KR20190070780A - Method of managing secure and fault-tolerant distributed location for intelligent 5g wileless network - Google Patents

Abstract

The present invention relates to a security and fault-tolerate distributed location management method for an intelligent fifth-generation (5G) wireless network. More particularly, the present invention relates to a security and fault-tolerate distributed location management method for an intelligent fifth-generation (5G) wireless network which uses a distributed hash table of access node for distributed location management and adopts a ticket reuse method to improve authentication performance while providing secure authentication of a mobile node (MN).

Description

METHOD OF MANAGING SECURITY AND FAULT-TOLERANT DISTRIBUTED LOCATION FOR INTELLIGENT 5G WILELESS NETWORK FOR INTEGRATED 5G WIRELESS NETWORK

The present invention relates to a security and fault tolerant distributed location management method for an intelligent 5G (fifth-generation) wireless network. More particularly, the present invention relates to a secure and fault- And to a security and fault tolerant distributed location management method for an intelligent 5G wireless network employing a ticket reuse method to improve authentication performance.

Conventional mobility management protocols such as Mobile IPv6 (MIPv6) [Non-Patent Document 1] and Proxy Mobile IPv6 (PMIPv6) [Non-Patent Document 2] have been developed on the premise that the cellular network architecture is centralized. But the premise is changing. While cellular network architectures have been flattened to improve performance and scalability, convergent network architectures and mobility management protocols have led to network bottlenecks and a single point of failure. In order to solve the problem of the converged mobility management protocol, an IETF distributed mobility management (DMM) working group has been proposed to develop a DMM protocol designed to operate a distributed cellular network architecture [Non-Patent Document 3]. In the DMM, the data plane and control plane are separated, and the data plane is distributed to provide better performance and scalability of the network architecture.

However, in order to facilitate position management, the control plane can be distributed (i.e., fully distributed DMM) or centralized (i.e., semi-distributed DMM) [Non Patent Document 4] [Non Patent Document 5]. For example, in [Non-Patent Document 6], it has been proposed that a centralized SIP register is used in a DMM environment. However, the SIP register can be replicated to improve reliability, but does not reach the level of resilience that can be achieved with a fully distributed architecture.

It is therefore necessary to define an architecture that is fully compatible with the DMM. For more information on the background and approach of DMM, please refer to [Non-Patent Document 4] and [Non-Patent Document 5]. Also, as a preliminary study [Non-Patent Document 7], the performance of the DMM technique called Dynamic Mobility Anchoring (DMA) [Non-Patent Document 8] was analyzed in comparison with PMIPv6.

Without ensuring wireless network access, a fraudulent (illegal) mobile node (MN) can access network resources and initiate various attacks. Only authorized and authorized MNs (i.e., legitimate MNs) will have access to network resources, e.g., only a legitimate MN registers and updates its location during secure post-handover. If wireless network access security is not provided, an illegal MN may send malicious location update messages instead of legitimate MNs, or redirect or block location update related data packets. Based authentication mechanism (TALM) for location management using a distributed hash table of the access node for distributed location management while the ticket reuse method is adopted to improve the authentication performance in the MN authentication in order to prevent such attacks in the DMM environment, .

