2.7.1 Message Passing
The messages described in Figure 2.10 mean the following:
• Message 1 is sent from A to C directly. The presence or participation of B is not required.
• Message 2 is sent from A to C, with B forwarding it.
• Message 3 is sent from A to C, with B forwarding it, and message 4 is sent from B to C. B may also delay sending message 3 until message 4 is ready and then send both messages at once.
2.7.2 Definition of Terms
We will use the following cryptographic primitives, of which implementations are widely available.
m1, m2 is the concatenation of m1 and m2. This is sometimes denoted m1|m2 or
m1||m2 elsewhere.
Symmetric Encryption
EK(m) is the encryption of message m using a symmetric cipher with the key K,
and DK(c) is the corresponding decryption.
Digital Signatures
sigx(m) is a signature of the contents m that was created with the private signature
creation key of entity x. It can be verified with the public signature verification key of x and knowledge of m.
sigx(m) means the signature itself, it does not include the contents m that was
signed.
sigx(m), m would include the signed contents.
sigx(m1, m2), m1 includes only one part of the signed contents.
A B C
message 1 message 2 message 3
message 4
2.7. Notations and Assumptions 39
The public signature verification key of party x is denoted PK(x).
Hash Functions
Chapter
3
Roaming in Wireless Networks
This chapter will describe a solution for roaming in wireless networks with a special focus on privacy, but also on security and ease of use. We will first cover roaming in general and then describe a solution for roaming in WLAN networks. Variants for roaming with and without participation of the home network will be presented, as well as extensions to use regular user devices as relay stations.
The basic principle of roaming enables a mobile device (MD) which has a contract with a home network (HN) to access roaming services provided by a foreign network (FN). This requires the FN and HN to share a roaming agreement. It is our goal to incorporate three requirements into the roaming scenario which are novel compared to existing and proposed solutions:
First, in our scenario, the MDs and the FNs are be able to negotiate directly on the tariff to use for the next connection. In the context of wireless roaming, tariff describes the unit type, unit size, and unit price a user has to pay for using a provider’s mobile data services. E.g., a tariff could be time based (type) at 2 cent (unit price) per 60 seconds (unit size). In current mobile telephony networks, the tariffs are negotiated between the FN and the HN instead. Enabling negotiation between the MDs and the FNs directly allows for much more flexibility in traffic shaping, i.e., the FN can adjust the tariffs it offers according to its current load. The idea here is that the FNs broadcast service advertising messages which contain their roaming partners and current tariff options in cost per minute or per data volume to the public. The MD selects a suitable tariff from the list of tariffs currently offered by the FNs within its range depending on the user’s choice or preferences (tariff selection).
Second, the users can be aided in this selection between multiple tariffs by the help of a recommendation system running on the roaming client software. The tariff recommendation is based on the tariffs available at this moment and the user settings and history regarding his service usage.
Third, in current mobile cellular networks, the HN will receive all information about MD’s service use in foreign networks. In addition, the FN receives the correct long- term subscriber identifier of the MD and is able to track the MD’s service use
42 Chapter 3. Roaming in Wireless Networks
over several connections. These disclosures are unnecessary. Therefore, we aim at a comprehensive roaming and accounting solution that incorporates the following privacy requirements: The HN can neither find out where, when, and what specific services a user used at a specific FN nor what tariff was negotiated between the user and the FN. The FN cannot identify the user of an MD but only the correct HN of that user. In addition, the FN cannot link different service uses of the same MD. Parts of this work have been published in [30] and [31]. A part of the implementation was created by Andreas Straub in his bachelor thesis [142].
3.1
Introduction
This Section will describe the principles of roaming and the current practice in wireless roaming. We then derive the requirements for our WLAN roaming solution.
3.1.1 Background on Roaming
Roaming was originally introduced by the GSM cellular phone standard and is widely established in mobile phone networks. No payment is exchanged between the MD and the FN; instead, the HN guarantees payment to the FN for the services provided to the MD. The roaming agreement is a contract between two operators which also includes agreements on accounting interfaces and on the cost of the connection, i.e., on the share the FN receives. As these are long-running contracts, the fees cannot be adjusted without additional effort. This has two consequences: The operators cannot adjust the tariffs as a means for traffic shaping, i.e., increasing fees at times of high system load, and the roaming fees have remained high compared to non- roaming connections. The roaming fees are often an order of magnitude larger than regular fees, which has caused regulation in some jurisdictions. Some users even obtain a regional SIM/USIM card for their device when traveling abroad to avoid roaming fees.
