 2, pp. 743756, 2015.
[29] W. Lee and D. Cho, Enhanced group handover scheme in multiaccess
networks, IEEE Trans. Vehicular Technology, vol. 60, no. 5, pp. 2389
2395, 2011.
[30] , Group handover scheme using adjusted delay for multi-access
networks, in Proceedings of IEEE International Conference on Com-
munications, ICC 2010, Cape Town, South Africa, 23-27 May 2010,
Shuo Chen received the Master of Engineering
2010, pp. 15.
degree from the School of Electrical and Electronic
[31] S. Chae, T. Nguyen, and Y. M. Jang, A novel handover scheme
Engineering at Nanyang Technological University,
in moving vehicular femtocell networks, in 2013 Fifth International
Singapore in 2014. He is currently a Research As-
Conference on Ubiquitous and Future Networks (ICUFN), Da Nang,
sociate of the School of Electrical and Electronic
2013, 2013, pp. 144148.
Engineering at Nanyang Technological University,
[32] R. Balakrishnan, X. Yang, M. Venkatachalam, and I. F. Akyildiz,
Singapore. His research interests include network
Mobile relay and group mobility for 4g wimax networks, in 2011 IEEE
security and applied cryptography.
Wireless Communications and Networking Conference, WCNC 2011,
Proceedings, Cancun, Mexico, 28-31 March, 2011, 2011, pp. 1224
1229.
[33] C. Lai, H. Li, R. Lu, and X. S. Shen, SE-AKA: A secure and efficient
group authentication and key agreement protocol for LTE networks,
Computer Networks, vol. 57, no. 17, pp. 34923510, 2013.

Hui Zhu (M13) received the M.Sc. degree from


Wuhan University, Wuhan, China, in 2005, and the
Ph.D. degrees from Xidian University, Xian, China,
in 2009. From June 2010 to December 2014, he was
an associate professor with the school of Telecom-
munications Engineering, Xidian University, China.
Since January 2015, he has been with the school
of Cyber Engineering, Xidian University, China, as
an associate professor. His research interests are in
the areas of applied cryptography, cyber security and
privacy.
Qinglei Kong (S15) received the M.Eng. degree in
electronic and information engineering from Shen-
zhen Graduate School, Harbin Institute of Tech-
nology, Shenzhen, China, in 2015, and the B.Eng.
degree in communication engineering from Harbin
Institute of Technology, Harbin, China, in 2012.
She is currently pursuing Ph.D. degree in School
of Electrical and Electronic Engineering, Nanyang
Technological University, Singapore, since 2015.
Her research interests include wireless communica-
tions, VANET, and game theory.

2327-4662 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.