 Johnson, D., Perkins, C., Arkko, J. (2004). Mobility Support for IPv6. IETF RFC 3775. http://www.ietf.org/rfc/rfc3775.txt. Accessed 22 August 2016.  Gundavelli, S., Leung, K., Devarapalli, V., Chowdhury, K., Patil, B. (2008). Proxy Mobile IPv6. IETF RFC 5213. http://www.ietf.org/rfc/rfc5213.txt. Accessed 22 August 2016.  http://datatracker.ietf.org/wg/dmm/. Accessed 22 August 2016.  Chan, H.-A., Yokota, H., Xie, J., Seite, P., Liu, D. (2011). Distributed and Dynamic Mobility Management in Mobile Internet: Current Approaches and Issues. Journal of Communications. 6 (1). 4-15.  J.-H. Lee, J.-M. Bonnin, P. Seite, and H. Anthony Chan, "Distributed IP Mobility Management from the Perspective of the IETF: Motivations, Requirements, Approaches, Comparison, and Challenges," IEEE Wireless Communications Magazine, vol. 20, no. 5, pp. 159-168, October 2013.  Ali-Ahmad, Hassan, Kashif Munir, Philippe Bertin, Karine Guillouard, Mary Ouzzif, and Xavier Lagrange (2016). Processing loads analysis of distributed mobility management and SIP-based reachability. Springer Telecommunication Systems: 1-16.  Munir, K., Lagrange, X., Bertin, P., Guillouard, K., Ouzzif, M. (2015). Performance analysis of mobility management architectures in cellular networks. Springer Telecommunication Systems, 59 (2). 211-227.  Bertin, P., Bonjour, S., Bonnin, J.-M. (2008). A distributed dynamic mobility management scheme designed for flat IP architectures. In Proceedings of the Third International Conference on New Technologies, Mobility and Security (NTMS 2008).  Xie, J., Akyildiz, I.F. (2002). A novel distributed dynamic location management scheme for minimizing signaling costs in mobile IP. IEEE Trans. Mobile Computing. 1 (3). 163-175.  Zhai, YuJia, XinYu Mao, Yue Wang, Jian Yuan, and Yong Ren (2013). A DHT-based fast handover management scheme for mobile identifier / locator separation networks. Science China Information Sciences. 56 (12). 1-15.  Bezahaf, Mehdi, Luigi Iannone, Marcelo Dias De Amorim, and Serge Fdida (2009). Transparent and distributed localization of mobile users in wireless mesh networks. In International Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness. Springer Berlin Heidelberg. 513-529.  Stoica, I., Morris, R., Karger, D., Kaashoek, M. F., Balakrishnan, H. (2001). Chord: A scalable peer-to-peer lookup service for internet applications. In Proceedings of the 2001 Conference on Applications, technologies, architectures, and protocols for computer communications (SIGCOMM '01). ACM, New York, NY, USA, 149-160.  Imtiaz, Waqas Ahmed, Muhammad Afaq, and Muhammad Asmatullah Khan Babar (2011). mSCTP Based Decentralized Mobility Framework. International Journal of Advanced Computer Science and Applications. 2 (9). 106-112.  Imtiaz, Waqasa (2013). Two-Tier CHORD for Decentralized Location Management. International Journal of Computer Applications. 69 (4).  D. Simon, B. Aboba, R. Hurst (2008). The EAP-TLS Authentication Protocol, RFC 5216 (Proposed Standard), March 2008.  H. Zhou, H. Zhang, Y. Qin (2009). An authentication method for Proxy Mobile IPv6 and performance analysis. Security and Communication Networks 2 (5). 445-454.  Lee, J.-H., Bonnin, J.-M. (2013). HOTA: Handover optimized ticketbased authentication in network-based mobility management. Elsevier Information Sciences. Volume 230. 64-77.  Steinmetz, Ralf, and Klaus Wehrle (2005). P2P Systems and Applications, LNCS 3485. Springer Berlin Heidelberg. pp. 95-117.  Akl, R. G., Hegde, M. V., Naraghi-Pour, M. (2005). Mobility-Based CAC Algorithm for Arbitrary Call-Arrival Rates in CDMA Cellular Systems. IEEE Transactions on Vehicular Technology. 54 (2). 639-651.  Hong, Rappaport, S.-S. (1986). Traffic Model and Performance Analysis for Cellular Mobile Radio Telephone Systems with Prioritized and Non-Prioritized Handoff Procedures. IEEE Transactions on Vehicular Technology. 35 (3). 77-92.  Thomas, R., Gilbert, H., Maziotto, G. (1988). Influence of the Mobile Stations on the Performance of a Radio Mobile Cellular Network. Proc of the 3rd Nordic Seminar on Digital Land Mobile Radio Communications.

It is therefore an object of the present invention to provide a security and fault tolerant distributed location for an intelligent 5G wireless network in which the average authentication latency is low and the average number of authentication messages per location update can be reduced. And to provide a management method.

In order to accomplish the above object, a security and fault tolerant distributed location management method for an intelligent 5G wireless network according to an embodiment of the present invention comprises the steps of: K (hash of a unique ID (ID _MN ) of a mobile node (MN) Adding or updating a main copy of V [current IP address of MN] pair; Adding or updating a backup copy of the KV pair at the distributed location server; And a ticket-based authentication mechanism (TALM) protocol.

In the security and fault tolerant distributed location management method for the intelligent 5G wireless network according to the above embodiment, the step of adding or updating the main copy of the KV pair may be performed by the mobile node in the code circle Connecting to an access node connected by a line; Requesting the access node to register or update the mobile node location with its location register; The access node identifying the finger table and searching for the closest subsequent K on the code circle; The access node transmitting a registration query or an update query of the location to the subsequent person; The location register of the succeeding entity storing or updating location binding information of the mobile node; And the location register of the succeeding entity returning a registration response to the mobile node in the reverse query path.

In the security and fault tolerant distributed location management method for the intelligent 5G wireless network according to the embodiment, the step of adding or updating the backup copy of the KV pair may be the same as the addition or update of the main copy of the KV pair .

In the security and fault tolerant distributed location management method for an intelligent 5G wireless network according to the above embodiment, the step of performing the TALM protocol may include a step of generating and expiring a ticket and a step of collecting a ticket in a previous access router have.

In the secure and fault-tolerant distributed location management method for an intelligent 5G wireless network according to the above-described embodiment, when generating and terminating the ticket, when it is necessary to register an access router immediately after the mobile node is turned on, Transmitting an initial message to the access router; When the access router receives the initial message, generating a message by adding a random number of the access router to the authentication server, the access router generating a ticket encrypted by the key; The authentication server sending a message to the access router to transmit a key shared by the mobile node and the access router; Causing the access router to use K and a mobile node to communicate using the message; And the mobile node sending a last message with the location update message to the access router.