In GSM/UMTS/LTE roaming networks, the user usually cannot select a roaming partner himself. He is always bound to his contract partner within his home country, and to its roaming partners when traveling abroad. Also, the user is informed about the prices charged when roaming with each connection, and he cannot select a tariff matching his needs even when the FN would offer different tariffs to its own clients. When multiple FNs are present, the user cannot select the one with the best matching service and pricing model.
Roaming is a threat on privacy, as a company other than the user’s trusted HN may acquire sensitive personal information about the user. Some information disclosure cannot be avoided, i.e., that a device is using services, and that it is a client of an HN that the FN has an agreement with. The information which of these HNs the user is a client of can be avoided with schemes where the user pays directly to the FN, e.g., using a credit card. However, giving payment information such as a credit card number to the FN is a greater privacy risk than the disclosure of the actual HN, as the credit card information allows identification of a unique person
3.1. Introduction 43 Visitor MD Visited Operator FN Home Operator HN Connection Setup Protocol:
Tariff Selection, Key Setup, Initialization Payment and
Service Usage Phase
Clearing Protocol billing (offline)
Figure 3.1: Phases of the Roaming Solution (Simplified)
and also contains the real name. It would also be a security threat, as the credit card information can be abused by anyone, and anyone can operate an access point. A different problem is that the propagation of wireless signals is often limited in buildings, for both cellular and WLAN services. Current solutions do not allow user equipment to relay signals for other users, although the hardware on consumer devices is capable of providing such a service. This would help increase the signal strength for users inside of buildings, or with a greater distance to the access point.
3.1.2 Our Approach
In this section our approach to roaming is described from a high-level point of view. Later, details of the solution will be discussed.
Users operate Mobile Devices (MDs) such as laptops or smartphones with a wireless interface. Each user has a trust relationship with one operator, referred to as the Home Network (HN) of that user’s mobile device. In particular, the HN has issued initial credentials for the MD, knows the user’s identity, and is able to (legally) enforce billing against the MD1. Any wireless access network operated by an operator other than MD’s home operator is called Foreign Network (FN).
As in any other roaming solution, our goal is to enable the MDs to obtain service not only from their HN but also from FNs. The roaming agreement establishes a trust relationship between the FN and the HN: The FN trusts the HN to reimburse the FN for the service the FN provides to HN’s MDs. The HN in turn bills the MD for its service usage at the FN. Naturally, the FN must be able to verify that an MD is entitled to use its services, i.e., that it is registered with an operator with which the FN has a roaming agreement. Vice versa, the MD has to be assured that the FN is indeed a network operator with which the HN has a roaming agreement. A roaming agreement includes a clearing interface between operators.
Each FN advertises its services and tariffs using a broadcast message which can be received by all MDs within radio range. These service advertising messages received from different FNs allow the user of the MD to select an FN based on the tariffs offered for each connection. This allows the FNs to change their tariffs at any time,
44 Chapter 3. Roaming in Wireless Networks
and provides the user with transparency about the tariff to be used. The client software on the MD uses a recommendation system to help the user in selecting a suitable tariff when more than one tariff is available.
Our solution consists of a protocol suite for mobile devices detecting available net- works, selecting an appropriate tariff, connecting to a foreign network, a tick pay- ment protocol for continuous payment during service usage, and clearing protocols (as shown in Figure 3.1) that offer the aforementioned features. Each part of the protocol suite is specific to the underlying scenario, i.e., whether the connection from the MD to the FN is made directly or over a Hop, and whether the HN is taking part during the connection setup. Therefore, there are four different solutions, but all of them intend to achieve the same goals.
