Research ArticleSecurity Enhancement Using Cache Based Reauthentication inWiMAX Based E-Learning System
Chithra Rajagopal1 and Kalaavathi Bhuvaneshwaran2
1Department of Information Technology, K. S. Rangasamy College of Technology, Thiruchengode, Namakkal,Tamil Nadu 637 215, India2Department of Computer Science and Engineering, KSR Institute for Engineering and Technology, Thiruchengode, Namakkal,Tamil Nadu 637 215, India
Correspondence should be addressed to Chithra Rajagopal; [email protected]
Received 17 April 2015; Revised 17 July 2015; Accepted 28 July 2015
WiMAXnetworks are themost suitable for E-Learning through their Broadcast andMulticast Services at rural areas. Authenticationof users is carried out by AAA server in WiMAX. In E-Learning systems the users must be forced to perform reauthentication toovercome the session hijacking problem.The reauthentication of users introduces frequent delay in the data access which is crucialin delaying sensitive applications such as E-Learning. In order to perform fast reauthentication caching mechanism known as KeyCaching Based Authentication scheme is introduced in this paper. Even though the cachemechanism requires extra storage to keepthe user credentials, this type of mechanism reduces the 50% of the delay occurring during reauthentication.
1. Introduction
WiMAX networks provide broadband wireless access over adistance of 50KM with fixed subscriber station and over aradius of 5 KM to 15 KM with mobile station [1, 2]. Multicastand Broadcast Services of WiMAX make it suitable for E-Learning applications.
In the WiMAX based E-Learning system, the users canuse the system anywhere and anytime. The E-Learningusers are connected with the Base Station. The AccessService Network which comprises a group of base stationsis interconnected and controlled by Access Service NetworkGateway.The functions of the Access Service Network (ASN)Gateway include caching of E-Learning user profiles [2] androuting of data to the selected Connectivity Service Network(CSN).TheASN gateway also enables the E-Learning users toconnect with the E-Learning server through the ConnectivityServiceNetwork.TheConnectivity ServiceNetwork providesInternet connectivity to manage the sessions of E-Learningusers through multicast group management functionality.Authentication, Authorization, and Accounting Server in
Connectivity Service Network of WiMAX is responsible forauthenticating the E-Learning users.
The open source E-Learning system such as MOODLE[3] is susceptible to session hijacking problem. E-Learningsystem discussed in [3] is also susceptible to man in themiddle attack. The Personalized E-Learning system usingSOA [4] does not address the security of the web services. E-Learning service using multiple biometric mechanisms [5, 6]addresses the initial authentication of users and does notfocus on the security issues during the session management.The user name and password based profile questions areaddressed in [7] to improve the authentication in onlineexamination. However, the system is susceptible to securityissues such as session hijacking. Intrusive and low-resourcesintensive approach [8] based on student verification to detectpresence of the student does not address the need to performverification during the intermediate session. The authentica-tion protocol for E-Learning in [9] forces the user to performfull authentication process at every time of reauthentication.
In order to overcome the security problems in E-Learningsystems the users are forced to perform reauthentication.
Hindawi Publishing Corporatione Scientific World JournalVolume 2015, Article ID 878327, 6 pageshttp://dx.doi.org/10.1155/2015/878327
2 The Scientific World Journal
When the users are forced to perform reauthenticationprocess, the user credentials are verified and authenticatedfor a short period of time so the integrity of the application ispreserved. The frequent reauthentication process introducesdelay in accessing the application. An authentication protocolwhich performs reauthentication process with minimumdelay is needed.
In this paper, cache based authentication protocol isproposed to support the authentication process with reduceddelay. The user credentials during the initial authenticationare cached at the Access Service Network Gateway to supportfaster reauthentication.
This paper consists of the following sections, Section 2contains the proposed system architecture and Section 3provides information about the system performance. InSection 4 conclusion is discussed.
2. Proposed System Architecture
In the proposedWiMAX based E-Learning system, the Con-nectivity Service Network of WiMAX provides the Internetconnectivity to connect with the E-Learning server.The usersof the E-Learning system are connected with the Base Stationusing subscriber station. Figure 1 represents the proposedarchitecture of E-Learning system using WiMAX.
