Security in Third Party Intervened Vertical Handover in Heterogeneous Networks

— The present world encourages the interconnection of different types of networks and, in turn, the use of the Internet for all kinds of applications. This requires seamless handover and frequent vertical handovers. Heterogeneous networks pose a handover challenge as well as a network security challenge. In our previous work we proposed third party intervention for vertical handover. In the present work we extend that work with security enhancements. The simulation results show a reduction in leakages and attacks after applying our scheme.


II. SURVEY
In [2], a Media Independent Pre-Authentication handover optimization framework is proposed. It provides optimization for inter-domain and inter-technology handover, and also achieves a significant reduction in handover delay at both the network and application layers. In [3], a modified version of Kerberos featuring sequence-number based service ticket distribution and challenge-response based service access authentication is proposed. It performs Kerberos authentication without relying on time synchronization, which makes authentication between the MN and the IS more flexible. However, the context has to be transported multiple times during continuous handover, which is very time consuming, and the Kerberos setup time must also be waited for.
In [4], the authors developed two protocols for authentication and authorization of mobile nodes. The Protocol for carrying Authentication for Network Access (PANA) and the Extensible Authentication Protocol (EAP) were deployed on the IETF architecture to reduce authentication and authorization latency. In [5], a lightweight authentication solution for seamless handoff was proposed, but the work focused mainly on privacy preservation and aimed to preserve user anonymity during handover by creating new contexts; in our solution we do not want anonymity, since the UNI-MOB platform cannot bill customers if anonymity is maintained. In [6], two IETF protocols for vertical handover, CAPWAP and HOKEY, are analyzed. The HOKEY solution for seamless handover is based on establishing key hierarchies and using them for secure context transfer; however, this solution is cumbersome and not lightweight. In [7], the author proposed a global authentication protocol for 4G networks. This protocol enables a vertical handover without requiring a prior subscription to the visited network, and achieves a good security level without introducing complexity and overhead. In [8], a new authentication mechanism for seamless handover between 802.16e and 3G wireless networks is proposed. In this solution an Inter Base Station Protocol (IBSP) message can be transmitted between the two heterogeneous networks. Authentication is performed only at the initial stage of connecting the user terminal, without re-authentication. This approach reduces the authentication component of handover latency, but a replay attack can be launched and go undetected in the network. In [9], the proposed work presents a multi-criteria handoff protocol. This protocol uses mobility and QoS parameters to trigger handoff and, by using an evolution prediction model, avoids the ping-pong effect in heterogeneous networks. In [10], an Authentication and Key Agreement (AKA) protocol for an open access architecture is proposed.
The AKA protocol was verified by formal methods using the Casper/FDR tool, and this verification showed that the AKA protocol provides security in vertical handover. In [11], the author proposed a seamless handover mechanism between Wi-Fi and WiMAX networks to reduce the authentication process. This mechanism also includes security measures that guarantee the handover messages are secure. In [12], a new seamless vertical handover scheme is proposed to perform fast authentication while guaranteeing QoS and security for real-time communications. This scheme shows better performance in terms of signaling cost and packet loss. In [13], the author proposed a broker-based architecture for integrated heterogeneous networks and an extended handover keying protocol to reduce the user authentication delay. The proposed architecture and protocol lead to a significant reduction in Vertical Hand Off (VHO) delay, VHO interruption probability and power consumption. In [14], the author proposed two discard-information policies for the Cipher-based Message Authentication Code (CMAC): Shared Authentication Information (SAI) and Shared Authentication Key (SAK). SAI is vulnerable to DDoS attacks, while SAK reduces the authentication latency during vertical handover.

III. PROBLEM DEFINITION
In our previous work we proposed a scheme for third party intervened handover called UNI-MOB, but it was not secured against attacks, the register context kept at UNI-MOB could be leaked, and it lacked continuous authentication. In the present work we address these security issues. The security issues in UNI-MOB are:
- Replay attack: capturing the attach message from the UE and forging it to log in from some other network.
- The register context kept at UNI-MOB can be leaked.
- There is no continuous authentication.

A. Replay Attack
A replay attack can be launched by capturing an attach message with its encrypted token and reusing it to generate a fake attach. There must therefore be a mechanism in UNI-MOB to authenticate the attach message quickly, so that it does not affect the handover latency. To achieve this, when the encrypted token in the attach message reaches UNI-MOB, the platform must be able to deduce from the registration context what the next expected token is, compare it with the encrypted token just received, and reply pass if both are the same or fail if they differ. To reduce the authentication delay, the next expected encrypted token is generated well ahead of time and kept in the registration context at the UNI-MOB platform. Starting from the initial token, a secure hash function H is applied to generate the next token, which is encrypted with the user's key and stored as the next expected token.
The hash function is specific to the user and is generated afresh every time the user registers; in practice this means a keyed hash whose per-registration secret is shared only by the UE and UNI-MOB, since a public hash function would let anyone holding a token compute its successor. The hash function is constructed so that subsequent tokens can be generated from the current one but previous tokens cannot be deduced. Because the hash function is replaced for every new session, a captured hash function is of no use in the next session. The procedure onRegister is invoked whenever the user registers:

Proc: onRegister
Input: userid
  H  ← GenerateHash(userid)
  Tk ← getLastUsedToken(userid)
  Et ← E(H(Tk))
  store Et in the registration context of userid as the next expected token

B. Securing Register Context
The register context is the most important information in the UNI-MOB platform. User hash functions, keys, tokens and the next expected tokens are all stored in the registration context. To secure this information, hardware solutions such as tamper-proof storage are available, but they are costly and, as the user base grows, the solution does not scale.
To provide security at low cost and in a scalable way, we propose a solution based on anonymity. The user id is hashed to a location in memory, the hashing operation is carried out inside tamper-proof storage, and the registration context is kept at the hashed location. Inspecting the registration context reveals no information about the user, so it is anonymous. To break the anonymity, the hashing operation kept in tamper-proof storage would have to be compromised, which the tamper-proof hardware is designed to prevent. Since the registration context is anonymous, an attacker will find it difficult to locate the registration context of a particular user.
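As an added worked example (not code from the paper), the following Python model ties together the three protections of Sections III.A, III.B and III.C: the precomputed next-expected-token check that rejects a replayed attach, the registration context stored under an opaque keyed index derived from the user id, and the timer-driven re-authentication whose attach carries a deviation value that re-keys the hash function. The names used, the choice of HMAC-SHA256 for both the user-specific hash function H and the encryption E, and the re-keying rule H_key' = HMAC(H_key, d) are assumptions of this example, not choices made by the paper.

```python
"""Toy model of the UNI-MOB security block (an added illustration, not the
paper's code): the next-expected-token check of Sec. III.A, the opaque hashed
storage location of Sec. III.B, and the timed, re-keyed re-authentication of
Sec. III.C.  Assumptions not fixed by the paper: H is HMAC-SHA256 under a
per-registration secret shared with the UE; E (encryption with the user's key)
is modelled by a second HMAC, as the platform only tests equality; d re-keys H."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256, used for both H (chain step) and E (token blinding)."""
    return hmac.new(key, data, hashlib.sha256).digest()


@dataclass
class RegistrationContext:
    hash_key: bytes       # secret that makes H specific to this registration
    user_key: bytes       # user's key used for E
    last_token: bytes     # last accepted plaintext token Tk
    next_expected: bytes  # E(H(Tk)), precomputed so an attach costs one compare
    last_auth: float      # time of the last successful attach (re-auth timer)

    def advance(self, deviation: Optional[bytes] = None) -> None:
        """Step the chain after a passed attach; optionally re-key H."""
        self.last_token = prf(self.hash_key, self.last_token)
        if deviation is not None:
            self.hash_key = prf(self.hash_key, deviation)
        self.next_expected = prf(self.user_key, prf(self.hash_key, self.last_token))


class UniMobSecurityBlock:
    def __init__(self, reauth_period: float) -> None:
        # Key of the user-id -> storage-location hash.  The paper keeps this
        # operation inside tamper-proof storage; here it is simply private.
        self._location_key = secrets.token_bytes(32)
        self._contexts: Dict[bytes, RegistrationContext] = {}
        self.reauth_period = reauth_period

    def _location(self, userid: str) -> bytes:
        return prf(self._location_key, userid.encode())

    def on_register(self, userid: str, user_key: bytes, now: float) -> Tuple[bytes, bytes]:
        """Proc onRegister: fresh H and Tk, store Et = E(H(Tk)); returns (hash_key, Tk) for the UE."""
        hash_key, tk = secrets.token_bytes(32), secrets.token_bytes(16)
        et = prf(user_key, prf(hash_key, tk))
        self._contexts[self._location(userid)] = RegistrationContext(hash_key, user_key, tk, et, now)
        return hash_key, tk

    def on_attach(self, userid: str, token: bytes, now: float,
                  deviation: Optional[bytes] = None) -> bool:
        """Pass iff the token equals the precomputed next expected token."""
        ctx = self._contexts.get(self._location(userid))
        if ctx is None or not hmac.compare_digest(token, ctx.next_expected):
            return False  # unknown user, stale chain, or a replayed attach
        ctx.advance(deviation)
        ctx.last_auth = now
        return True

    def reauth_due(self, userid: str, now: float) -> bool:
        """Continuous-authentication timer: has the configured period elapsed?"""
        ctx = self._contexts.get(self._location(userid))
        return ctx is None or now - ctx.last_auth >= self.reauth_period

    def storage_locations(self) -> List[bytes]:
        """What someone reading the context store sees: opaque indexes only."""
        return list(self._contexts)


class UserEquipment:
    def __init__(self, userid: str, user_key: bytes, hash_key: bytes, tk: bytes) -> None:
        self.userid, self.user_key, self.hash_key, self.tk = userid, user_key, hash_key, tk

    def attach(self, deviation: Optional[bytes] = None) -> Tuple[str, bytes, Optional[bytes]]:
        """Build the attach fields (userid, E(H(Tk)), d) and advance the local chain."""
        token = prf(self.user_key, prf(self.hash_key, self.tk))
        self.tk = prf(self.hash_key, self.tk)
        if deviation is not None:
            self.hash_key = prf(self.hash_key, deviation)
        return self.userid, token, deviation


def demo() -> Dict[str, bool]:
    """One session: handover attach, replayed copy, timed re-key, piggybacked attach."""
    platform = UniMobSecurityBlock(reauth_period=30.0)
    user_key = secrets.token_bytes(32)
    ue = UserEquipment("user-42", user_key, *platform.on_register("user-42", user_key, now=0.0))
    uid, tok, _ = ue.attach()                        # attach at handover
    first = platform.on_attach(uid, tok, now=1.0)
    replay = platform.on_attach(uid, tok, now=2.0)   # attacker resends the captured message
    due = platform.reauth_due(uid, now=31.0)         # period elapsed, re-auth expected
    uid, tok, d = ue.attach(deviation=secrets.token_bytes(8))  # token piggybacked on data
    rekeyed = platform.on_attach(uid, tok, now=31.0, deviation=d)
    uid, tok, _ = ue.attach()                        # both sides now use the re-keyed H
    after = platform.on_attach(uid, tok, now=32.0)
    return {"first_attach": first, "replay_rejected": not replay, "reauth_due": due,
            "rekeyed_attach": rekeyed, "attach_after_rekey": after,
            "store_hides_userid": b"user-42" not in platform.storage_locations()}
```

Calling demo() walks one session: the first attach passes, the replayed copy fails because the platform has already advanced to the next expected token, the timed re-authentication passes with both sides re-keyed by the deviation value, and the context store exposes only opaque indexes. Because the platform holds exactly one expected token per user, an attach that is lost in transit leaves the UE and platform chains out of step; the paper does not describe a resynchronisation step and this example does not add one.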

C. Continuous Authentication
Because of unlimited call and Internet packages, sessions in India can last for hours. In such situations, authentication only at session start-up and at handover is not sufficient; continuous authentication during the session is needed.
To ensure continuous authentication, a timer with a configurable period is kept in the registration context, and once every period an attach request with an encrypted token is expected from the user end; it is authenticated in the same way as for handover. For better security in the continuous authentication case, however, the hash function is updated instead of reusing the same one: the new hash function is derived from the old one by a deviation value sent in the attach request. Piggybacking can also be used for continuous authentication: the secure hashed token for authentication is carried inside a data packet, so the extra packet that continuous authentication would otherwise need is avoided, which increases the throughput of the system.

Figure 1 shows the block diagram for third party intervened handover in heterogeneous networks with security. The security block resides inside the UNI-MOB system. In our previous work we presented how UNI-MOB takes responsibility for handover by bypassing the authentication performed by the wireless network components, which is why security was not completely assured. To overcome this drawback, we have introduced a security block into UNI-MOB. The UNI-MOB security block provides three kinds of protection: resistance to replay attacks, securing the register context, and continuous authentication. Whenever data is exchanged between dynamic base stations, the security block checks authentication using the three schemes explained above.

V. RESULT ANALYSIS
Seamless handover across Wi-Fi, WLAN and UMTS is simulated using the Java NetBeans IDE 7.2. We measured the handover delay caused by the proposed authentication mechanism and compared our solution with our previous work [1] and Gamal's work [9]. We varied the number of hosts in steps of 10 at a constant speed of 10 m/s and measured the handover delay, as shown in Fig. 2.
From the results we find that the proposed solution adds only a little overhead to paper [1] for security, and far less than Gamal's work [9]. We varied the number of hosts and measured the network overhead in terms of the number of messages exchanged between network elements for secure handover; the result is shown in Figure 3. The message overhead of the secure handover is almost the same as that of paper [1] but much less than that of Gamal's work [9]. We varied the speed of the Mobile Station (MS) in steps of 1 m/s and measured the handover delay; the result is shown in Fig. 4. The delay of the proposed scheme is only slightly higher than that of paper [1] but much less than that of Gamal's work [9]. Fig. 5 shows the percentage of packet loss as the speed of the mobile station varies; the packet loss is lower than in both paper [1] and Gamal's work [9]. The handover failure rate was measured by varying the speed of the mobile station, and the result is shown in Fig. 6: the handover failure rate is lower than in both paper [1] and Gamal's work [9]. The throughput of the system was measured by varying the speed of the mobile station; the result is shown in Fig. 7, and the throughput is higher than in paper [1] and Gamal's work [9]. We measured the effect of replay attacks against the number of handovers, in terms of session drops caused by replay attacks; the result is shown in Fig. 8, and the proposed security solution is affected less than paper [1] and Gamal's work [9]. We measured the capacity in terms of the number of sessions handled while varying the intensity of the attack; the result is shown in Fig. 9, and the number of sessions handled is higher than in paper [1] and Gamal's work [9].
We measured the data leakage percentage by varying the number of registrations; the result is shown in Fig. 10. The leakage in the proposed work is less than in both paper [1] and Gamal's work [9].

VI. CONCLUSIONS AND ENHANCEMENT
In this paper we have added security provisions to our previous work on third party intervention. Adding security to the third party intervention introduces overhead and delay; our work keeps this additional delay and overhead small. We have also shown that, at different speeds, there is an increase in throughput and a decrease in packet loss and handover failure. Overall, we have proposed a secured third party intervention for present-day heterogeneous networks.