can be situations where different types of networks coexist in one geographical area. However, due to the inherent nature of wireless communications, wireless networks encounter numerous security problems compared to their wired counterparts. The most significant of these is the first time association. Whether it is a WLAN [1], WiMAX [2] or a 4G LTE [3], all wireless networks will have this setback. The lack of physical connectivity (anchor-attachment) from the wireless device to the network makes the wireless network more vulnerable and hard to protect against authenticity, confidentiality, integrity and availability threats [4][5]. Hence, to overcome this first time association problem wireless devices adopt a range of different techniques.

The Robust Security Network Association (RSNA) proposed in IEEE 802.11i [6] has emerged as the most popular method to counter the first time association problem. The RSNA technique is widely used in both WLANs and WiMAX. Although the IEEE 802.11i security architecture offers sufficient protection to the wireless environment, it is up to the implementer to guarantee that all issues are addressed and the appropriate security measures are implemented for secure operation. A single incorrectly configured station could lead the way for a cowardly attack and expose the entire organizational network [7][8].

Notwithstanding the configuration issues, RSNA is the most preferred first time association method for wireless networks. The use of IEEE 802.1X port based access control [9] makes it more flexible for mutual authentication and key distribution. However, RSNA does not provide options for coordinated authentication in a heterogeneous network environment. This results in wireless users having to use different credentials to authenticate with different wireless networks. Hence, a wireless device will have to repeatedly authenticate itself as it roams from one network to another operator's network, be it the same type of network or different. Therefore, a Coordinated Robust Authentication (CRA) Mechanism with the ability to use a single set of credentials with any network, wireless or wired, would be of immense significance to both network users and administrators. In this chapter we present technical details of CRA together with some experimental results. However, before illustrating the details of CRA, we first present an overview of RSNA.

**1.1. Robust security network association**

The IEEE 802.11i standard defines two classes of security framework for IEEE 802.11 WLANs: RSN and pre-RSN. A station is called RSN-capable equipment if it is capable of creating RSN associations (RSNA). Otherwise, it is pre-RSN equipment. A network that only allows RSNA with RSN-capable equipment is called an RSN security framework. The major difference between RSNA and pre-RSNA is the 4-way handshake. If the 4-way handshake is not included in the authentication / association procedures, stations are said to use pre-RSNA. The RSN, in addition to enhancing the security in pre-RSN, defines a number of key management procedures for IEEE 802.11 networks. It also enhances the authentication and encryption mechanisms from the pre-RSN. The enhanced features of RSN are as follows:

**Authentication Enhancement**: IEEE 802.11i utilizes IEEE 802.1X for its authentication and key management services. The IEEE 802.1X incorporates two components, namely (a) *IEEE 802.1X Port* and (b) *Authentication Server (AS)*, into the IEEE 802.11 architecture. The IEEE 802.1X port represents the association between two peers as shown in Figure 1. There is a one-to-one mapping between IEEE 802.1X Port and association.

**Figure 1.** IEEE 802.1X EAP Authentication

Selected Topics in WiMAX

**Key Management and Establishment**: Two ways to support key distribution are introduced in IEEE 802.11i: *manual key management* and *automatic key management*. Manual key management requires the administrator to manually configure the key. The automatic key management is available only in RSNA. It relies on IEEE 802.1X to support key management services. More specifically, the 4-way handshake is used to establish each transient key for packet transmission as in Figure 2.

**Encryption Enhancement**: In order to enhance confidentiality, two advanced cryptographic algorithms are developed: Counter-Mode/CBC-MAC Protocol (CCMP) and Temporal Key Integrity Protocol (TKIP). In RSN, CCMP is mandatory. TKIP is optional and is recommended only to patch any pre-RSN equipment.

During the initial security association between a station (STA) and an access point (AP), the STA selects an authorized Extended Service Set (ESS) by selecting among APs that advertise an appropriate Service Set ID (SSID). The STA then uses IEEE 802.11 Open System authentication followed by association to the chosen AP. Negotiation of security parameters takes place during association. Next, the AP's Authenticator or the STA's Supplicant initiates IEEE 802.1X authentication. The Extensible Authentication Protocol (EAP) used by IEEE 802.1X will support mutual authentication, as the STA needs assurance that the AP is a legitimate Access Point.

The last step is the key management. The authentication process creates cryptographic keys shared between the IEEE 802.1X AS and the STA. The AS transfers these keys to the AP, and the AP and STA use one key confirmation handshake, called the 4-Way Handshake, to complete security association establishment. The key confirmation handshake indicates when the link has been secured by the keys and is ready to allow normal data traffic.
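The key confirmation step described above can be traced in code. The following is an added example, not code from the chapter: it derives the pairwise transient key on both sides using the IEEE 802.11i PRF and checks the Message 2 MIC as the AP would. The names PMK, KCK, KEK and TK come from the standard rather than this page, and the MAC addresses and frame body are constructed; Messages 3 and 4 (group key delivery and key installation) are left out.

```python
import hashlib
import hmac
import os

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF: iterated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """384-bit PTK for CCMP, split into KCK | KEK | TK (16 bytes each)."""
    # Min/Max ordering makes both peers feed identical input to the PRF.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def mic(kck: bytes, frame: bytes) -> bytes:
    """Key confirmation MIC: HMAC-SHA1 truncated to 128 bits (the CCMP case)."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def handshake(pmk_sta: bytes, pmk_ap: bytes):
    """Messages 1 and 2 only; returns (AP accepts MIC?, STA keys, AP keys)."""
    aa = bytes.fromhex("020000000001")    # constructed Authenticator (AP) MAC
    spa = bytes.fromhex("020000000002")   # constructed Supplicant (STA) MAC
    anonce = os.urandom(32)               # Message 1: AP -> STA carries ANonce
    snonce = os.urandom(32)               # STA picks SNonce, derives PTK
    sta = derive_ptk(pmk_sta, aa, spa, anonce, snonce)
    msg2 = b"constructed EAPOL-Key body|" + snonce  # stands in for the real frame
    msg2_mic = mic(sta["KCK"], msg2)      # Message 2: STA -> AP, SNonce + MIC
    ap = derive_ptk(pmk_ap, aa, spa, anonce, snonce)
    accepted = hmac.compare_digest(mic(ap["KCK"], msg2), msg2_mic)
    return accepted, sta, ap
```

A mismatch in the key delivered by the AS shows up here as a failed MIC check at Message 2, before any data traffic is allowed.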

**Figure 2.** Establishing pairwise & group keys [6]

In the case of roaming, an STA requesting (re)association followed by IEEE 802.1X or pre-shared key authentication repeats the same actions as for an initial contact association, but its Supplicant also deletes the PTK when it roams from the old AP. The STA's Supplicant also deletes the PTKSA when it disassociates / de-authenticates from all basic service set identifiers in the ESS. An STA already associated with the ESS can request its IEEE 802.1X Supplicant to authenticate with a new AP before associating to that new AP. The normal operation of the DS via the old AP provides communication between the STA and the new AP.

EAP-CRA for WiMAX, WLAN and 4G LTE Interoperability

http://dx.doi.org/10.5772/54837

function inside WLAN access point maps all 802.11 events to the WiMAX events. For example, the event association request will be mapped to WiMAX pre-attachment request.

In their architecture the problem of handling mobility across WLAN and WiMAX boils down to the problem of handling mobility across WiMAX base stations that already have concrete solutions. Also, the mapping function consumes 1.82 seconds for EAP-TLS authentication in comparison to a few milliseconds in CRA. Further, their proposed architecture enables the same IP address to be used across both the WLAN and the WiMAX network interfaces, and keeps it seamless from an application perspective.

The distributed authentication scheme proposed by Machiraju et al. [11] relies on Base Stations (BS) to collectively store authentication information. To achieve the goal of a single point of access they introduce the notion of tokens. The token contains the identity and other information regarding the user. Each mobile user has exactly one token that is stored at the base station where the mobile user is receiving service. When the mobile user moves between base stations, its token moves along with the user, thus eliminating the need to maintain the costly infrastructure required by a traditional centralized scheme. They assert two main disadvantages of centralized authentication methods. Firstly, a server must be available. Without a server the authentication process cannot be completed. Secondly, there must be a highly reliable backhaul. The latter is due to the authentication process creating a large volume of traffic, usually of a higher priority than normal traffic. They further emphasize that their scheme is optimized for mobility-induced handover re-authentication, thereby reducing the authentication overheads. This study, however, does not clarify how the base stations will initiate contact with each other. The security approach to establish a secure connection between the BS is not determined. Moreover, the details to establish trust between base stations and the actions taken in case of base stations being compromised are not provided. The capabilities required to perform the expected functionality of a BS are not addressed.

The EAP-FAMOS authentication method developed by Almus et al. [12] uses Kerberos-based authentication in the existing EAP framework. It allows secure and true session mobility and requires the use of another EAP method only for the initial authentication. It uses the keying material delivered by the other EAP method during the initial authentication for its Kerberos-based solution for fast re-authentication. Mobility is based on Mobile IPv4 and a sophisticated handover supported by a so-called Residential Gateway together with a Mobility Broker located in the ISP's backend network. Their performance studies show that Wi-Fi technology can be used in mobile scenarios where moving objects are limited to speeds below 15 km/h. Further, they state that applications requiring very low delay and allowing only very short service interruptions can be supported by their technique.

OSNP is another EAP method based on Kerberos proposed by Huang et al. [13]. The protocol provides intra-domain and inter-domain authentication to a peer that already has its security association with the home network. The authors have proposed a hierarchical design for KDC servers with the Root KDC responsible for providing directory service to other KDC servers. In case of a request to a particular network other than the peer's Home network, the authentication server in the new network will obtain the authenticity of the peer from the home KDC. Although the authors suggest a quick password based authentication and roaming mecha‐
