5.1. Security Analysis
Compared with the original EAP framework, our proposed framework differs in that the three layers of the EAP framework do not resident in one entity: in our framework, the Authentication Layer and the EAP Layer reside in USIM, while Data-Link Layer in TE. The function of the Data-Link Layer is to encapsulate and decapsulate EAP messages which does not involve security-sensitive operations (e.g., encryption or decryption), therefore, this difference will not result in the security compromise of the EAP framework.
Just as the 802.11i, our scheme just provides a framework for authentication protocols. In the proposed framework, the authentication protocols does not need any change and their security is maintained.
Therefore, the security of the proposed framework mainly lies in the defense of the attacks against USIM because there will be security-sensitive information and operations in it, such as the shared key, as well as the encryption and decryption. The attacks are divided into two classes which are invasive attacks and noninvasive attacks [
19].
(1)
Invasive attacks mainly include removing the chip from the card, reverse engineering the chipset, and microprobing. To counteract the reverse engineering, a number of copy trap features can be incorporated into the chip designs and to introduce complexity into the chip layout and to use nonstandard cell libraries. To counteract the microprobing, a simple self-test procedure can be added to the smart card that takes an arbitrary input, encrypts and decrypts under an arbitrary key, and compares the result with the original block. Another solution involves disconnecting almost all of the CPU from the bus, leaving only the EEPROM and a CPU component that can generate read accesses [
19].
(2)
For noninvasive attacks, four major classes can be distinguished [
19].
Timing Attacks or Chosen-Plaintext Attack
In order to countermeasure this attack, chosen-plaintext attack-resilient cryptography algorithms should be employed. Or, the maximum times of retrying of PIN should be limited [
19].
Software Attacks
For example, a Trojan horse application could be used to transport an attack. A countermeasure to prevent this attack is to use a unique-access device driver architecture. Another way to prevent the attack is by using a smart card that enforces a "one private key usage per PIN entry" policy model [
19].
Power and Electromagnetic Analysis Attacks
Simple Power Analysis, differential power analysis (DPA) [
20,
21] and electro magnetic analysis (EMA) [
22] all belong to this attack. These techniques for preventing DPA and related attacks fall roughly into three categories. Firstly, signal size can be reduced. Secondly, noise may be introduced into power consumption measurements. Another technique involves the use of nonlinear key update procedures [
19].
Fault Generation Attacks
These attacks rely on stressing a smart card processor in order to make it perform illegal operations or give faulty results. Power and clock transients can be used to affect the decoding and execution of individual instructions. A possible countermeasure would be to remove completely the clock, transforming the smart card processors in self-timed asynchronous circuits [
19].
Here, we mainly concern the influence of the proposed framework on existing authentication methods in the latency aspect. The authentication latency is made up of three parts which are (1) propagation latency, (2) transmission latency and (3) computation latency. In the following, we will analyze the influence resulting from the authentication framework in those three parts.
Propagation Latency
Comparing with 802.11i [
13], the four-way handshake is unnecessary in our framework, because in order to be compatible with the existing message protection method for the air interface, we employ the keys of the original authentication protocol (such as the CK and IK of UMTS-AKA) rather than the keys derived from the four-way handshake. In addition, the original authentication protocol remains unchanged in the proposed framework and only three EAP messages are added that are EAPOL-Start, EAP-Request/Identity and EAP-Success, which can be shown by comparing UMTS-AKA (shown in Figure
3) with EAP-AKA (shown in Figure
5).
Transmission Latency
In the proposed framework, the message length will become longer because the EAP encapsulation is introduced. EAP header includes Code, Identifier, Length, and Type fields which length is 40 bits [
23]. The bandwidth of UMTS is below 2 Mbps, such as 56 kbps, 64 kbps [
24], therefore, the introduction of new transmission delay for each message is more than 0.02 ms. But for the LTE and 4G, their bandwidth is over 20 Mbps [
25] and the resulting transmission latency can be neglected.
Computation Latency
In the new framework the computation of the protocol also retains unchanged, for example, the computation of EAP-AKA is same as that of UMTS-AKA. Therefore, the new framework does not introduce extra computation delay.
As a whole, for LTE and 4G, the extra authentication delay resulting from the new framework is the propagation delay of the three EAP messages (EAPOL-Start, EAP-Request/Identity and EAP-Success). While for UMTS, it should plus the extra transmission delays resulting from EAP header which is more than 0.02 ms for each EAP message.
To be more specific, in the following UMTS AKA is taken as an example to show this influence. Without the proposed framework, in UMTS UE has to run the UMTS AKA to authenticate with the core networks. While in our framework, UE will take use of the EAP-AKA to perform the authentication. In the following, we will compute the latency of EAP-AKA and UMTS AKA in the UMTS environment and compare them.
From [
26], we can get that in 3G-WLAN interworking the authentication latency of EAP-AKA in nonroaming case is
, among which the calculation delay of AKA algorithm on the USIM is 78.46 ms where the USIM CPU is 3.25 MHz [
27]. From this value, we can derive the latency of EAP-AKA in UMTS. The difference resulting from the communication environment will just affects the propagation latency and transmission latency. We think in propagation latency their difference can be neglected, because in the wired part (core network) they are same and in the air part the speed of the electromagnetic wave is so fast (almost
m/s) that the propagation latency in this part can be neglected. Consequently, their only difference lies in the transmission latency in the air part where the total message amount is 2984 bits in EAP-AKA. In the 3G-WLAN interworking the bandwidth of WLAN is 11 Mbps, so the transmission latency is 0.271 ms. While in UMTS, its bandwidth is set as 2 Mbps, therefore, the transmission latency is 1.492 ms. Thus, the authentication latency of EAP-AKA in UMTS is
. That is, with our proposed scheme, the latency of EAP-AKA in UMTS is 504.204 ms.
From the analysis above, we get that the latency of UMTS AKA should be
, because there are 6 EAP messages in EAP-AKA.
From the results above, we can get that for the UMTS AKA, with our framework its authentication latency is almost same as the original one. These results are given in Table
1. For other authentication methods (such as the EPS AKA), their latencies are bigger and the influence of our framework can be neglected.
Table 1
Latency influence of the framework: UMTS AKA as an example.