In the secure and fault-tolerant distributed location management method for an intelligent 5G wireless network according to the above-described embodiment, the ticket collection step may include: a step in which the mobile node transmits a message to a nAR (newly attached access router of the mobile node); Receiving the message from the nAR and transmitting a message to a pAR [the access router of a previously attached mobile node]; And transmitting the message to the nAR by adding the information on the ticket valid time and the key to the pAR.

According to the security and fault tolerant distributed location management method for the intelligent 5G wireless network according to the embodiment of the present invention, K [hash of unique ID (ID _MN ) of mobile node (MN)] - V Adding or updating a main copy of the current IP address pair; Adding or updating a backup copy of the KV pair at the distributed location server; And a ticket-based authentication mechanism (TALM) protocol, thereby reducing the average authentication latency and reducing the average number of authentication messages per location update.

More specifically,

First, since the authentication ticket is reused in TALM, the average authentication latency is significantly lower than that of the conventional EAP-TLS protocol.

Second, as the area of the access node (AN) increases, the mobile node (MN) performs a smaller number of handover authentication, and as a result, the average number of authentication messages decreases.

FIG. 1 is a flowchart illustrating a security and fault tolerant distributed location management method for an intelligent 5G wireless network according to an embodiment of the present invention, in which a main copy of a KV pair is added or updated.
FIG. 2 is a flowchart illustrating a method of generating and expiring a ticket during a step of performing a TALM protocol in a secure and fault-tolerant distributed location management method for an intelligent 5G wireless network according to an embodiment of the present invention.
3 is a flowchart illustrating a ticket collection step of performing a TALM protocol in a security and fault tolerant distributed location management method for an intelligent 5G wireless network according to an embodiment of the present invention.
4 is a diagram illustrating a 6-bit code identifier space applied to a security and fault tolerant distributed location management method for an intelligent 5G wireless network according to an embodiment of the present invention.
5 is a view for explaining fault tolerance in distributed location management applied to a security and fault tolerant distributed location management method for an intelligent 5G wireless network according to an embodiment of the present invention.
FIG. 6 is a diagram for explaining addition / update of a main copy of a KV pair in a security and fault tolerant distributed location management method for an intelligent 5G wireless network according to an embodiment of the present invention.
FIG. 7 is a message flow diagram for explaining a ticket creation and expiration step during a step of performing a TALM protocol in a security and fault tolerant distributed location management method for an intelligent 5G wireless network according to an embodiment of the present invention.
FIG. 8 is a message flow diagram for explaining a ticket collection step of performing a TALM protocol in a secure and fault-tolerant distributed location management method for an intelligent 5G wireless network according to an embodiment of the present invention.
9 is a cell network topology used in the simulation of an embodiment of the present invention.
FIG. 10 is a diagram illustrating an average authentication wait time of the TALM protocol and the conventional EAP-TLS protocol according to an embodiment of the present invention.
11 is a diagram showing the average number of authentication messages per location update of the TALM protocol according to an embodiment of the present invention whenever the valid period of a ticket is changed.
12 is a diagram illustrating the average number of authentication messages per location update in the TALM protocol according to the embodiment of the present invention when the speed of the mobile node MN changes.
13 is a diagram illustrating the average number of authentication messages per location update of the TALM protocol according to the embodiment of the present invention when the AN area is changed.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

FIG. 1 is a flowchart illustrating a security and fault tolerant distributed location management method for an intelligent 5G wireless network according to an embodiment of the present invention, wherein a main copy of a KV pair is added or updated. FIG. FIG. 3 is a flow chart for explaining a step of generating and expiring a ticket during a step of performing a TALM protocol in a secure and fault-tolerant distributed location management method for an intelligent 5G wireless network according to an embodiment of the present invention. FIG. 4 is a flow chart for explaining a ticket collecting step during a step of performing a TALM protocol in a security and fault tolerant distributed location management method for an intelligent 5G wireless network by an intelligent 5G wireless network according to an embodiment of the present invention. A 6-bit code identifier space for security and fault-tolerant distributed location management methods FIG. 5 is a view for explaining fault tolerance in distributed location management applied to a security and fault tolerant distributed location management method for an intelligent 5G wireless network according to an embodiment of the present invention. FIG. FIG. 7 is a diagram illustrating a security and fault-tolerant distributed location management method for an intelligent 5G wireless network according to an exemplary embodiment of the present invention, FIG. 8 is a flowchart illustrating a security and fault-tolerant distributed location management method according to an exemplary embodiment of the present invention; FIG. 8 is a flowchart illustrating a security and fault- In the distributed location management method, the ticket collection step of performing the TALM protocol A message flow diagram for patients.

First, the operation related to the embodiment of the present invention will be described.

[Mobility management and handover authentication]

The distributed and dynamic location management scheme proposed in [Non-Patent Document 9] reduces signal traffic and signal delay compared with IETF Mobile IP. The authors proposed a method to dynamically adjust the network boundary of each mobile node (MN) according to the latest mobility and traffic load to distribute the signal load.

