
[STDS-802-16-MOBILE] [handoff] [security] Security Issues for fast handover



Title: [STDS-802-16-MOBILE] [Handoff] Minutes from conference call on 6/2/04
Dear Handover adhoc and Security adhoc people,
 
The big bottleneck to making fast handover with Level 2 and 3, in the handover adhoc's common understanding,
is performing the PKM procedure at the target BS.
The full PKM procedure with multiple transactions over the air will take a long time at the target BS
because one transaction (PKM-REQ/RSP) usually takes 7-8 frames of processing time, that is, 35-40 ms.
Hence, in order to resolve this problem, the main approach for resolution is to skip the PKM procedure at the target BS.
 
However, from the security perspective, it does not make sense for the target BS to skip authenticating the MSS entering it.
 
Accordingly, there are two requirements for the fast handover.
 
1. The target BS shall skip the whole PKM procedure or perform a minimum of the PKM procedure.
2. The target BS shall be able to authenticate the MSS before the MSS enters the target BS.
 
 
To meet the above two requirements, there are usually two approaches for the target BS, as follows.
In the following approaches, the basic assumption is that the serving BS and the target BS trust each other.
 
1. The target BS pre-authenticates the MSS via the serving BS.
    In this approach, the serving BS may act as a proxy of the MSS to perform the PKM procedure over the backbone with the target BS.
    That is, the security context is negotiated between the serving BS and the target BS.
    Finally, the serving BS can pass the new security context to the MSS in the HO-RSP or BSHO-RSP messages.

    This approach has an overhead: the serving BS shall negotiate the security context with all candidate target BSs, and
    the target BS shall start a timer to retain the MSS's security context until the MSS successfully enters the target BS itself.
 
2. The target BS shall reuse the authentication of the serving BS.
    In this approach, the target BS reuses the authentication result and its Authorization Key, which came from the serving BS.
    If the target BS wants to renew the security context of the MSS, then the target BS shall perform the PKM procedure after the release of the connection handed over.
 
Basically, I think that approach 2 is better.

Any opinions?
 
Sincerely yours,
 
Yong Chang/Ph.D
Samsung Electronics.
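
The retention-timer overhead described for approach 1 above can be modelled as follows. This is an added example, not part of the original message or of any 802.16 text; the `TargetBS` class, the 200 ms retention value, the AK length and the HMAC-SHA1 proof of AK possession are assumptions standing in for the real PKM and handover message formats.

```python
import hashlib
import hmac
import os

class TargetBS:
    """Candidate target BS that retains pre-negotiated contexts under a timer."""

    def __init__(self, retain_ms, clock):
        self.retain_ms = retain_ms
        self.clock = clock        # callable returning the current time in ms
        self.pending = {}         # mss_id -> (ak, expiry_ms)

    def pre_authenticate(self, mss_id):
        """Backbone call from the trusted serving BS; returns the new AK."""
        ak = os.urandom(20)       # AK length is an assumption
        self.pending[mss_id] = (ak, self.clock() + self.retain_ms)
        return ak

    def admit(self, mss_id, nonce, proof):
        """MSS entry: one-shot use of the context, else fall back to full PKM."""
        ak, expiry = self.pending.get(mss_id, (None, 0))
        if ak is None or self.clock() > expiry:
            self.pending.pop(mss_id, None)
            return "full-pkm"
        expected = hmac.new(ak, nonce, hashlib.sha1).digest()
        if not hmac.compare_digest(expected, proof):
            return "rejected"     # keep the context: a bad proof must not evict it
        del self.pending[mss_id]
        return "admitted"

    def purge(self):
        """Drop contexts whose retention timer ran out; returns how many."""
        now = self.clock()
        stale = [m for m, (_, exp) in self.pending.items() if now > exp]
        for m in stale:
            del self.pending[m]
        return len(stale)

def simulate():
    t = [0]                                        # constructed clock, in ms
    bss = {n: TargetBS(200, lambda: t[0]) for n in ("A", "B", "C")}
    aks = {n: bs.pre_authenticate("mss-01") for n, bs in bss.items()}
    prove = lambda n: hmac.new(aks[n], b"nonce", hashlib.sha1).digest()
    t[0] = 50                                      # MSS enters candidate B
    bad = bss["B"].admit("mss-01", b"nonce", bytes(20))
    good = bss["B"].admit("mss-01", b"nonce", prove("B"))
    t[0] = 300                                     # timers at A and C have expired
    late = bss["A"].admit("mss-01", b"nonce", prove("A"))
    return bad, good, late, bss["C"].purge()
```

Every candidate that the MSS never enters holds key material until its timer fires, so the retention value bounds both the handover window and the exposure of unused contexts.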