Improving Cross-domain Authentication overWireless Local Area Networks

As mobile users cross the border of two adjacent domains with on-going sessions, their re-authentication causes a significant impact on inter-domain handoff latency as it requires remote contact with the authentication server across domains, making it difficult to employ current authentication protocols. This paper focuses on the cross-domain authentication over wireless local area networks (WLANs) that minimizes the need for remote access. We analyze the security requirements suggested by the IEEE 802.11i authentication standard, and consider additional requirements to help reduce the authentication latency without compromising the level of security. We propose an enhanced protocol called the Mobility-adjusted Authentication Protocol (MAP) that performs mutual authentication and hierarchical key derivation with minimal handshakes, relying on symmetric cryptographic functions. We also present security context nodes (SCNs) that handle security contexts in conjunction with MAP, which allows for avoiding continuous remote contact with the home authentication server. In contrast to Kerberos which favors inter-realm authentication, MAP achieves a 26% reduction of authentication latency without degrading the level of security.