DHT based mechanisms have been extensively proposed to solve other problems in wireless networks. In [Non-Patent Document 10], an improved handover management mechanism based on DHT has been proposed. [Non-Patent Document 11] also proposed a DHT-based distributed localization service for a wireless mesh network. A mechanism using a mobile stream control transmission protocol (mSCTP) for improved transmission and a chord DHT (proposed in non-patent document 12) for location management to reduce packet loss due to IP handover [Non-Patent Document 13 ]. [Non-Patent Document 14] introduces a two-layer code DHT for distributed location management using nodes having high computation capability and stability as a location server.

EAP-TLS (proposed in non-patent document 15) is a general authentication method widely used in existing wireless mobile networks. It performs an initial and full EAP exchange for the mobile node (MN) for handover authentication. EAP-TLS has been introduced and analyzed as a basic authentication method, but performance optimization has not been achieved with this method. For example, when a mobile node (MN) changes its connection point, the quality of the user experience deteriorates because the mobile node (MN) must perform a full EAP exchange that causes a long waiting time. In order to solve this problem, the performance optimization of handover authentication has been studied. For example, when a mobile node (MN) performs a handover authentication with another access router in a PMIPv6 environment, the authentication scheme presented in the non-patent document 16 is a local Use a certificate. In [Non-Patent Document 17], a Handover Optimized Ticket-based Authentication (HOTA) in which a mobile node (MN) reuses a credential issued by an authentication server in a PMIPv6 environment to secure handover authentication in another access network has been proposed.

Since the proposed scheme considers a fixed size access network area (ie, the area covered by the access router), the work of this paper differs from the distributed and dynamic management approach of [Non-Patent Document 9]. In addition, the proposed scheme introduces replication strategy for secure location management based on DHT. Our study suggests that previous DHT-based mechanisms [Non-Patent Document 10], [Non-Patent Document 11], and the like have been proposed since the proposed scheme extends all DHTs to provide fault tolerance of location management, , [Non-Patent Document 13], and [Non-Patent Document 14]. Compared to traditional authentication methods, it focuses on providing application-level security developed for DMM

[Chord DHT]

Code is a protocol and algorithm for peer-to-peer DHT. The center column of the DHT is an identifier of n bits in the range [0, 2n-1]. The identifier of the node is its ID. The identifier of the data item is its key. Both the node and the data item are mapped to the same n-bit code identifier space. The key and value pair (K, V) is hosted on a node whose ID is K or greater. The node in the code circle is responsible for all the keys that are in the counterclockwise direction to the previous node [proposed in non-patent document 18].

Figure 4 shows a 6-bit code identifier circle with 10 nodes and 7 data items. N8 is a succeeding node in the clockwise direction of K5, and the succeeding node of K43 is N43 whose identifier is the same. Every node maintains a routing table called a finger table that points to another node in the identifier circle. The finger table has n entries in a circle with an identifier of n bits. The finger table entry of row i at node p identifies the first node, p + 2 ^{i- 1} , that follows at least by 2 ^i-1 , p. Where 1? I? N. For example, the third finger (8 + 2 ² = 12) is N15. The i-th finger of the node in the finger table is always immediately after the identifier circle. For routing purposes, each finger entry consists of a node ID, an IP address, and a pair of ports. If the query reaches node p in such a way that K is placed between the numerically closest subsequent values in the finger tables of p and p, then node p reports to the successor in response to the query.

Hereinafter, a security and fault tolerant distributed location management method for an intelligent 5G wireless network according to an embodiment of the present invention will be described.

To implement Fault Tolerant Distributed Location Management, we choose a fingerprint table based code DHT. The chord is desirable because it is a simple and efficient protocol for storing, updating and retrieving location bindings of the MN at O (logm) time. Where m is the total number of access networks in the cellular network.

In an embodiment of the invention, all mobile nodes (MNs) are uniquely identified by an ID (identifier) (e.g. URI SIP: MN0@abc.com) or a fixed IP address of the MN. This ID is not changed. The mobile network is composed of an access node (AN). In a centralized network, the location register (LR) is an independent entity. You can distribute the LR functions to all ANs. That is, the AN has both the AR (access router) function and the LR function. The MN can access the Internet through the AN's AR. The IP prefix is connected to the AR. That is, if the MN is managed by an AN, the MN obtains the IP address to which the prefix is attached to the AR of the AN j. The location of the MN is managed by the LR, and the LR knows the relationship between the MN's identity and the prefix. Knowing the location of the MN is therefore like knowing its IP address.

The data item is the ID of the MN and the node is the AN of the mobile network. Maps the key and AN to the code circle using the hash value generated by the MN's identity and the network prefix of the AN. Each MN has an ID _MN which is a unique ID used to generate K. [ The hash value of the AN network prefix and the hash value of the MN ID are mapped to the same address space. The LR maintains the location binding information of the MN in the cellular network. Each entry in the LR maintains a KV pair. In the proposed scenario, K is the hash of the ID _MN and V is the current IP address of the MN

The secure and fault-tolerant distributed location management method for an intelligent 5G wireless network according to an embodiment of the present invention includes the steps of: K [hash of unique ID (ID _MN ) of mobile node (MN)] -V [ Adding or updating a main copy of the address pair; Adding or updating a backup copy of the KV pair at the distributed location server; And a ticket-based authentication mechanism (TALM) protocol.