Every user must be authenticated before accessingthe WiMAX network. The Authentication AuthorizationAccounting (AAA) Server is responsible for authenticatingthe user. Initially the E-Learning users forward the username,password, nature of the service, duration of the neededservice, and subscriber station MAC address as the initialattributes for authentication. The AAA server of WiMAXverifies these attributes and authenticates the E-Learningusers by providing the Authentication Key (AuK), SessionKey (SK), and Session Key Lifetime (SKlife) using SessionBased Authentication Protocol.These attributes are cached atthe ASN Gateway controlling the appropriate Base Station.
To improve the security in WiMAX based E-Learningsystem, the users of E-Learning systems are forced to performreauthentication after a predetermined period of time. Thereauthentication process requires frequent message transferand repeated authentication process between the same userand the authentication server. To support fast reauthentica-tion, the information such as mobile station MAC address,Base Station MAC address, Authentication Key, Session Key,Lifetime of the Session Key, and the unique identifier SKIDis cached at the Access Service Network Gateway during theinitial authentication. In the reauthentication process the usersends reassociation requests with its Session Key, SKID alongwith the timestamp of authentication to the Base Station.TheBase Station forwards the request to the ASN gateway. TheASN gateway generates the Session Key Identifier (SKIDnew)using the user information cached at its location and verifiesthe generated SessionKey Identifier (SKIDnew)with the SKIDin the reassociation request. During the calculation of SessionIdentifier the timestamp of authentication is included as oneof the attributes.
When the session key identifiers are identical, the user isallowed to communicate with the ASN gateway by sending
E-Learning server
Authentication server
Base Station 2Base Station 1 Base Station 3
Figure 1: Proposed WiMAX based E-Learning system.
reassociation request. The ASN gateway verifies the type ofthe user along with the nature of request. If the request isfrom the existing user, new Session Key is generated andcommunicated to the user using Session Key updatemessage.This key update procedure requires only four-way handshakemessage. Simultaneously the timestamp representing thetime of reauthentication is updated in the cache.
The Session Key Identifier (SKID) for each E-Learninguser can be calculated by applying the Secured Hash Algo-rithm (H) with the attributes represented in the followingequation:
SKID = H [SK |MAC BS|MAC SS |U ID|TS] . (1)
In (1), SK is Session Key of the user, MAC BS is the MACaddress of the Base Station, MAC SS is the MAC address ofthe subscriber station used by the E-Learning user, U ID isthe identity of user, and Ts is the timestamp at which the useris authenticated.
Theusage of timestampprovides the additional identity ofthe user. Amalicious user requesting the reassociation servicedoes not possess the time at which it is authenticated, so thesystem is protected from the man in the middle attack. Thereassociation request is initially handled by the ASN gatewayof WiMAX network, so the unnecessary reauthenticationrequests from the users are discarded at the ASN gateway,protecting the E-Learning system from Denial of ServiceAttack.
The proposed authentication protocol performs fast reau-thentication process with minimum number of messagetransfers between the E-Learning user and the authenticationserver using four-way handshake messages.
The four-way handshake message is used to update newSession Key to the E-Learning user during reauthenticationprocess. Figure 2 represents the message exchanges duringreauthentication process with the four-way handshake.
During reauthentication the ASN gateway is responsiblefor verifying the user and after identifying legitimate existinguser, new Session Key is updated to the user along with thetimestamp representing the time at which the reauthentica-tion is performed.Thus, the delay during the reauthenticationprocess is reduced. The repeated reauthentication processprotects the system from session hijacking problems where
The Scientific World Journal 3
ASN gatewayEAP success EAP success
ACK
Generate SKnew
Generate SKIDnew
4-way handshakeVerification success (SKID)
SKnew,TSi
User Authentication server
Reassociation (SKID, TSi ,NSi)
Figure 2: Handshake messages in reauthentication process.
another user impersonates and utilises the service. The pro-posed Session Based Cache Scheme enabling authenticationis presented in the following section.
2.1. Session Based Key Caching Scheme. In this section,proposed caching mechanism at ASN gateway for rapidreauthentication of E-Learning users is discussed. This typeof caching technique can be used with fixed E-Learningusers connected with the Base Station. In this scheme theuser information exchanged during the initial authenticationis cached at the ASN gateway followed by forwarding therequest to the authentication server. During the reauthentica-tion process, the user verification is done at the ASN gatewayand it is used only for updating the Session Key.This cachingscheme reduces the number of redundant message transfersbetween the E-Learning user and the authentication server atthe time of reauthentication.
