
2017 International Conference on Advanced Computing and Communication Systems (ICACCS-2017), Jan. 06 – 07, 2017, Coimbatore, INDIA

A Secure Certificate Based Authentication to Reduce Overhead for Heterogeneous Wireless Network

M. Prasad, Dept. of Computer Science and Engineering, Pondicherry Engineering College, Puducherry, India. Prasad.m.m@ieee.org
Dr. R. Manoharan, Dept. of Computer Science and Engineering, Pondicherry Engineering College, Puducherry, India

978-1-5090-4559-4/17/$31.00 ©2017 IEEE

Abstract— Heterogeneous Wireless Networks (HWN) face various challenging issues, of which seamless and secure handoff are the most important; this is due to the open access medium and the frequent mobility of users among various wireless networks. This requires strong, quick and mutual authentication during Vertical Handover (VHO). This paper presents a novel authentication algorithm, Signed Trusted Authentication for Vertical Handover (STAVHO). It has the ability to protect the identity of the user and provides data integrity and confidentiality. STAVHO also resists man-in-the-middle and replay attacks.

Keywords— Vertical handover, Heterogeneous Wireless Networks, Authentication, Attacks.

I. INTRODUCTION

A large number of wireless networking technologies, including LTE, WLANs, Bluetooth and Ultrawideband, are being developed, deployed and merged into the core of the networking infrastructure of the Internet Protocol Suite (IP). IPv4 is widely deployed throughout the Internet and the deployment of IPv6 is in process. IPv6 provides a large IP address space (128 bits) as well as easier protocol processing and mobility enhancements. The enhanced IP must therefore support the key features associated with wireless networking, including handover, location services and mobility management. However, with multiple choices available from many service providers, different access technologies and different applications' QoS requirements, there is a significant need to provide a single unified approach. The LTE-A architecture envisages flexible and adaptive incorporation of various mobile client systems and network technologies to support a built-in ability for uninterrupted wireless access. Indirectly, it also means that there will be a need for mobile devices that can cope with the complexity and dynamics of next generation (LTE-A) wireless access environments.

The improvement in technologies, services and devices creates a gap between the service levels offered by new access networks and adds more complexity to the handover process. The network must support integrated location management for uninterrupted roaming as well as for micro and macro cell mobility management. It provides higher mobility and wide area coverage. On the other hand, WLAN offers high data rates with low mobility over smaller areas.

Depending on their requirements, users can choose their desired network among the available wireless networks. The integration of WLAN and UMTS, along with a handover reservation protocol, is presented by Faouzi Zarai [1]. This integration improves bandwidth and quality of service in the heterogeneous wireless network. It can be further enhanced to provide handover authentication and hence provide security in a foreign network. Vertical Handover is the key point for the integration of different network technologies so as to use the best characteristics of each technology.

Various research efforts are going on in heterogeneous wireless networks, leading to significant improvements that depend upon the needs of the users. With the enormous increase in the number of subscribers and service providers, authentication of the communicating entities is mandatory. Authentication is required to grant access to network resources only to registered and valid users. The identity of the user is validated and safeguarded by the authority. Mutual authentication enables secure future communication in combination with cryptographic functions in wireless networks. It secures the interaction between communicating entities and provides data integrity, confidentiality and protection against various attacks.

Designing an efficient authentication algorithm to authenticate unknown subscribers in a foreign network is a challenging task. At the entry point of the unknown subscriber to the foreign network there are no validation credentials about the subscriber. The subscriber's identity must be protected from adversary attacks during the handover so as to make the subscriber's movement untraceable.

In wireless networks authentication can be provided in two ways: password based and certificate based. Even though certificate based authentication requires more overhead in certificate management, it is highly secure. Here we present a certificate based authentication built on a symmetric key distribution which enables subscribers to receive a certificate from the foreign network. The authentication combines the Extensible Authentication

Protocol – Transport Layer Security (EAP-TLS) [2], which provides continuous mobility for the mobile node with a symmetric certificate and thereby privacy for subscribers. STAVHO provides privacy and integrity for subscribers along with the advantages of EAP-TLS, such as mutual authentication, key exchange and establishment. It provides support for data integrity, fragmentation, reassembly and protection against various attacks throughout the communication session.

The heterogeneous wireless network must satisfy the following requirements for a secure authentication process: mutual authentication, credential security, and resistance to dictionary, man-in-the-middle, forgery, replay and Denial of Service attacks. Besides these requirements, several recommendations are also needed for secure handover in a foreign network, such as regulation of management messages, integrity checks, a key protection mechanism, reduced computational overhead and fast reconnection.

TABLE 1. VARIOUS TECHNOLOGIES AND THEIR SPECIFICATIONS

Network      | Coverage       | Data Rates              | Mobility  | Cost
4G           | Approx. 100 Km | 1 Gb/s                  | Very high | High
GSM/GPRS     | Approx. 35 Km  | 9.6 kb/s up to 144 kb/s | High      | High
IEEE 802.16a | Approx. 30 Km  | Max. 70 Mb/s            | Medium    | Medium
IEEE 802.20  | Approx. 20 Km  | 1-9 Mb/s                | Very high | High
UMTS         | 20 Km          | Up to 2 Mb/s            | High      | High
HIPERLAN 2   | 70 up to 300 m | 25 Mb/s                 | Medium    | Low
IEEE 802.11a | 50 up to 300 m | 54 Mb/s                 | Medium    | Low
IEEE 802.11b | 50 up to 300 m | 11 Mb/s                 | Medium    | Low
Bluetooth    | 10 m           | Max. 700 Kb/s           | Very low  | Low

II. RELATED WORKS

The enormous increase in service providers and subscribers in next generation wireless networks calls for an effective authentication protocol that restricts subscribers to accessing only valid resources. Extensive research has been carried out on authentication procedures during and after handover in heterogeneous wireless networks.

EAP [3] is an authentication framework which provides for the transport and usage of keying material and parameters generated by the EAP method. Each protocol that uses EAP defines a way to encapsulate EAP messages within that protocol's messages, together with the ability to generate and exchange keys. It provides a flexible framework for administrators to choose the appropriate method for their work and to modify the authentication procedure according to their security requirements.

Some of the EAP authentication protocols that support robust authentication for roaming subscribers in wireless networks are considered here. EAP-TLS provides mutual authentication between client and server with a robust, secure public key certificate based authentication protocol. It also affords protection against man-in-the-middle and replay attacks. However, EAP-TLS does not provide identity protection for subscribers, and creating and managing the subscribers' certificates imposes more overhead. Tunneled TLS (EAP-TTLS) and Protected EAP (PEAP) were developed to overcome the flaws of EAP-TLS. By using a public key algorithm and a certificate issued by a mutually trusted certificate authority, a secure tunnel is established between the server and the client. EAP-TTLS [4] involves a double execution of EAP-TLS, so it consumes more processing overhead in its execution.

EAP-TTLS is an EAP method that provides enhanced functionality beyond that available in EAP-TLS. It uses a TLS handshake to mutually authenticate a client and server. It extends this authentication negotiation by using the secure connection established by the TLS handshake to exchange additional information between client and server. It allows legacy password based authentication protocols to be used against existing authentication protocols. The only difference between PEAP and EAP-TTLS is that it authenticates the server to the client; other than that both are similar in all ways. This leads to a reduction in the complexity of the protocol and in the computational cost, and it also protects user identity. In rare cases EAP-TTLS and PEAP are subject to man-in-the-middle attack.

EAP for the Subscriber Identity Module (EAP-SIM) [5] was designed for cellular communication networks; its mechanism specifies enhancements to GSM authentication and key agreement whereby multiple authentication triplets can be combined to create authentication responses and session keys of greater strength than the individual GSM triplets. The mechanism also includes network authentication, user anonymity support, result indications and a fast re-authentication procedure.

A privacy preserving fast handover mechanism has been proposed based on pseudonyms. In general the pseudonym is provided by the mobile station in the initial authentication. For every handover authentication process the pseudonym is changed according to a credential ticket generated by the successive base station using a multiple base station group key. It protects the mobile station's privacy in identity and makes it untraceable. It achieves lower computational cost and communication overhead.

A fast authentication scheme for vertical handover is based on a key reuse process, which allows the subscriber to reuse the key for repeated transactions at a remote server. Further, it improves handover performance and reduces packet loss.

A fast iterative localized (FIL) re-authentication replaces the existing fast re-authentication of the EAP-AKA protocol in wireless heterogeneous networks. EAP-AKA still has

a high re-authentication delay, session load and cryptographic operation load. FIL re-authentication provides the same level of security as EAP-AKA and improves the re-authentication speed through localization and an iteration process in the eNB.

Fig 1. EAP-TLS protocol

The Tunnel based Secure Authentication Scheme (TEASE) has been proposed to provide seamless roaming in wireless networks for real-time applications. A tunnel is used to forward packets between the new access point and the original reliable access point. Handover security is achieved without increasing the overhead on the authentication server, and handover latency is minimized. It also significantly reduces the communication interruption time and yields a low packet loss ratio.

Fig 2. Initial Authentication

III. OVERVIEW OF EAP-TLS PROTOCOL

The requirements of the Heterogeneous Wireless Network mainly demand mutual authentication between the client and the server. EAP-TLS provides mutual authentication and is highly secure; the description of this protocol is listed below:

1. EAP-TLS communication begins between the client and the server.
2. It uses certificates based on a public key infrastructure.
3. The certificates are provided to the server and the client by the certificate authority.
4. The client certificate must be valid to survive in the network and to establish communication with the server.
5. The certificate provided by the certificate authority is needed for the server to validate the client certificate.

Fig 3. STAVHO Algorithm

Remarkable features of EAP-TLS are:

1. Mutual Authentication
2. Fragmentation and Reassembly
3. Key exchange
4. Fast reconnect
5. Protection against man-in-the-middle and replay attacks.

The flow of the EAP-TLS protocol is shown in figure 1.

1. The User Equipment sends the EAPOL request to the server.
2. The server sends an EAP request for the user identity.
3. The user responds with an identity to the server.
4. The server receives the identity and sends a request with the EAP-TLS packet type and the start bit to the user.
5. The user responds with a client hello message carrying the EAP-TLS packet type, session ID, random number and cipher message to the server.
6. The server sends an EAP request with the server hello message, EAP-TLS packet type, version number, certificate of authentication, and a return acknowledgement for the client hello response message with server parameters, to initiate the key exchange.
7. The user responds with a signed certificate, the already shared master key and the client key to the server for verification.
8. The server verifies the key sent by the user and sends the finish handshake message.
9. If the verification is successful the user receives the finish handshake message and responds with a null message.
10. The end of the session is given by the server with a success message.
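The flow above names several pieces of EAP framing that carry the handshake: the identity request/response (steps 2 and 3), the EAP-TLS packet type with the start bit (step 4), and the fragmentation and reassembly feature. The following is an added example, written for this page and not taken from the paper, showing how those packets are built and checked according to RFC 3748 (EAP header) and RFC 5216 (EAP-TLS flags byte). The identity string, the server record and the 1000-byte fragment size are constructed sample values; a real peer would carry the TLS handshake messages of steps 5 to 9 inside these fragments.

```python
import struct

# EAP codes and types (RFC 3748); EAP-TLS type and flag bits (RFC 5216)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_EAP_TLS = 1, 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # Length included / More fragments / Start

def eap_packet(code, identifier, body=b""):
    """EAP header: Code(1) Identifier(1) Length(2); Length covers the header too."""
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_eap(packet):
    """Return (code, identifier, body); reject packets whose Length field lies."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    return code, identifier, packet[4:]

def is_valid_response(request, response):
    """A Response must echo the Request's Identifier and Type (RFC 3748); a stale
    or replayed response carrying another Identifier is discarded."""
    rcode, rid, rbody = parse_eap(request)
    scode, sid, sbody = parse_eap(response)
    return (rcode == EAP_REQUEST and scode == EAP_RESPONSE
            and rid == sid and rbody[:1] == sbody[:1])

def eap_tls_start(identifier):
    """Step 4 of the flow: EAP-TLS type with only the S (Start) bit and no data."""
    return eap_packet(EAP_REQUEST, identifier, bytes([TYPE_EAP_TLS, FLAG_S]))

def fragment_tls(code, first_identifier, tls_message, max_frag):
    """Split one TLS message into EAP-TLS packets of at most max_frag TLS bytes.
    The first fragment sets L and announces the total length, every fragment but
    the last sets M, and the Identifier advances by one per fragment (a real peer
    acknowledges each fragment with an empty EAP-TLS packet in between)."""
    packets, offset, identifier = [], 0, first_identifier
    while True:
        chunk = tls_message[offset:offset + max_frag]
        flags = 0
        if offset == 0 and len(tls_message) > max_frag:
            flags |= FLAG_L
        if offset + len(chunk) < len(tls_message):
            flags |= FLAG_M
        body = bytes([TYPE_EAP_TLS, flags])
        if flags & FLAG_L:
            body += struct.pack("!I", len(tls_message))
        packets.append(eap_packet(code, identifier, body + chunk))
        offset += len(chunk)
        identifier = (identifier + 1) & 0xFF
        if offset >= len(tls_message):
            return packets

class TlsReassembler:
    """Rebuild a TLS message from EAP-TLS fragments, checking Identifier order
    and the announced length before the bytes reach the TLS layer."""

    def __init__(self):
        self.buffer, self.expected_len, self.last_identifier = bytearray(), None, None

    def feed(self, packet):
        """Return the complete TLS message, or None while fragments are pending."""
        _code, identifier, body = parse_eap(packet)
        if len(body) < 2 or body[0] != TYPE_EAP_TLS:
            raise ValueError("not an EAP-TLS packet")
        if self.last_identifier is not None and identifier != ((self.last_identifier + 1) & 0xFF):
            raise ValueError("fragment out of order or duplicated")
        self.last_identifier = identifier
        flags, data = body[1], body[2:]
        if flags & FLAG_L:  # first fragment announces the full TLS message length
            self.expected_len = struct.unpack("!I", data[:4])[0]
            data = data[4:]
        self.buffer += data
        if flags & FLAG_M:
            return None
        if self.expected_len is not None and len(self.buffer) != self.expected_len:
            raise ValueError("reassembled length differs from announced length")
        message = bytes(self.buffer)
        self.__init__()
        return message

def demo():
    """Steps 2 to 6 of the flow with a constructed identity and a constructed
    2819-byte server record that needs three 1000-byte fragments."""
    identity_req = eap_packet(EAP_REQUEST, 1, bytes([TYPE_IDENTITY]))
    identity_resp = eap_packet(EAP_RESPONSE, 1, bytes([TYPE_IDENTITY]) + b"ue@example.org")
    stale_resp = eap_packet(EAP_RESPONSE, 9, bytes([TYPE_IDENTITY]) + b"ue@example.org")
    start = eap_tls_start(2)
    server_record = bytes(range(256)) * 11 + b"\x16\x03\x03"  # constructed filler
    fragments = fragment_tls(EAP_REQUEST, 3, server_record, 1000)
    reassembler = TlsReassembler()
    results = [reassembler.feed(p) for p in fragments]
    return {
        "identity_ok": is_valid_response(identity_req, identity_resp),
        "stale_rejected": not is_valid_response(identity_req, stale_resp),
        "start_flags": parse_eap(start)[2][1],
        "fragment_flags": [parse_eap(p)[2][1] for p in fragments],
        "reassembled_ok": results == [None, None, server_record],
    }

if __name__ == "__main__":
    print(demo())
```

The two checks in the reassembler are the ones a practitioner cares about: the Identifier sequence rejects a duplicated or re-ordered fragment, and the announced length rejects a handshake that arrives short or padded, so that only a complete, in-order TLS message is handed to the certificate verification of steps 7 and 8.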

IV. SIGNED TRUSTED AUTHENTICATION FOR VERTICAL HANDOVER (STAVHO) PROTOCOL

STAVHO is a robust handover authentication protocol which satisfies all the requirements of the heterogeneous wireless network. It is based on the EAP-TLS specifications for authentication as well as for key exchange. Initially a certificate sharing scheme based on a symmetric key is proposed, which is used by the user equipment to obtain the certificate from the foreign network for successful authentication in vertical handover.

The main feature of the proposed protocol is that, instead of sending its certificate, the user equipment has to request the certificate from the foreign network. How authentication is carried out with this is illustrated in figures 2 and 3. It preserves the identity of the user equipment.

Let us assume that the user equipment with SIM is legally registered with the cellular network (home network). After the home network registration it has never moved to a foreign network for handover, and the foreign network may be one of several different 802.11 networks. Here is a scenario in which the user equipment moves between the home network and the foreign network and needs access to the foreign network. In this scenario the home network has signed a roaming agreement with the foreign networks. As per the agreement both the home and foreign networks authenticate each other and share their public keys. The certificate authority service issues certificates to both networks. A symmetric key is shared and stored between the user equipment and the home network. The public key is known by all the entities in the network, such as the user equipment, home network and foreign network.

V. PERFORMANCE ANALYSIS OF STAVHO

This section gives an investigation of the proposed STAVHO protocol for the heterogeneous wireless network. Through the distribution of the new certificate scheme, the time variable and the random variable, the location of the user is hidden and untraceable, because with the generated random variable a temporary ID is created for each UE, and with the changing temporary ID the UE is untraceable. The protection STAVHO provides against various attacks is listed below:

Table 1. Parameters

Parameter    | Description
TUE-FeNB     | Transmission delay between UE and FeNB
TUE-ID verif | UE identity verification process
SUE-ENC      | Encryption time of UE key
SFeNB-DEC    | Decryption of UE message in FeNB
PUE          | Delay in processing message from UE
PFeNB        | Delay of processing message from FeNB in eNB
PSUM         | Total system delay for processing
TSUM         | Total system delay for transmission
T            | Total system delay

Table 1 lists the parameters used to calculate the transmission delay, the processing delay and the total system delay.

The total transmission delay is given by TSUM = TUE-FeNB + TUE-ID verif.
The total processing delay is given by PSUM = PUE + PFeNB + SUE-ENC + SFeNB-DEC.
The total system delay is given by T = TSUM + PSUM.

Passive attack: In this type of attack an intruder sniffs a valid request packet but is unable to decrypt it without the private key, because the message is encrypted with the corresponding public key. Key generation is based on the SHA-1 hash function, so it is tamper proof and cannot be decrypted without the corresponding private key. Hence the STAVHO protocol is resistant to passive attack.

Man-in-the-middle attack: An attacker can mislead the client into authenticating to a fake server and forward the verification. In STAVHO the UE generates a temporary public key pair known only to the UE, and it is resistant to passive attack. Hence the attacker is unable to get the key, so the key is unknown to other entities.

Table 2. Comparison of Authentication Protocols

Parameter             | STAVHO             | EAP-TLS         | EAP-TTLS        | PEAP
Server Authentication | PKI Certificate    | PKI Certificate | PKI Certificate | PKI Certificate
Mutual Authentication | YES                | YES             | YES             | YES
UE Authentication     | Yes by certificate | Yes by PKI      | Yes by PKI      | Yes by PKI
User Identity         | YES                | No              | No              | No
Roaming Capability    | YES                | No              | No              | No
Man-in-the-middle     | No                 | No              | Rare case       | Rare case
Replay                | No                 | No              | No              | No
DOS                   | No                 | No              | No              | No
Dictionary attack     | No                 | No              | No              | No
Fast Reconnect        | High               | High            | Low             | Low

VI. COMPARISON

Existing protocols provide mutual authentication, hence the communication is secure; on the client side, certificate generation increases security. But certificate generation and management impose overhead on the system. The existing protocols do not provide user identity protection, hence the user is traceable. A detailed comparison is shown in table 2.

VII. CONCLUSION

The STAVHO protocol provides easy and fast re-authentication in the handover process for a foreign network. It provides a symmetric key based certificate scheme with EAP-TLS. It provides a higher standard of authentication than EAP-TLS. STAVHO provides user identity protection and roaming capability, and maintains the integrity and confidentiality of data during the communication session. It is also capable of resisting man-in-the-middle, replay,

DOS and Dictionary attacks, and it reduces the overhead of the system.

REFERENCES

[1] Faouzi Zarai, Noureddine Boudriga, Mohammad S. Obaidat. WLAN–UMTS Integration: Architecture, Seamless Handoff, and Simulation Analysis. SIMULATION, International Transactions of The Society for Modelling and Simulation 2006; 82(6): 413–424, DOI: 10.1177/0037549706070275.
[2] Simon D, Aboba B, Hurst R. RFC 5216: The EAP-TLS authentication protocol, 2008.
[3] Aboba B, Blunk L, Vollbrecht J, Carlson J, Levkowetz H. Extensible authentication protocol (EAP), RFC 3748, IETF Network Working Group, 2004.
[4] Funk P, Blake-Wilson S. EAP Tunneled TLS Authentication Protocol, draft-ietf-pppext-eap-ttls-05. IETF, February 2005.
[5] Yuh-Ren Tsai, Cheng-Ju Chang. SIM-based subscriber authentication mechanism for wireless local area networks. Elsevier Computer Communications 2006; 29: 1744–1753.
[6] Sun H-M, Chen S-M, Liu I-H. Secure and efficient handover schemes for heterogeneous networks. In Proceedings of the Asia-Pacific satellite communications, broadcasting and space conference 2008; 205–210.
[7] Narayanan V, Dondeti L. EAP extensions for EAP re-authentication protocol (ERP). RFC 5296, IETF Network Working Group, 2008.
[8] Fernandes S, Karmouch A. Vertical mobility management architectures in wireless networks: A comprehensive survey and future directions. IEEE Communications Surveys & Tutorials 2012; 14(1): 45–63.
[9] Moon J S, Park J H, Lee D G, Lee I-Y. Authentication and ID-based key management protocol in pervasive environment. Wireless Personal Communications 2010; 55(1): 91–103.
[10] Das A, Shah H A K, Srinivasan K. A proxy based approach for pre-authentication in media independent vertical handover. In Proceedings of the IEEE wireless communications and networking conference 2012; 2835–2840.
[11] Lin S-H, Chiu J-H, Shen S-S. The iterative distributed re-authentication scheme based on EAP-AKA in 3G/UMTS-WLAN heterogeneous mobile networks. In Proceedings of the international conference on broadband, wireless computing, communication and applications 2010; 429–434.
[12] Arkko J, Haverinen H. Extensible authentication protocol method for 3rd generation authentication and key agreement (EAP-AKA). RFC 4187, IETF Network Working Group, 2006.
[13] Taniuchi K, Ohba Y, Fajardo V, Das S, Tauil M, Cheng Y-H, Dutta A, Baker D, Yajnik M, Famolari D. IEEE 802.21: media independent handover: features, applicability, and realization. IEEE Communications Magazine 2009; 47(1): 112–120.
[14] Nasser N, Hasswa A, Hassanein H. Handoffs in fourth generation heterogeneous networks. IEEE Communications Magazine 2006; 44(10): 96–103.
[15] Hongyang B, Chen H, Lingge J. Performance analysis of vertical handover in a UMTS-WLAN integrated network. 14th IEEE Proceedings on Personal, Indoor and Mobile Radio Communications, Beijing, China, 2003; 187–191.
[16] Mohanty S, Akyildiz IF. A Cross-Layer (Layer 2 + 3) Handoff Management Protocol for Next-Generation Wireless Systems. IEEE Transactions on Mobile Computing 2006; 5(10): 1347–1360.
[17] Marquez-Barja J, Calafate CT, Cano J-C, Manzoni P. An overview of vertical handover techniques: Algorithms, protocols and tools. Computer Communications 2011; 34(8): 985–997.
[18] Choi H H, Song O, Cho D H. A Seamless Handoff Scheme for UMTS-WLAN Interworking. Proceedings of IEEE Globecom 2004; 3: 1559–1564.
[19] Mojtaba Matinkhah, Siavash Khorsandi, Shantia Yarahmadian. A New Handoff Management System for Heterogeneous Wireless Access Networks. Wiley International Journal of Communication Systems 2012, DOI: 10.1002/dac.2393.
[20] Palekar A, Simon D, Josefsson S, Zhou H, Zorn G. Protected EAP Protocol (PEAP) Version 2, draft-josefsson-pppext-eap-tls-eap-10.txt. IETF, October 2004.
[21] NIST, Digital Signature Standard (DSS), FIPS Publication 186-2, January 2000.
[22] Modern Cryptography: Theory and Practice, Pearson Education, 2004; 358.
[23] Nyberg K, Rueppel R A. Message Recovery for Signature Schemes Based on the Discrete Logarithm. EUROCRYPT'94, Springer-Verlag, Berlin 1994; 175–190.
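Section V attributes STAVHO's untraceability to a temporary ID derived from a random variable, and Section IV to a symmetric key shared only between the UE and its home network. The following is an added example written for this page; it is not the paper's Fig. 3 algorithm and does not reproduce the certificate exchange, only the identity-hiding and replay-rejection idea those sections describe. Everything is an assumption: the derivation HMAC(shared key, nonce) truncated to 8 bytes stands in for the paper's SHA-1 based key generation, the home network detects replays by remembering nonces, the foreign network forwards the pseudonym to the home network under the roaming agreement, and the subscriber identity is a constructed sample.

```python
import hashlib
import hmac
import os

TID_LEN = 8  # assumed size of the temporary identifier

def derive_temp_id(shared_key: bytes, nonce: bytes) -> bytes:
    """Temporary ID from the UE/home-network symmetric key and a fresh nonce.
    Assumed construction: HMAC-SHA-256, truncated; the paper names SHA-1."""
    return hmac.new(shared_key, b"temp-id|" + nonce, hashlib.sha256).digest()[:TID_LEN]

class HomeNetwork:
    """Holds each subscriber's symmetric key and resolves temporary IDs."""

    def __init__(self):
        self._keys = {}            # real identity -> shared symmetric key
        self._used_nonces = set()  # assumed replay detection: each nonce is accepted once

    def register(self, real_id: str) -> bytes:
        key = os.urandom(32)
        self._keys[real_id] = key
        return key

    def resolve(self, temp_id: bytes, nonce: bytes):
        """Return the real identity behind temp_id, or None if unknown or replayed."""
        if nonce in self._used_nonces:
            return None
        for real_id, key in self._keys.items():  # linear scan; fine for a sketch
            if hmac.compare_digest(derive_temp_id(key, nonce), temp_id):
                self._used_nonces.add(nonce)
                return real_id
        return None

class ForeignNetwork:
    """Sees only the pseudonym and asks the home network to vouch for it."""

    def __init__(self, home: HomeNetwork):
        self.home = home
        self.observed = []  # what the foreign side (or a sniffer there) gets to see

    def admit(self, request: dict) -> bool:
        self.observed.append(request["temp_id"])
        return self.home.resolve(request["temp_id"], request["nonce"]) is not None

class UserEquipment:
    def __init__(self, real_id: str, shared_key: bytes):
        self.real_id = real_id
        self.shared_key = shared_key

    def handover_request(self) -> dict:
        nonce = os.urandom(16)  # the "random variable" of Section V
        return {"temp_id": derive_temp_id(self.shared_key, nonce), "nonce": nonce}

def demo() -> dict:
    """Two handovers by one UE, then a replay of the first captured request."""
    home = HomeNetwork()
    real_id = "IMSI-EXAMPLE-001"  # constructed subscriber identity
    ue = UserEquipment(real_id, home.register(real_id))
    foreign = ForeignNetwork(home)
    first, second = ue.handover_request(), ue.handover_request()
    return {
        "first_admitted": foreign.admit(first),
        "second_admitted": foreign.admit(second),
        "unlinkable": first["temp_id"] != second["temp_id"],
        "replay_admitted": foreign.admit(first),
        "foreign_sees_real_id": any(real_id.encode() in t for t in foreign.observed),
    }

if __name__ == "__main__":
    print(demo())
```

The point to check against the paper's claims is in the returned dictionary: the foreign network admits the subscriber twice while never seeing the real identity, the two pseudonyms cannot be linked to each other, and a captured request replayed later is refused because its nonce has already been consumed.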