[Addition or update step of K-V pair in distributed location server]

In the embodiment of the present invention, a fault-tolerant distributed location server has been proposed. Fault tolerance is achieved through a single level of replication of the location binding of the mobile node (MN). The probability that two peers (i.e., the access node (AN)) that maintains the main and backup copies of the location binding of the mobile node (MN) will collapse simultaneously is close to zero. It is therefore reasonable to consider only a single level of replication as shown in FIG. 5 shows a code circle in which eight access nodes (AN) are mapped. This figure shows that the backup copy of the K-V pair maintained at AN7 is accessed by the Correspondent Node (CN) if it is a failure of the main copy maintained at AN3.

The addition or update step of the K-V pair in the distributed location server will be described separately in the step of adding or updating the main copy of the K-V pair and the step of adding or updating the backup copy of the K-V pair.

Add or update main copy of K-V pair

The step-by-step procedure of adding or updating the main copy of the K-V pair will now be described with reference to FIGS.

Upon addition or update of the main copy of the KV pair, the pair is assigned to a peer that is the first succeeding K = hash (ID _MN ) in the code circle.

Through the currently connected AN (i.e., peer), the mobile node (MN) sends a registration or update of the location to its underlying LR. The location information stored with the key is the current IP address of the MN.

When a mobile node (MN) receives a location registration query or an update query, the peer confirms whether or not K is included in the address space managed by the mobile node (MN). Registers or updates the location if K is included, and notifies the mobile node MN of the acknowledgment. If K is not included, check its finger table to find the nearest successor of K in the code circle and send the query to its next node. This process continues until the target node managing the relevant K is found. The process of adding or updating a K-V pair in the distributed location server of an embodiment of the present invention is described with the aid of a simple example where ten ANs are mapped to a six bit code circle. 6 shows a process of adding or updating a K-V pair.

First, the mobile node MN connects to the access node AN (AN8 in FIG. 6) connected to the current line in the code circle to register or update its position (S110).

Subsequently, in step S120, the access node AN8 requests the location register or update of the mobile node MN to its location register LR.

In step S130, the access node AN8 identifies the finger table and searches for the closest subsequent K (AN43) on the code circle.

More specifically, the location register LR of the access node AN8 calculates K = hash (ID _MN ). The default location register (LR of AN8) checks whether the address space managed by it contains K. LR does not find K. Therefore, the access node AN8 identifies the finger table to search for the closest subsequent K on the code circle. As shown in Figure 6, the closest subsequent to K is AN43.

In step S140, the access node AN8 transmits the registration query or the update query of the position to the succeeding node AN43.

In step S150, the location register LR of the access node AN43 stores / updates the location binding information of the mobile node MN.

In step S160, the location register LR of the succeeding client AN43 returns a registration response in the reverse query path to the mobile node MN.

A location search query from a CN (Correspondent Node) is processed in the same manner as described above. As a result of the location query, the CN obtains the current IP address of the mobile node (MN) when providing the ID _MN .

Steps to Add or Update Backup Copies of K-V Pairs

Upon addition or update of a backup copy of a K-V pair, the pair is assigned to the peer which is the first successor of K '= succeeding party (hash (ID _MN )) + (2 ⁿ / 2) on the code circle. The steps to add or update a backup copy of a KV pair are the same as those described for adding or updating a main copy. It is emphasized that the failure of the AN (peer) in the proposed mechanism is a rare case as opposed to the typical P2P system.

[TALM (ticket-based authentication mechanism) protocol step]

In the embodiment of the present invention, a TALM protocol for providing security to the distributed location management method is proposed. The authentication process can be divided into two parts:

First, authentication (ticket creation and expiration) when the security certificate (performing authentication) of the mobile node (MN) expires or when the mobile node (MN) is first turned on.

Second, authentication (previous ticket collection in the AR) in the IP handover of the mobile node (MN) in which the mobile node (MN) needs to acquire the necessary security certificate in the previous access router (AR).

AN = AR + LR. That is, the access node AN has both an AR (access router) and an LR (location register) function.

The symbols used extensively in the protocol are listed in [Table 1] below.

symbol  meaning Symbols used for MN X message AS Authentication server MN Mobile node A∥B Combination of Messages A and B K _AB Key shared between A and B E (K, X) Message X encrypted with key K N _A A random number generated by A (random number) ID _MN MN's unique ID AR Access router ID _AR Unique ID of AR TK ticket TT Start time and end time

It is assumed that K _AS-MN, which is a key shared between the authentication server AS and the mobile node _MN, and K _{AS-AR, which} is a key shared between AR and AS, already exist. The authentication server AS only needs to provide the session key K _{MN-AR that} is shared with the mobile node MN and the access router AR.

Ticket creation and expiration

The TALM step for ticket creation and expiration will be described with reference to FIGS. 2 and 7. FIG.