The attributes used in the algorithm are as follows:
𝐶𝑖: context information about user identity,
SKSA𝑖: security information of the E-Learning user
𝑖
such as session identity and Authentication Key,SID: identity of the session,Sessionlife: duration of the session,Count: number of times at which the reauthenticationis performedASNGci: cache available at the Access Service Net-work Gatewayci,AS: Authentication, Authorization, and AccountingServer,AT: authentication table, representing the authenti-cation table available at the server with each entryrepresenting the user information,TS𝑖: timestamp, representing the time at which the
user𝑖is reauthenticated,
Sessiontimeout: expired session due tomaximum num-ber of reauthentication processes.
The functions used in the algorithm are as follows.
Cache Notify (𝐶𝑖, SKSAi, SID, 𝑆𝑒𝑠𝑠𝑖𝑜𝑛𝑙𝑖𝑓𝑒, TSi). At the time of
initial authentication this message is used by authentication
server to maintain the cache maintenance at ASN gateway. Itenables caching of information such as user identity, securityassociation information, session information, and time atwhich the client is authenticated.
Insert Cache (Ci, SID, 𝑆𝑒𝑠𝑠𝑖𝑜𝑛𝑙𝑖𝑓𝑒𝑡𝑖𝑚𝑒, ASNGi, TSi). This mes-sage is issued after the successful reauthentication, to updatethe authentication time and count attributes at the cache andalso in the authentication table.
Cache Update (ASNGi, Ci, SID, 𝑆𝑒𝑠𝑠𝑖𝑜𝑛𝑙𝑖𝑓𝑒). This message isissued when the cache is full. The session entry with leastduration of session is replaced with the new entry. Thismessage is cascaded with the AT Update message to updatethe corresponding entry in the authentication table to avoidthe future reference to the same cache entry.
Delete Session Entry (Ci, SID, 𝑆𝑒𝑠𝑠𝑖𝑜𝑛𝑡𝑖𝑚𝑒𝑜𝑢𝑡). This message isperiodically issued to improve the cache hit ratio, by deletingthe expired session in the cache.
AT Update (Ci, SID, 𝑆𝑒𝑠𝑠𝑖𝑜𝑛𝑡𝑖𝑚𝑒𝑜𝑢𝑡). This message is usedto update the user information in the authentication tablemaintained at the authentication server. After the receipt ofthe message the server performs the initial authenticationevenwhen the already authenticated user sends the reauthen-tication requests.
The proposed cache based authentication algorithm isrepresented in Algorithm 1.
In this algorithmat initial network entry time, E-Learninguser identity is verified and acknowledged with authenti-cation and Session Key, Traffic Encryption key using AAAserver. So the new user can use the services of WiMAXnetwork for E-Learning. When the same user requests reau-thentication the ASG gateway verifies the user identity andforwards the updated Session Key and timestamp TS
𝑖to the
user.
2.2. Least Session Based Cache Replacement Algorithm.In the Least Session Based Replacement Algorithm(see Algorithm 2), the entry in the cache which has least timeof expiry in the session duration is evicted from the cache andreplaced with the new user entry. The session replacementis done using the Cache Update message generated by
4 The Scientific World Journal
CEAP AuthenticationPrecondition: Every user transfers timestamp and nonce along with its identity in the request message.Input: 𝑇ES,𝑁ES, SKIDOutput: SK, SKnew, TEKBegin(1) While all users are authenticated(2) If initial authentication request //new user request(3) If 𝑇ES == 𝑇BS and𝑁ES ==𝑁BS //user verification
Forward the session key SK, AuK, TEK to user𝑖
If free cache block //cache the session at ASNG𝑖
Store the SK, SKID, SKSA𝑖, Sessionlife,TS𝑖 in cache
If no cache blockSend Replace (𝐶
𝑖, SKSA, SID, Sessionlife, TS𝑖, ASNG𝑖) to ASNG𝑖
End IfEnd If
(4) If re-authentication request //existing user requesting re-authentication(5) Compute the SKIDASNG𝑖(6) If SKID == SKIDASNG𝑖 //cached user verification
If SID in AT and count ≤ 6 //not a expired sessionForward new session key SKnew to userUpdate TS
𝑖and count
(7) If invalid user requestGot to step (3) //perform full authentication
End IfEnd IfEnd If
End
Algorithm 1: Proposed Cache Based EAP Authentication Algorithm.
