The nature of mobile communication, characterized by terminals with poor interfaces and limited processing capacity as well as a complex combination of network protocols, makes the design of security solutions particularly challenging. In wireless networks, authentication can provide secure communications by preventing unauthorized usage and negotiating the credentials for data transmission. Nevertheless, it induces heavy overhead on data transmission, further deteriorating overall system performance. Thus, an analysis of the impact of authentication on security and QoS is realized in this paper.
Keywords: QOS, Wireless Security, Mobile User, Wireless IP Networks, Authentication, Heterogeneous Networks.
The tremendous advance of wireless communication technologies has facilitated ubiquitous Internet service, while inducing more challenges to security due to the open medium [1]. In order to provide security services in wireless IP networks, authentication is used as an initial process to authorize a mobile user (MU) for communications through secret credentials. In an authentication process, an MU is required to submit secret materials such as certificates and challenge/response values for verification and for encryption/decryption with session keys and algorithms [3]-[6]. By rejecting unsuccessfully authenticated users, authentication can protect the network resources. Information secrecy and data integrity can also be guaranteed by using the negotiated credentials for encryption and message authentication. Meanwhile, authentication also affects the quality of service (QoS) greatly.
When a public-key based authentication mechanism is applied, the computational complexity of encryption/decryption consumes more time and power. For secret-key based challenge/response authentication, the credentials of the MU are encrypted and transmitted for remote verification hop-by-hop among authentication servers. The transmission and encryption/decryption of credentials affect many QoS parameters such as delay, call dropping probability, and throughput. Therefore, in some scenarios, a tradeoff between security service and system performance should be considered because users may have different preferences with respect to security and performance.

Moreover, authentication requests are closely related to the mobility and traffic patterns of MUs because these requests are generated when an MU either initiates a call or crosses a boundary between subnets. Therefore, the impact of authentication on QoS parameters is far more sophisticated when mobility and traffic patterns are taken into account.

Since authentication affects both security and QoS, many authentication schemes have been proposed, focusing on security and efficiency. However, none of them provides a quantitative analysis of security and system performance simultaneously, nor do they show the connection between security and system performance. Furthermore, mobility and traffic patterns, which are important features of wireless networks, are not considered in the evaluation of authentication.
II QOS IN WIRELESS COMMUNICATION
Guaranteeing the QoS requirements is a challenging task in wireless communication. One of the key elements in providing QoS is an effective resource allocation policy, which not only ensures meeting the QoS of newly arriving calls, if they are accepted, but also avoids deteriorating the existing on-going services. These enhancements will enable a better mobile user experience and will make more efficient use of the wireless channel.
The performance of a system with given physical resources (e.g., the available bandwidth of the radio spectrum) depends heavily on its resource management schemes, including the multiple access techniques, the call admission control policies and the congestion control schemes. To make efficient use of the available bandwidth while providing high quality of service (QoS) to simultaneous services with different requirements, efficient resource management schemes have to be devised.
Many real-time applications can use different encoding schemes according to their desired quality and generate traffic with different bandwidth requirements. For example, generic video telephony may require more than 40 Kbps, but low-motion video telephony requiring about 25 Kbps may be acceptable. From the standpoint of a system administrator, this property provides an alternative for resource planning, especially for bandwidth allocation in wireless networks. In wireless networks, where bandwidth is a scarce resource, the system may need to block incoming users if all of the bandwidth has been used up to provide the highest QoS to existing users. However, if these users can be degraded to a lower QoS level, it is possible to reduce the blocking probability without degrading the QoS of existing users to an "unacceptable" level. Various approaches and algorithms adopting this idea have been proposed. One graceful degradation mechanism increases bandwidth utilization by adaptively adjusting bandwidth allocation according to user-specified loss profiles. Thus, a system can free some bandwidth for new users by lowering the QoS levels of existing users.
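As an added illustration (not code from the essay), a small admission-control model of the graceful-degradation idea above: each call runs at one of two QoS levels, the page's 40 Kbps generic and 25 Kbps low-motion video telephony rates, and existing calls are degraded one at a time before a newcomer is blocked. The capacity and the arrival/departure sequence are constructed values.

```python
# Constructed example: each adaptive call runs at QoS level 0 (generic video
# telephony, 40 Kbps) or can be degraded to level 1 (low-motion, 25 Kbps).
LEVELS_KBPS = (40, 25)
LOWEST = len(LEVELS_KBPS) - 1


def bandwidth(calls):
    """Total bandwidth used by on-going calls given as a list of QoS levels."""
    return sum(LEVELS_KBPS[lvl] for lvl in calls)


def admit(calls, capacity, degrade=True):
    """Try to admit one new call at the highest level.

    Returns (accepted, new list of levels). With degrade=True the scheme
    lowers existing calls one at a time (the newcomer last) until the new
    call fits; it blocks only if even the lowest levels do not fit.
    """
    trial = list(calls) + [0]
    if bandwidth(trial) <= capacity:
        return True, trial
    if not degrade:
        return False, list(calls)
    for i in range(len(trial)):
        if trial[i] < LOWEST:
            trial[i] += 1
            if bandwidth(trial) <= capacity:
                return True, trial
    return False, list(calls)


def release(calls, capacity):
    """After a call leaves, restore degraded calls while capacity allows."""
    calls = list(calls)
    for i in range(len(calls)):
        while calls[i] > 0 and (bandwidth(calls) - LEVELS_KBPS[calls[i]]
                                + LEVELS_KBPS[calls[i] - 1]) <= capacity:
            calls[i] -= 1
    return calls


def blocking_rate(events, capacity, degrade):
    """events: string of 'A' (call arrival) and 'D' (oldest call departs).
    Returns the fraction of arrivals that were blocked."""
    calls, blocked, arrivals = [], 0, 0
    for ev in events:
        if ev == "A":
            arrivals += 1
            ok, calls = admit(calls, capacity, degrade)
            blocked += 0 if ok else 1
        elif calls:
            calls = release(calls[1:], capacity)
    return blocked / arrivals if arrivals else 0.0
```

With a constructed 100 Kbps cell, five back-to-back arrivals see a 60% blocking rate without degradation and 20% with it.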
III REQUIREMENTS FOR COMMUNICATION SECURITY
Communication security is often described in terms of confidentiality, integrity, authentication and non-repudiation of transmitted data. These security services are in turn implemented by various mechanisms that are usually cryptographic in nature. In addition there is confidentiality of traffic (i.e. whether or not communication is taking place), of location (where the communicating parties are located) and of the communicating parties' addresses, all of which are important for privacy. A casual level of security is usually provided implicitly even without taking any extra measures. For example, in order to eavesdrop on a particular person's mobile phone conversations the eavesdropper has to be located in physical proximity to the person and carry special radio equipment, which in itself represents a certain level of protection. Casual authentication between mobile phone users is indirectly provided by the calling and called party numbers. In the case of voice telephony, authentication results from recognizing the other person's voice.
Cryptography on the other hand gives the possibility of designing strong security services but often creates inconveniences when using the application. The use of cryptography therefore makes most sense for sensitive applications. When strong cryptographic security mechanisms are in place, the remaining vulnerabilities are usually due to poor management and operation and not to weaknesses in the cryptographic algorithms themselves.
Confidentiality of transmitted data can be provided by encrypting the information flow between the communicating parties, and the encryption can take place end-to-end between the communicating parties or alternatively on separate legs of the communication path. In GSM networks, for example, only the radio link between the mobile terminal and the base station is encrypted, whereas the rest of the network transmits data in clear text. Radio link confidentiality in GSM is totally transparent from the user's point of view. Mechanisms for implementing confidentiality of traffic, location and addresses will depend on the technology used in a particular mobile network.
Authentication of transmitted data is an asymmetric service, meaning for example that when A and B are communicating, the authentication of A's data by B is independent from the authentication of B's data by A. The types of authentication available will depend on the security protocol used. In the Internet, for example, SSL allows encryption with four different authentication options:
Server authentication only,
Client authentication only,
Both server and client authentication, or
No authentication, i.e. providing confidentiality only.
Non-repudiation is similar to authentication in that it is an asymmetric security service. A simple way to describe the difference between authentication and non-repudiation is that with authentication the recipient himself is confident about the origin of a message but would not necessarily be able to convince anybody else about it, whereas for non-repudiation the recipient is also able to convince third parties. Digital signature is the mechanism used for non-repudiation.
Cryptographically speaking, a message's authentication code and non-repudiation code can be identical, and the difference between the two services might depend only on the key distribution. In general, if a signature verification key has been certified by a trusted third party, the corresponding digital signature will provide non-repudiation, whereas it can only provide authentication if the key has simply been exchanged between the two communicating parties.
Different parties will have different interests regarding authentication and non-repudiation services. Network operators are interested in authenticating the users for billing purposes and to avoid fraud. Users and content service providers are interested in authenticating each other and might also be interested in authenticating the network service provider. How and where in the network authentication services are implemented will depend on the technology used and the business models involved.
IV SECURITY ACROSS HETEROGENEOUS NETWORKS
Network architectures are based on protocol layers that represent an abstract way of modeling and implementing data transmission between communicating parties. The usual protocol architecture consists of 5 layers as illustrated in Figure 1 below.
Figure 1: Communication protocol layers
In reality, no data are directly transferred between adjacent layers on opposite sides. Instead, data and control information are passed down through the interfaces between the protocol layers on one side and up through the interfaces between the protocol layers on the other side. The physical data transmission actually takes place through a physical medium underneath the physical protocol layer.
V IMPACT OF AUTHENTICATION ON SECURITY AND QOS
Authentication in wireless networks is a process to identify MUs and to negotiate credentials for communications. In challenge/response-based authentication, a user is identified through a security association (SA) shared with an authentication server; the SA is a trust relationship with many parameters such as keys and algorithms for secure services. During the process, the server sends a challenge value, a random number, to the user for encryption, and verifies the returned value, called the response value, with decryption. In a foreign network, a visiting MU sends an authentication request to an access point (AP). The AP relays the request to a local authentication server (LAS), which only takes charge of authentication for visiting MUs from foreign networks. If the LAS has no information to verify the MU, it contacts the home authentication server (HAS) of the MU through the authentication architecture. An HAS is an authentication server that identifies the MUs who subscribe to the service in its network, and an authentication architecture is composed of many authentication servers that share SAs with the LAS and HAS. If the request is an inter-domain authentication request, the HAS sends a registration request to the MU's home agent (HA), which maintains the current location of the MU, to update the MU's location.
A) Intra-domain handoff authentication: When an MU crosses the boundary of subnets in the foreign network domain with an on-going service, an intra-domain handoff authentication is initiated. Since there is an on-going communication session between the MU and an AP, one session SA exists between the MU and the LAS in the visited network domain. The MU encrypts the challenge value using the SA shared with the LAS and replies with the response value to the LAS. After decrypting the replied value and comparing it with the original challenge value, the LAS authenticates the MU when the decrypted value matches the original challenge value.
B) Session authentication: When an MU starts a communication session in a subnet of a foreign network, a session authentication is initiated. At this time, no session SA exists between the MU and the AP. Thus, it is necessary to contact the HAS of the MU for authentication. As shown in Fig. 2.B, when an LAS receives the authentication request, it sends a challenge value to the MU. The MU encrypts the challenge value with the SA shared with the HAS and replies with the response value to the LAS, which relays the challenge and response values to the HAS of the MU for verification because it lacks an SA with which to decrypt the response value. After authentication at the HAS, the secret credentials, such as keys to protect the communication, may be generated and sent to the LAS.
C) Inter-domain handoff authentication: When an MU crosses the boundary between different foreign network domains with an on-going service, an inter-domain handoff authentication occurs. Without an existing SA between the MU and the LAS, the signaling diagram shown in Fig. 2.C is similar to that of session authentication, except that the MU needs to register with its HA via the HAS, because we assume that the MU needs registration when it crosses the boundary between different network domains.
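The three flows above, written out as an added runnable model (not code from the essay or from any of its references). Assumptions: a shared SA is modelled as an HMAC-SHA256 key and the "encrypted challenge" as the HMAC of the challenge under that key; the session key the HAS hands to the LAS is derived with a second HMAC; all keys and names are constructed.

```python
import hmac
import hashlib
import secrets

# Constructed model of the page's challenge/response flows (Fig. 2.A/B/C). Assumption:
# a shared SA is an HMAC-SHA256 key; the "encrypted challenge" is its HMAC under that key.

class AuthServer:
    """LAS or HAS: holds the SAs (keys) it shares with MUs."""
    def __init__(self, name):
        self.name = name
        self.sas = {}                      # mu_id -> shared key

    def challenge(self):
        return secrets.token_bytes(16)     # random challenge value

    def verify(self, mu_id, chal, resp):
        key = self.sas.get(mu_id)
        if key is None:
            return None                    # no SA: cannot verify locally
        expected = hmac.new(key, chal, hashlib.sha256).digest()
        return hmac.compare_digest(expected, resp)

class MobileUser:
    def __init__(self, mu_id, home_key):
        self.id = mu_id
        self.keys = {"HAS": home_key}      # long-term SA with the home server

    def respond(self, chal, peer):
        return hmac.new(self.keys[peer], chal, hashlib.sha256).digest()

def authenticate(mu, las, has, ha, kind):
    """kind: 'intra' (Fig. 2.A), 'session' (2.B) or 'inter' (2.C).
    Returns (authenticated, list of message hops)."""
    hops = ["MU->AP->LAS: authentication request"]
    chal = las.challenge()
    hops.append("LAS->MU: challenge")
    if kind == "intra":                    # session SA with the LAS exists
        resp = mu.respond(chal, "LAS")
        hops.append("MU->LAS: response (session SA)")
        ok = las.verify(mu.id, chal, resp)
    else:                                  # no SA with this LAS: go to the HAS
        resp = mu.respond(chal, "HAS")
        hops.append("MU->LAS: response (home SA)")
        hops.append("LAS->HAS: relay challenge + response")
        ok = has.verify(mu.id, chal, resp)
        if ok and kind == "inter":         # page: registration at the HA
            ha[mu.id] = las.name
            hops.append("HAS->HA: registration / location update")
        if ok:                             # HAS derives session credentials
            skey = hmac.new(has.sas[mu.id], b"session" + chal, hashlib.sha256).digest()
            las.sas[mu.id] = skey          # LAS now shares a session SA
            mu.keys["LAS"] = skey
            hops.append("HAS->LAS: session credentials")
    return ok is True, hops

def demo():
    home_key, ha = secrets.token_bytes(32), {}           # constructed subscription key
    has, mu = AuthServer("HAS"), MobileUser("mu1", home_key)
    has.sas[mu.id] = home_key
    las1, las2 = AuthServer("LAS1"), AuthServer("LAS2")
    return (authenticate(mu, las1, has, ha, "session"),   # Fig. 2.B
            authenticate(mu, las1, has, ha, "intra"),     # Fig. 2.A
            authenticate(mu, las2, has, ha, "inter"), ha) # Fig. 2.C
```

Running demo() shows the extra LAS-to-HAS hop (and the HA registration for the inter-domain case) that the text identifies as the source of the added authentication delay.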
Figure 2: Challenge/Response Authentication in Public Wireless Access Networks. (A) Intra-domain Handoff Authentication; (B) Session Authentication; (C) Inter-domain Handoff Authentication.
Authentication Impact on QoS Metrics
Besides its effect on security, authentication also influences QoS metrics such as authentication delay, call dropping probability and throughput of communications. The authentication delay is defined as the time from when the MU sends out an authentication request to when the MU receives the authentication reply. During this authentication delay, no data for the on-going service can be transmitted, which may interrupt the connection. Therefore, the call dropping probability may increase because of an extended authentication delay.
Figure 3. Architecture of Authentication in Wireless Networks.
Authentication in wireless networks has great effects on both security and quality of service metrics such as authentication delay, call dropping probability, and throughput. In order to improve the security and performance of wireless networks, it is necessary to analyze the effects of authentication on both security and QoS metrics by taking mobility and traffic patterns into account.
VI SYSTEM ARCHITECTURE
A scenario is assumed in which an MU roams into foreign network domains. The intra-domain handoff authentication, session authentication, and inter-domain handoff authentication in foreign networks are illustrated in Fig. 2.A, 2.B, and 2.C, respectively.
1) Mobility pattern:
The mobility pattern of an MU is represented by the residence time of the MU in one subnet, denoted as $T_r$. $T_r$ is a random variable and the probability density function (PDF) of $T_r$, denoted as $f_{T_r}(t)$, is a Gamma distribution with mean $1/\mu_r$ and variance $V$. Then, the Laplace transform of $f_{T_r}(t)$, $F_r(s)$, is:
$$F_r(s) = \left(\frac{\mu_r\gamma}{s + \mu_r\gamma}\right)^{\gamma}, \quad \text{where } \gamma = \frac{1}{V\mu_r^{2}} \qquad \text{(eq. 1)}$$
The PDF of the residence time in a network domain, denoted as $f_{T_M}(t)$, can be expressed with a Laplace transform $F_M(s)$ as:
The mean value of the residence time in this network domain, denoted as $T_M$, can be expressed as:
$$T_M = -\left.\frac{\partial F_M(s)}{\partial s}\right|_{s=0} = \frac{M+1}{2\mu_r} \qquad \text{(eq. 3)}$$
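A worked check of eq. 1 and eq. 3, added here and not part of the original essay, using the page's own symbols. The form of $F_M(s)$ is an assumption (the residence time in a domain is the sum of $K$ independent subnet residence times with $K$ uniform on $\{1,\dots,M\}$); it is the natural choice that reproduces eq. 3.

Write $a = \mu_r\gamma$, so $F_r(s) = \left(\frac{a}{s+a}\right)^{\gamma}$. The first two derivatives at $s = 0$ give the moments of $T_r$:
$$E[T_r] = -\left.\frac{\partial F_r}{\partial s}\right|_{s=0}
 = \left.\gamma\left(\frac{a}{s+a}\right)^{\gamma-1}\frac{a}{(s+a)^{2}}\right|_{s=0}
 = \frac{\gamma}{a} = \frac{1}{\mu_r}$$
$$E[T_r^{2}] = \left.\frac{\partial^{2} F_r}{\partial s^{2}}\right|_{s=0}
 = \frac{\gamma(\gamma-1)}{a^{2}} + \frac{2\gamma}{a^{2}} = \frac{\gamma(\gamma+1)}{a^{2}}$$
$$\mathrm{Var}[T_r] = \frac{\gamma(\gamma+1)}{a^{2}} - \frac{\gamma^{2}}{a^{2}} = \frac{\gamma}{a^{2}} = \frac{1}{\gamma\mu_r^{2}} = V
 \quad\Longleftrightarrow\quad \gamma = \frac{1}{V\mu_r^{2}}$$
so the shape parameter in eq. 1 is exactly the one that matches the stated mean and variance.

Under the assumption above, the domain residence time is $T_M = \sum_{k=1}^{K} T_r^{(k)}$ with $P(K = k) = 1/M$, and the Laplace transform of a sum of independent variables is the product of their transforms:
$$F_M(s) = \frac{1}{M}\sum_{k=1}^{M} F_r(s)^{k}, \qquad
T_M = -\left.\frac{\partial F_M}{\partial s}\right|_{s=0}
 = \frac{1}{M}\sum_{k=1}^{M} k\,F_r(0)^{k-1}\cdot\frac{1}{\mu_r}
 = \frac{1}{M}\cdot\frac{M(M+1)}{2}\cdot\frac{1}{\mu_r} = \frac{M+1}{2\mu_r}$$
using $F_r(0) = 1$, which is eq. 3.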
2) Traffic pattern:
The call arrival rate and call duration time are used to indicate traffic patterns. The PDFs of the call inter-arrival time and call duration time, denoted as $f_{T_A}(t)$ and $f_{T_d}(t)$ respectively, become:
VII. PERFORMANCE EVALUATION
1) Computing Average Authentication Delay:
The authentication delay is defined as the time from when an MU sends an authentication request to when the MU receives the authentication reply.
2) Average Call Dropping Probability during Authentication:
When an extended waiting time for authentication is induced and exceeds a threshold time, the connection will be broken. On the other hand, even if the authentication delay is small and the MU is a valid user, an authentication failure may happen regardless of the security level because of damaged credentials caused by transmission errors, packet drops at queues, attacks by intruders, or software application failures. Therefore, the call dropping probability is defined as the probability that the service of an MU is dropped during one authentication operation because of either an extended authentication delay or an authentication failure.
Let $P(i)$ denote the average call dropping probability at security level $i$; it can be written as:
VIII RESULTS ANALYSIS AND CONCLUSION
The effects of the mobility pattern on the authentication delay and call dropping probability are shown in the figures below:
Figure 4. Authentication Time vs. Residence Time in a Subnet.
The effect of authentication on the call dropping probability is shown in Fig. 4. The call dropping probability increases with the residence time of an MU in a subnet. When the residence time of an MU in a subnet increases, the arrival rate of intra-domain handoff authentication requests decreases.
Figure 5. Call Dropping Probability vs. Residence Time in a Subnet.
It is observed that the characteristics of mobile networks can make it both harder and easier to implement communication security compared to, for example, the Internet. Communication between mobile and fixed networks creates particular problems for security protocol design. Mobile devices usually have a poor user interface, thereby creating problems for the usability of security. The observations made reveal the impact of authentication on security and quality of service (QoS) in combination with mobility and traffic patterns, which are critical to delivering secure and efficient services in wireless IP networks. A quantitative analysis of security and quality of service, which is of great importance for the adaptation of new security solutions to various mobile environments, is also realized.
REFERENCES
[1] A. Arumugam, A. Doufexi, A. Nix, and P. Fletcher, "An Investigation of the Coexistence of 802.11g WLAN and High Data Rate Bluetooth Enabled Consumer Electronic Devices in Indoor Home and Office Environments," IEEE Transactions on Consumer Electronics, vol. 49, pp. 587-596, August 2003.
[2] L. Salgarelli, M. Buddhikot, J. Garay, S. Patel, and S. Miller, "Efficient Authentication and Key Distribution in Wireless IP Networks," IEEE Wireless Communications (special issue on The Evolution of Wireless LANs and PANs), vol. 10, pp. 52-61, December 2003.
[3] P. Calhoun, J. Loughney, E. Guttman, G. Zorn, and J. Arkko, "Diameter Base Protocol," draft-ietf-aaa-diameter-17.txt, December 2002.
[4] S. Jacobs, "Mobile IP Public Key Based Authentication," 1999.
[5] C. Perkins and P. Calhoun, "Mobile IPv4 Challenge/Response Extensions," RFC 3012, November 2000.
[6] R. Anderson, Security Engineering, Wiley, 2001.
[7] T. Dierks and C. Allen, "The TLS (Transport Layer Security) Protocol, Version 1.0," RFC 2246, IETF, 1999. URL: http://www.ietf.org/rfc/rfc2246.txt
[8] W. Diffie and M. E. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644-654, 1976.
[9] H. Kim and H. Afifi, "Improving Mobile Authentication with New AAA Protocols," in IEEE International Conference on Communications, vol. 1, pp. 497-501, 2003.
[10] W. Simpson, "PPP Challenge Handshake Authentication Protocol (CHAP)," RFC 1334, August 1996.
[11] S. Shieh, F. Ho, and Y. Huang, "An Efficient Authentication Protocol for Mobile Networks," Journal of Information Science and Engineering.
[12] W. Liang and W. Wang, "A Cost-Aware Control Scheme for Efficient Authentication in Wireless Networks," in 15th IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC'04), December 2004.
[13] B. Aboba and D. Simon, "PPP EAP TLS Authentication Protocol," RFC 2716, October 1999.
[14] L. Dell'Uomo and E. Scarrone, "The Mobility Management and Authentication/Authorization Mechanisms in Mobile Networks beyond 3G," in 12th IEEE International Symposium on Personal, Indoor and Mobile Radio Communications, vol. 1, pp. C44-C48, September 2001.
[15] S. Glass, T. Hiller, S. Jacobs, and C. Perkins, "Mobile IP Authentication, Authorization, and Accounting Requirements," RFC 2977, October 2000.
[16] W. Stallings, Network Security Essentials: Applications and Standards, 2000.
[17] W. Wang and I. Akyildiz, "Intersystem Location Update and Paging Schemes for Multitier Wireless Networks," in Proc. of ACM/IEEE MobiCom 2000, pp. 99-109, August 2000.