First, when it is necessary to register the access router (AR) immediately after the mobile node (MN) is turned on, the mobile node (MN) transmits an initial message (MN _Reg ) to the access router (AR) The node MN creates a new ticket due to the expiration of the previous ticket (S210).

MN -> AR: MN _Reg (ID _MN ∥ID _AR ∥N _MN )

N _MN is a complement (random number) generated by the mobile node (MN).

Subsequently, in step S220, when the access router AR receives the initial message (MN _Reg ), it adds its own random number to generate a message (MN _Reg AS _Msg ) and transmits it to the authentication server AS.

AR-> AS: MN _Reg AS _Msg (E (K _AR-AS, ID _MN ∥ID _AR ∥N _MN ∥N _AR ))

The Access Router (AR) encrypts this message before sending it to the AS using a key shared with the Authentication Server (AS).

In step S230, the authentication server AS generates the next ticket.

TK = E (K _TK , K _MN-AR ∥ID _MN ∥TT)

This ticket is encrypted using a different key (K _TK ). Within this ticket there are K _MN-AR (shared between MN and AR) and time (TT) when this ticket is valid. The authentication server AS wants to transmit the K _MN-AR to both the mobile node MN and the access router AR.

In step S240, the authentication server AS sends a message (AS _Res ) to the access router _AR to transmit the key K _MN-AR shared by the mobile node MN and the access router AR.

AS -> AR: AS _Res (ID _MN ∥TK∥E (K _MN-AS, K _MN-AR ∥ID _AR ∥TN _MN )

E (K _AR-AS ; K _TK? T T? N _AR )

The access router AR can extract only the E (K _AR-AS , K _TK ∥TT∥N _AR ) portion of the message. When the AR obtains the K _TK , the T K can be decoded to extract the K _MN-AR .

In step S250, the access router AR makes a communication between K and the mobile node MN using the message RegRes.

AR-> MN: RegRes (ID _MN ∥TK∥E (K _MN-AS, K _MN-AR ∥ID _AR ∥TN _MN )

When using the AS and its key, the MN can extract the K _MN-AR .

In step S260, the mobile node MN transmits the last message (AuthMsg) together with the location update message to the access router AR to authenticate itself.

Both the access router (AR) and the mobile node (MN) have a K _MN-AR and know the expiration of the ticket.

MN → AR: AuthMsg (ID _AR ∥TK∥E (K _MN-AR ; ID _MN ∥IP-Addr∥ (N + 1) MN))

If the access router (AR) successfully decodes the message, the mobile node (MN) has successfully authenticated itself. IP-Addr is the current IP address of the securely-transferred mobile node (MN). Random numbers are used in messages to prevent man-in-the-middle replay attacks. The flow of the message is shown in Fig.

Retrieval of Tickets on the Previous Access Router (AR)

The ticket collection step in the previous access router AR will be described with reference to FIGS. 3 and 8. FIG.

First, the mobile node (MN) transmits a message (nAR _Reg ) to an nAR (newly attached access router (AR) of the mobile node (MN)) unknown to the K _MN-AR (S310).

MN - nAR: nAR _Reg (TK∥ID _MN ∥N _MN + 1)

Here, N _MN is a random number generated by the MN.

Subsequently, in step S320, the nAR receives the message (nAR _Reg ) and transmits the message (MN _Reg-pAR ) to the _pAR having the K _MN-AR (the _AR of the previously attached MN).

nAR? pAR: MN _Reg-pAR (E (K _pAR-nAR , ID _MN? MNN + 1)

In step S330, the pAR adds information on the ticket valid time and the key (K _TK ), and sends the message (MN _RegRes ) back to the nAR. The pAR encrypts this using a key shared with the nAR.

pAR nAR: MN _RegRes (E (K _pAR-nAR , ID _MN? TTK _TK ))

The nAR decrypts the message (MN _RegRes ) to obtain a ticket using the key shared with the _pAR . When K _TK is acquired, TK is decrypted and K _{MN -AR} is extracted. The flow of the message is shown in Fig.

This section proposes a protocol (TALM) that makes the proposed location management secure. How the mobile node (MN) interacts with the access router (AR), and how the ticket is generated by the authentication server (AS) for the user session. We also showed how to reuse tickets to shorten authentication latency.

The next section evaluates the performance of TALM.

[Performance evaluation]

Compare TALM with EAP-TLS. EAP-TLS-based authentication performs an EAP exchange between the mobile node (MN) and its authentication server (AS); There is no concept of ticket reuse in EAP TLS. In general, successful EAP-TLS authentication has four stages of the authentication process (disclosed in non-patent document 17).

Performance Metrics

Evaluating the protocol according to an embodiment of the present invention by calculating the performance metric, and comparing the result with EAP-TLS results. The simulation program is written in C ++. The simulation time is one year.