ReplaceAssumption: all cache blacks are occupied by user session informationInput: 𝐶
𝑖, SKSA
𝑖, SID, Sessionlife, TS𝑖, ASNG𝑖
Output: Updated cache at ASNG𝑖
Begin(1) while cache block id != max //check each cache entry
(1.1) If Sessionlife ≥max or count > 6 //old session(1.2) Evict the entry //delete the entry from cache
(2) store the user session at ASNG𝑖
(3) update Timestamp TS𝑖in AT //update authentication table
End IfEnd
Algorithm 2: Least Session Based Cache Replacement Algorithm.
the corresponding ASN gateway. For maintaining theconsistency between the server and the cache, the messagesdiscussed in the previous section are used.
E-Learning user credentials are to be replaced efficientlyso that the cache hit during reauthentication can be improved.When the cache hit ratio increases, the latency in reau-thentication is reduced. In the Least Session Based CacheReplacement Algorithm the cache items with maximumnumber of access trails for reauthentication process arereplaced with new user credentials. The users of the sessionwith least lifetime may not request reauthentication. Thecache entries with minimum active lifetime are also selected
for eviction using the Sessionlife, counting attributes in theproposed cache replacement algorithm.
3. Performance Evaluation
The proposed system is simulated with the NS-3 simulator.The simulation is performed with different traffic loads. Therequest for authentication can be from different categoriesof the E-Learning users such as for online learning, e-seminar. The performance of the system is evaluated basedon latency in authentication, latency with various cache sizes.The latency in authentication is evaluated by simulating the
system with three hundred E-Learning users with varyingnumbers of base stations and also with a cache size of 200GB.The system with different cache sizes is also simulated withthree hundred E-Learning users.
The experiment is conductedwith theminimumdurationof three hours per session consisting of six modules. Themaximum duration of each module is designed with thirty-minute duration [10]. So the allowable limit for reauthentica-tion is calculated using the following mathematical model.
Let 𝛿 be the probability that a user requests reauthentica-tion before the session expires.
Let 𝑇𝑛be the time at which the user request for re-
authentication.Let 𝑇 be the duration of the session.Let 𝑇𝑝be the session cache period.
Using the residual life theorem [11], the 𝑇𝑛has the
exponential distribution with fixed duration of the session 𝑇with the duration as 0 ≤ 𝑇
𝑛≤ 𝑇; then 𝛿 is represented as
𝛿 = 𝑃 [𝑇𝑛≤𝑇𝑝] = ∫𝑇
𝑇𝑝=0
1
𝑇∗ (∫𝑇𝑝
𝑇𝑛=0
𝜇𝑒−𝜇𝑇𝑛𝑑𝑇
𝑛)𝑑𝑇𝑝
= ∫𝑇
𝑇𝑝=0
1
𝑇[1 − 𝑒−𝜇𝑇𝑝] 𝑑𝑇
𝑝=
1𝑇[𝑇+ 𝑒
−𝜇𝑇−1𝜇] .
(2)
For the duration of three hours the probability that a user canbe successfully reauthenticated using the cache is representedwith Table 1.
Table 1 represents that the six reauthentication processesof E-Learning consisting of three-hour session can be han-dled effectively. So in the proposed algorithm the number oftimes at which the reauthentication can be handled (count) istaken as six.
3.1. Authentication Latency. EAP based authentication pro-tocol provides less authentication delay at the initial stage. Asthe session time is prolonged the number of user requests forauthentication also increases. The load on the authenticationserver increases. The reauthentication cannot be supportedwith the expected time of users. So the performance of theEAP based authentication protocol is not suitable for E-Learning. In the proposed CEAP authentication protocol,cache is used to store the user information at initial authen-tication. When a user requests reauthentication, the usercredentials are verified with the cache. Instead of using theauthentication for updating the Session Key, ASN gatewayperforms the key updates with few message transfers. The
Late
ncy
(ms)
Number of base stations2 4 6 8 10 12
2
1.5
1
0.5
0
EAPProposed CEAP
Cache size: 200GBUsers: 300
Figure 3: Authentication latency.
graph represented in Figure 3 represents the proposed pro-tocol and even when the loads on the system increase theusers are served with the minimum delay. The latency forreauthentication in the proposed protocol is reduced by 50%when compared with the EAP based authentication protocol.
