Mutual Preimage Authentication for fast Handover in Enterprise Networks

Andreas Noack, Mark Borrmann

The 5th International Symposium on Information Security (IS'10), Greece, 2010


Wireless enterprise networks with a central authentication server are very common in companies due to their simple serviceability. Roaming between wireless cells of these enterprise networks usually results in connection interrupts because of long authentication times, which are very negative for near realtime communication like VoIP calls. Fast handover in enterprise networks demands therefore a fast authentication and key exchange protocol.

We propose an extensible authentication protocol (EAP) for this purpose that is explicitely optimized to reduce authentication times, while still providing a high security level. The "Mutual Preimage Authentication" (MPA) protocol offers a secure authentication of both sides and a secure key agreement with only two cryptographic messages and symmetric cryptography. Even more, the MPA protocol provides non-repudiation for the authentication process.

Our contribution includes a formal security proof under an enhanced Canetti-Krawczyk (eCK) based security model and a practical performance analysis on the basis of a proof-of-concept implementation, where we demonstrate the efficiency of our protocol in comparison with common efficient EAP protocols.

Tags: Enterprise, Extensible Authentication Protocol, Handover, RADIUS, Roaming, Wireless networks