Authentication latency: The authentication latency can be determined by generating a ticket or by renewing a ticket when it expires, [generated by a mobile node (MN) authenticating itself to the access router (AR) for the first time) It is the waiting time to get the ticket back from the previous AR. The IP handover occurs when the mobile node (MN) changes its network access point. The average authentication wait time is calculated by dividing the accumulated authentication wait time in a certain period by the total number of location update messages in that period.

Number of Authentication Messages per Location Update Message: If a TALM protocol step is required, the number of authentication messages for a certain period of time can be used as the number of authentication messages for the mobile node (" MN) authenticates itself to the AR. The number of authentication messages per location update message is calculated by dividing the total number of authentications performed by the mobile node (MN) by the total number of location update messages sent by the MN within a certain period of time.

Calculation of TALM authentication latency

The number of hops between the access router AR and the authentication server AS is set to nhops and the message transmission delay in one hop is set as T _MN-AR and the number of hops from the mobile node MN to the authentication server AS Let T _MN-AS the message transmission delay.

The same parameter setting as that defined in [Non-Patent Document 17] is used. In the interval [5,9] (i.e., _MN-AR T = 20ms) select nhops value, and in the interval [10, 40] in m / s are taken, the speed of the MN, the interval [100, 200] MN in m The radius of the AR-area is taken.

There may be n hops between the access router (AR) and the authentication server (AS). Therefore, the message transmission delay from the access router (AR) to the authentication server (AS) is T _AR-AS = nhops ㅧ T _MN-AR .

In the message transmission from the mobile node (MN) to the authentication server (AS), the delay is divided into two parts. First, a message is sent from the mobile node (MN) to the access router (AR), and second, a message is sent from the access router (AR) to the authentication server (AS). This transmission delay is T _MN-AS = T _MN-AR + T _AR-AS = 20 ms + (nhops × T _MN-AR ).

The order of the ticket creation message is as follows.

1) MN-> AR; 1 hop, 0.02s

2) AR-> AS; n hops, n x 0.02 s

3) AS-> AR; n hops, n x 0.02 s

4) AR-> MN; 1 hop, 0.02s

5) MN-> AR; 1 hop, 0.02s

Since the number of hops between the mobile node MN and the access router AR is 1 and the number of hops between the access router AR and the authentication server AS is nhops since the message transmission delay per hop is 0.02s, The total authentication process time = T (MN? AR) + T (AR? AS) + T (AS? AR) + T (AR? MN) + T (MN? AR) = 0.02 + (nhops x 0.02) × 0.02) + 0.02 + 0.02s.

The sequence of ticket creation messages is as follows.

1) MN-> nAR; 1 hop, 0.02s

2) nAR-> pAR; 1 hop, 0.02s

3) pAR-> nAR; 1 hop, 0.02s

(NAR- > pAR) + T (pAR- > nAR) = 0.02 + 0.02 + 0.02s.

Calculation of authentication latency for EAP-TLS

The initial authentication delay is an authentication delay when the mobile node (MN) creates or updates a ticket upon its expiration. As calculated in the Non-Patent Document 17], it is _{3T MN-AR + T AR-} AS + T (m, T MN-AS), where T _MN-AR is a transmission delay between MN and the AR, T _AR-AS is the transmission delay between AR and AS, T (m, T _MN-AS ) is a function of T when m = 4, and the transmission delay between MN and AS is T _MN-AR + T _AR-AS to be.

As calculated in [Non-Patent Document 17], the handover authentication delay in EAP-TLS = L ₁₂ + initial authentication delay + D _SA + D _RS + D _REG + D _PLMA . In this case, L ₁₂ = 0.04535, D _SA = 4T _MN-AR , D _RS is the transmission delay between the MN and the AR, and D _REG = 2T _AR-LMA and D _PLMA = T _{AR -AS} + T _MN-AR .

Discussion with results

Hereinafter, network topology, parameter settings, simulation results, and result discussions are provided.

In the situation shown in FIG. 9, a rap-around cell network topology of 19 hexagonal ANs was used.

For the simulation, the residence time α of the AN-region to be a random variable of the exponential distribution selected in [Non-Patent Document 7], [Non-Patent Document 19] - [Non-Patent Document 21] is selected. The results of the seven scenarios in Table 2 are presented and discussed in the next section.

S. # Performance Metrics Variable parameter Parameter value One Authentication latency nhops Ticket lifetime = 24 hrs, nhops ∈ {5,6,7,8,9},
Speed = 1 m / s,
AN-Area = 10 ⁴ km ² 2 Number of authentication messages per location update Ticket life Ticket lifetime ∈ {12,24,48,72} hrs,
nhops = random {5,9},
Speed = 1 m / s,
AN-Area = 10 ⁴ km ² 3 Number of authentication messages per location update Average speed of MN Ticket life = 24hr,
nhops = random {5,9},
The velocity ε1, 5, 10 m / s,
AN-Area = 10 ⁴ km ² 4 Number of authentication messages per location update AN-AREA Ticket life = 24hr,
nhops = random {5,9},
Speed = 1 m / s,
AN-area ∈
10 ⁴ , 10 ³ , 10 ² , 10.1 km ²

Average authentication latency

Compare the average authentication latency of TALM with the EAP-TLS time. The variable parameter for this experiment is nhops. The results of this experiment are shown in Fig. As nhop increases, the average authentication latency of both protocols increases. The results show that TALM outperforms EAP-TLS. As shown in FIG. 10, the simulation result of TALM is calculated in the 95% confidence interval. The reduction rate of authentication latency by TALM is almost close to 99%. This is mainly due to the reuse of authentication tickets in TALM.