3.2. Cache Access Latency. The latency in authentication isalso affected with the time needed to locate the E-Learninguser entry in the cache. The user request for reauthenticationcan be served with the minimum delay only when theuser credentials are available in the cache. When a frequentcache miss occurs then the user is requested to performthe full authentication with the authentication server whichtakes more time for authentication. The cache replacementalgorithm plays a major role in providing authentication withminimum latency.The proposed system is implemented withMost Frequently Used Cache Replacement Algorithm andthe Least Session Based Cache Replacement Algorithm withdifferent cache sizes (Figure 4).
In the Most Frequently Used Cache Replacement Algo-rithm, the count ismaintained formaintaining the number oftimes of reauthentication in a particular session.When countexceeds threshold the user entry is selected for replacement.The system implemented with Least Session Based CacheReplacement Algorithm requires that the session with theleast time of expiration is evicted and updated with new userentry. In comparison with MFU replacement algorithm, theLeast Session BasedCache ReplacementAlgorithmhas bettercache hit rate during the reauthentication of E-Learningusers.
4. Conclusion
In this paper, cache based authentication protocol is usedto perform secure reauthentication in WiMAX E-Learningapplications. When compared with the existing EAP basedauthentication protocol, the proposed protocol achieves
6 The Scientific World JournalCa
che h
it ra
tio (%
)
Cache size (GB)200 400 600 800 1000 1200 1400
14
12
10
8
6
4
2
0
CEAP (LSB)CEAP (MFU)
Users: 300
Figure 4: Cache Access Latency.
better performance by reducing the delay occurring duringthe repeated reauthentication process. The delay is furtherreduced with the efficient use of Least Session Based CacheReplacement Algorithm.
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper.
Acknowledgment
This research has been supported by funding from Fund forImprovement of Science and Technology (DST-FIST).
References
[1] IEEE 802.16 Working Group, “IEEE standard for local andmetropolitan area networks, part 16: air interface for fixedbroadband wireless access systems,” IEEE Standard 802.16-2004, 2004.
[2] IEEE 802.16 Working Group, “IEEE Standard for Local andMetropolitan Area Networks, part 16: air interface for fixed andmobile broadband wireless access systems, amendment 2: phys-ical and medium access control layers for combined fixed andmobile operation in licensed bands,” IEEE Standard 802.16e-2005, 2006.
[3] C. Floyd, T. Schultz, and S. Fulton, “United States Air ForceAcademy Security Vulnerabilities in the open source MoodleeLearning system,” in Proceedings of the 16th Colloquium forInformation Systems Security Education, Lake Buena Vista, Fla,USA, June 2012.
[4] K. Palanivel and S. Kuppuswami, “A scalable reference archi-tecture to personalized E-learning systems using SOA,” Interna-tional Journal of Advanced Technology & Engineering Research,vol. 144, 2014.
[5] K. Palanivel and S. Kuppuswami, “Reference architecture forpersonalized E-learning systems using proxy and caching
(RAPESPAC),” International Journal of Computer Applications,vol. 38, no. 10, pp. 17–26, 2012.
[6] S. Asha and C. Chellappan, “Authentication of e-learners usingmultimodal biometric technology,” in Proceedings of the IEEEInternational Symposium on Biometrics and Security Technolo-gies, 2008.
[7] A.Ullah,H. Xiao, andM. Lilley, “Profile based student authenti-cation in online examination,” inProceedings of the InternationalConference on Information Society (i-Society ’12), pp. 109–113,IEEE, London, UK, June 2012.
[8] K. M. Apampa, G. Wills, and D. Argles, “An approach topresence verification in summative e-assessment security,” inProceedings of the International Conference on InformationSociety (i-Society ’10), pp. 647–651, June 2010.
[9] C. Rajagopal and K. Bhuvaneshwaran, “Secured session basedauthentication protocol for E-learning using WiMAX net-works,” International Journal of Advancements in ComputingTechnology, In press.
[10] http://elearnmag.acm.org/archive.cfm?aid=1291532.[11] S.M. Ross, Stochastic Processes,Wiley, Hoboken, NJ, USA, 1996.