3.1.3 Derived Requirements for the Proposed Solution
In the following, we will focus on a WLAN consisting of one or more access points (APs) as the access network. A protocol suite for roaming WLAN devices which overcomes the limitations described above must fulfill the following requirements: The security goals authentication (MD, FN, and HN are certain that they are com- municating with the right parties), confidentiality (exchanged data is protected from eavesdropping), non-repudiation (MD and FN cannot dispute the tariff they agreed on), perfect forward secrecy (a disclosure of long-term keys after a session was recorded does not reveal session contents), and key confirmation (the parties are certain that they established the same keys) must be achieved, which are defined in detail in Section 2.1.5. The proposed solution must also support a secure payment between roaming devices and network operators, meaning that the MD always has to pay exactly for the services that it did use, not more and not less. The MD cannot avoid payment, and the FN cannot overcharge.
Also, the operator must be able to change its tariffs depending on current demand. The users must be able to choose between different operators and select from different tariff options on a per-connection basis. This selection is aided by a recommendation algorithm.
In addition, service usage within buildings should be improved by allowing user devices to relay signals for other user devices, and by providing an incentive for them to do so.
Our protocol suite has to offer a very high degree of privacy protection by revealing only strictly required information to the participating parties. The HN can neither find out where, when, and the amount of services a user used at an FN nor the tariff used between the user and the FN. The FN cannot identify the user of an MD but only the correct HN of that user. In addition, the FN cannot link different service uses of the same MD. Still, law enforcement requirements have to be met on a case-by-case basis.
3.1. Introduction 45
3.1.4 Basic Assumptions on Prerequisites
Our approach uses public key primitives, but does not require a full public key infrastructure to be in place, i.e., the operators do not have to rely on a centralized certification authority. In the variants of the solution where the HN takes part in the connection setup, no certification authority and no revocation mechanism is needed at all. Instead, we assume that each operator runs its own certification authority service. All certificates issued by these authorities are issued on signature creation keys and contain signature verification keys. Each MD stores the public key of its own HN. Each operator runs its own authentication server AuS, which has access to the private key of its operator. Each AP is connected to the AuS of its respective operator.
The MDs are not required to obtain certificates of the FNs and vice versa. No public key of the FN has to be known to the MD, and no public keys of the MD have to be known to the FN. No shared secret keys need to be preinstalled anywhere. The MDs carry an identifier which is known to the HN, i.e., a serial number given by the HN. The MDs can also be issued multiple identifiers by the HN. Each MD carries a signature creation key, with the corresponding signature verification key known to the HN. The MD knows its HN’s signature verification key. These can be set up from the HN to the MD using a SIM card, by installing a client software, or by a similar mechanisms. The public keys can be kept up to date using existing mechanisms.
To enable roaming among their users, operators have to exchange the public keys of their CAs (but not their MDs) among each other and keep them up to date using suitable mechanisms.
For the integrated payment system, the HN has to vouch for its MDs to the FN. Therefore, the HN must verify that its MD is solvent (post-paid contract) or that its MD has made a deposit with its HN beforehand (pre-paid contract).
We assume that access points are able to broadcast service advertising messages. In our WLAN implementation, this is achieved using an efficient encoding scheme in the SSID (see Section 3.3.2) so far, although other mechanisms can be used.
The HN may take part in connection setup (called „HN online“) or not („HN of- fline“).
3.1.5 Outline for the Chapter
In the remainder of this chapter, related work is discussed in Section 3.2, including tariffs in telecommunication and roaming networks. The outline of our solution to roaming in WLAN will be clarified in Section 3.3. Multiple solutions will be pre- sented and evaluated, one for each of four different WLAN roaming scenarios: The connection between MD and FN can be direct or over other MDs, which then act as relay stations. Both variants work with the home network online using remote veri- fication during the connection setup or offline using a broadcast of cross certificates and CRLs between the roaming partners.
46 Chapter 3. Roaming in Wireless Networks
These are the four roaming scenarios to which a solution will be presented: • Direct Connection, HN online: Section 3.4
• Connection over another station, HN online: Section 3.5 • Direct Connection, HN offline: Section 3.6
• Connection over another station, HN offline: Section 3.7
The Payment Protocols are described in Sections 3.8 for direct connections and in Section 3.9 for connections over another station. A comparison of the solutions is presented in Section 3.10. The implementation of the direct connection HN online solution is described in Section 3.11. Further concerns are discussed in Section 3.12 and the conclusion is drawn in Section 3.13.