The average number of authentication messages per TALM's location update

Figure 11 shows the average number of authentication messages per location update whenever the validity period of a ticket is changed. The average number of authentication messages per location update decreases as the ticket validity period increases. For a longer lifetime of the ticket, the MN will face an expiration of the authentication ticket fewer times than the expiration time if the lifetime is shorter.

FIG. 12 shows the effect on the number of average authentication messages per location update when the speed of the mobile node (MN) changes. It can be seen that the average number of authentication messages increases with increasing speed. This is because the mobile node (MN) experiences more IP handover as the speed increases. Therefore, the mobile node (MN) performs more handover authentication and as a result, the average number of authentication messages increases.

13 shows the effect on the average number of authentication messages per location update when the access AN-area is changed. As the AN-area increases, the average number of authentication messages decreases. This is because the mobile node (MN) receives less IP handover as the AN-area increases. Therefore, the mobile node (MN) performs a smaller number of handover authentication, and as a result, the average number of authentication messages decreases

According to the security and fault tolerant distributed location management method for the intelligent 5G wireless network according to the embodiment of the present invention, K [hash of unique ID (ID _MN ) of mobile node (MN)] -V [MN Adding or updating a main copy of the current IP address pair; Adding or updating a backup copy of the KV pair at the distributed location server; And a ticket-based authentication mechanism (TALM) protocol, thereby reducing the average authentication latency and decreasing the average number of authentication messages per location update.

More specifically,

First, since the authentication ticket is reused in TALM, the average authentication latency is significantly lower than that of the conventional EAP-TLS protocol.

Second, as the area of the access node (AN) increases, the mobile node (MN) performs a smaller number of handover authentication, and as a result, the average number of authentication messages decreases.

Although the best mode has been shown and described in the drawings and specification, certain terminology has been used for the purpose of describing the embodiments of the invention and is not intended to be limiting or to limit the scope of the invention described in the claims. It is not. Therefore, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the scope of the present invention. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.

MN: mobile node
AS: Authentication Server
AR: Access Router
AN: access node
LR: Position register

Claims (6)

Adding or updating a main copy of K [hash of unique ID (ID _MN ) of mobile node (MN)] -V [current IP address of MN] at the distributed location server;
Adding or updating a backup copy of the KV pair at the distributed location server; And
And performing a ticket-based authentication mechanism (TALM) protocol for the intelligent 5G wireless network. The method according to claim 1,
The step of adding or updating the main copy of the KV pair comprises:
Connecting to an access node (AN8) connected in a line within the code circle for the mobile node (MN) to register or update its location;
The access node AN8 requesting registration or update of the location of the mobile node (MN) with its location register (LR);
The access node AN8 verifying the finger table and searching for the closest K of the closest K on the code circle;
The access node AN8 transmitting a registration query or an update query of the location to the succeeding party AN43;
The location register (LR) of the succeeding node (AN43) storing or updating location binding information of the mobile node (MN); And
And wherein the location register (LR) of the succeeding client (AN43) returns a registration response in the reverse query path to the mobile node (MN). 3. The method of claim 2,
Wherein adding or updating the backup copy of the KV pair is the same as adding or updating the main copy of the KV pair. The method according to claim 1,
Wherein performing the TALM protocol comprises generating and expiring a ticket and collecting a ticket at a previous access router (AR). ≪ Desc / Clms Page number 19 > 5. The method of claim 4,
Wherein the generating and expiring of the ticket comprises:
(MN _Reg ) from the mobile node (MN) to the access router (AR) when it is necessary to register the access router (AR) immediately after the mobile node (MN) ;
When the access router (AR) receives the initial message (MN _Reg ), generating a message (MN _Reg AS _Msg ) by adding its random number and transmitting it to the authentication server (AS)
The authentication server (AS) generating a ticket encrypted by a key (K _TK );
Sending a message (AS _Res ) to the authentication server (AS) to the access router ( _AR ) to transmit a key (K _MN-AR ) shared by the mobile node (MN) and the access router (AR);
Causing the access router (AR) to communicate with K and the mobile node (MN) using a message (RegRes); And
Wherein the mobile node (MN) sends a last message (AuthMsg) with a location update message to the access router (AR). 5. The method of claim 4,
Wherein the ticket collection step comprises:
The mobile node (MN) sending a message (nAR _Reg ) to an nAR (newly attached access router of the mobile node (MN));
Receiving the message and sending a message (MN _Reg-pAR ) to a _pAR (an access router of a previously attached mobile node (MN)); And
And sending the message (MN _RegRes ) to the nAR by adding information about the ticket valid time and key (K _TK ) to the _pAR .

Images