In a WMN, client devices or clients (e.g. computers or mobile phones) are directly connected to respective access points (APs), as shown in FIG. 1. Throughout the following, the expression “AP” is used to designate any node that can provide access for users. It can be, for example, a Wireless Fidelity (WiFi) AP, or a Worldwide Interoperability for Microwave Access (WiMAX), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), Universal Mobile Telecommunications System (UMTS) or Global System for Mobile communication (GSM) base station (BS). In a WMN, the AP can have both an access function and a backhauling function; such an AP is also called a Mesh AP (MAP). The backhauling functions of APs serve to mesh with other backhauling nodes of the WMN. These backhauling nodes and the APs can be referred to as “mesh nodes”, since they all have mesh functions and together form a mesh network. Such wireless mesh networks have received more and more attention due to their fast deployment, low cost, and self-organizing, self-configuring and self-healing functionalities. Existing WMNs comprise IEEE 802.11 networks, ad hoc networks, and wireless sensor networks. In Long Term Evolution (LTE) of the Universal Mobile Telecommunications System (UMTS), an X2 interface has been defined for communication among enhanced base stations or enhanced Nodes B (eNBs). Here, the interconnections among eNBs essentially form a mesh network, which can be implemented by wireless or wired links.
Furthermore, in a WMN a packet is received and re-transmitted by each intermediate node (each such relay is called one hop) before it arrives at its destination. Thus the latency from source node to destination node is much larger than in the case of point-to-point (PTP) or point-to-multi-point (PMP) transmission. Large latency may impact user experience and service QoS (quality of service), especially for speech services. Multi-hop transmission may also impact security. Multi-hop may cause an even larger latency in authentication, since the authentication packet has to cross the whole WMN before it arrives at the core network. A very long authentication results in a handover or re-entry with very large latency. In short, latency is one of the important issues in WMN, since it is related both to service QoS requirements and to security topics such as authentication.
In communication systems, authentication is important to prevent sniffing by illegitimate mesh nodes, access by unauthorized users, fraudulent usage and so on. In a WMN, authentication comprises mesh node authentication, terminal authentication and user authentication. Mesh node authentication can be certificate based, while user authentication can be user name/password based. A user may log in to the network on different terminals with the same credential (e.g. user name/password). Authentication of a terminal can thus be considered as a combination of node and user authentication, which is used to ensure the validity of both the terminal and the user using this terminal.
In general, two types of authentication methods are provided: Pre-Shared Key (PSK) and 802.1x based (i.e. Extensible Authentication Protocol (EAP) based) authentication. An 802.1x based authentication system comprises three functionalities: supplicant, authenticator and authentication server (AS). The supplicant corresponds to a user, terminal or mesh node in the authentication process. The authenticator corresponds to an AP in the case of user or terminal access, or to a mesh node in the case of a new node entry, path establishment or topology update. The AS is generally implemented by an AAA (Authentication, Authorization and Accounting) server.
FIG. 2 shows an authentication procedure for a user or a terminal in a mesh network environment. When a user is trying to access the network, he sends his user name and password as credential to an AP (A) 20-1, which provides access to a first computer 12-1 or a handset terminal 11. The AP 20-1 forwards the user's credential to an authentication server (AAA server) 60 via a parent node (X) 32 through a backbone network 50. The nodes X, A and B form a very simple mesh network. The authentication server 60 stores a list of authorized user names and passwords and checks the received credential. If it finds that the user is a legitimate user, the authentication server 60 notifies the serving AP 20-1 to admit access. Otherwise, the serving AP 20-1 is notified to reject the requested access.
When the user logs off, the serving AP 20-1 should also notify the authentication server 60 to change the user's status. When the user later logs in on another terminal (e.g. a second computer 12-2) or the same terminal again, the whole authentication has to be redone via the same AP 20-1 or a new AP (B) 20-2 depending on the location of the second computer 12-2. In the above cases, the APs 20-1, 20-2 act as authenticator and the user or terminals 11, 12-1, 12-2 act as supplicant.
Thus, if a person with a WiFi handset device walks into the coverage of a neighboring WiFi AP, the authentication procedure has to start again. During the new authentication the connection is lost when e.g. WiFi Protected Access 2 (WPA2) is involved, since access is only granted as a result of a successful authentication. Thus, all layers above Layer 2 (L2) of the OSI (Open Systems Interconnection) reference model, i.e. the Internet Protocol (IP) layer and above, may be dropped, since packets cannot be transmitted during the authentication phase and the application may terminate; e.g., Voice over IP (VoIP) calls may be dropped due to the large time delay. Hence, for the terminal or user, some services, such as VoIP, may be terminated with increased probability during authentication. Moreover, for a mesh node, topology updates will be very slow, since a new link will not be opened before a successful authentication. Additionally, since authentication time is dominant in a handoff procedure, continuous higher-layer services can only be provided if authentication during handoff is fast. Since the authentication signaling exchange has to cross the whole mesh network, time delays will be even larger before authentication completes.
When the user or terminal logs on again, the whole authentication procedure must be redone, so that authentication consumes considerable radio resources and causes undesired delays if a user or terminal logs in and logs off frequently.
Additionally, it is to be noted that the authentication function is typically implemented in a single authentication server. If this server fails or is damaged, the network can no longer operate normally.
However, a connection may be lost before a successful authentication. The reauthentication process will cause large time delays, especially in case of mesh networks. Therefore, an uninterrupted voice service is hard to provide during handover.
Due to the fact that the signaling exchange will pass through the whole network, many radio resources are required and time delay may be large, since a packet has to pass many network nodes before it arrives at the authentication server. Additionally, during the forwarding procedure, it is hard to guarantee or manage the link status due to multiple hops on the link to the authentication server.
If a user is ill-disposed, e.g. he launches a replay attack, then even if the authentication server is powerful enough, many mesh nodes may be involved in forwarding the traffic from this user and may thus become congested. As a result, the network becomes vulnerable.
So far, several solutions have been proposed to achieve faster re-authentication. Cisco Centralized Key Management (CCKM) has been proposed as a protocol that enables fast re-authentication in infrastructure wireless local area networks (WLANs), whereby the APs do not have to interact with the authentication server in order to re-authenticate a station that was previously authenticated. However, CCKM has the disadvantage that it is required both in APs and in client devices. Therefore, client devices must be updated to support CCKM, which is a prohibitive requirement in WMNs that should be open to all existing terminals. Additionally, CCKM is designed only for infrastructure WLANs and does not fit the multi-hop relay environment of WMNs.
As another option, a proactive key distribution scheme, as described for example in “Proactive Key Distribution using Neighbor Graphs”, IEEE Wireless Communications, vol. 11, issue 1, February 2004, was proposed to solve the re-authentication problem during handover. By caching keys in those APs to which the user is likely to hand over, it is possible to reduce the authentication signaling and thereby the authentication time. However, the proactive key distribution scheme is unable to cooperate with all current standard authentication processes and requires modification of these existing protocols as well as of existing terminals. Moreover, it does not consider problems specific to mesh environments, such as the rules for choosing an AP in which to cache keys. Therefore it needs substantial modification for WMN use cases. Furthermore, the authentication server has to learn, by signaling exchange with the neighboring APs, which APs there are and which of them decide to cache the security keys.
As a further option, an abbreviated handshake procedure is defined in IEEE P802.11s/D2.0, March 2008, for enabling fast authentication during new link establishment. Network nodes in a small range share the same pairwise master key (PMK), so that fast authentication can be implemented by the pre-shared PMK. However, this procedure is only suitable for link establishment, and traditional authentication has to be done again if the node logs off and re-enters the network later.
Finally, the Internet Engineering Task Force (IETF) HOKEY (Handover Keying) working group has proposed a fast re-authentication procedure specified in RFC 5296, where a key-sharing authentication method is provided between the authentication server and the supplicant. Peer and server mutually verify proof of possession of keying material from an earlier EAP method run. However, again, both the supplicant and the authenticator have to be modified.
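To make the latency argument of the preceding paragraphs concrete, the following Python model (an added example, not part of the patent text) reproduces the FIG. 2 path: APs A and B hang off parent node X, which reaches the AAA server through the backbone. It computes the hop count and latency of a full 802.1x/EAP run over the mesh, the cost of repeating that run on handover to a neighboring AP, and the reduced cost when a key is already cached at the new AP, as the schemes above aim for. All link latencies, the number of EAP round trips, and the cost of the local handshake are assumed values.

```python
import heapq

# Constructed topology after FIG. 2; one-way link latencies in ms are assumed.
MESH_LINKS = {
    ("AP_A", "X"): 20,
    ("AP_B", "X"): 20,
    ("X", "backbone"): 5,
    ("backbone", "AAA"): 5,
}

def build_graph(links):
    """Undirected adjacency map: node -> {neighbour: latency_ms}."""
    graph = {}
    for (a, b), latency in links.items():
        graph.setdefault(a, {})[b] = latency
        graph.setdefault(b, {})[a] = latency
    return graph

def shortest_path(graph, src, dst):
    """Dijkstra on link latency; returns (latency_ms, hops) or None if unreachable."""
    best = {src: (0, 0)}
    heap = [(0, 0, src)]
    while heap:
        lat, hops, node = heapq.heappop(heap)
        if node == dst:
            return lat, hops
        if (lat, hops) > best.get(node, (lat, hops)):
            continue  # stale heap entry
        for nxt, cost in graph.get(node, {}).items():
            cand = (lat + cost, hops + 1)
            if nxt not in best or cand < best[nxt]:
                best[nxt] = cand
                heapq.heappush(heap, (cand[0], cand[1], nxt))
    return None

def full_authentication(graph, ap, exchanges=4, server="AAA"):
    """Latency of a full EAP run: each request/response pair between the
    authenticator (ap) and the AS crosses the mesh twice. `exchanges` is an
    assumed number of round trips. Returns (total_ms, hops) or None when the
    authentication server cannot be reached."""
    path = shortest_path(graph, ap, server)
    if path is None:
        return None
    latency, hops = path
    return 2 * latency * exchanges, hops

def handover_latency(graph, new_ap, cached_key=False, exchanges=4):
    """Re-authentication cost on moving to new_ap. With a key already cached
    there, only a local handshake remains (assumed 2 ms); otherwise the whole
    EAP run is repeated across the mesh."""
    if cached_key:
        return 2
    result = full_authentication(graph, new_ap, exchanges)
    return None if result is None else result[0]
```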