Enhancing Network Security through Advanced Authentication and Key Management Mechanisms

: This paper introduces the SEAKS-PKMv2 protocol, a robust security mechanism aimed at addressing vulnerabilities within the PKMv2 framework, particularly focusing on mutual authentication, key management, and encryption in mobile WiMAX networks. By integrating RSA-based and EAP-based authentication methods, SEAKS-PKMv2 establishes a secure environment that mitigates risks such as replay, man-in-the-middle and interleaving attacks. The protocol adopts a distributed authentication and localized key management approach, facilitating efficient and secure network access and data transmission. Through simulation, we evaluate the SEAKS-PKMv2 protocol's performance in terms of packet delivery ratio, overhead, processing time, and resilience against rogue relay station attacks. The findings demonstrate significant improvements in network security and efficiency, confirming the effectiveness of SEAKS-PKMv2 in enhancing the integrity and confidentiality of communications in distributed network settings.


INTRODUCTION Overview of Pkmv2 Protocol
The v2 protocol provides RSA-based authentication in addition to EAP (Extensible Authentication Protocol)-based authentication, which adds another layer of protection.The Pkmv2 protocol offers the following safety options: The Pkmv2 protocol, which manages MAC security via TEK (traffic encryption key) is a privacy and key management system.All security messages and handover keys used in the initial authentication and authorization process will be managed by TEK.The protocol supports user authentication via EAP and features such as SIM-based authentication, user name/password-based authentication and certification-based authentication are all supported.In order to ensure the security of the sent data, the traffic is encrypted using a state machine whose keys are obtained from TEK and which also features a proper refresh mechanism.Support for rapid handoffs is provided via the speedy re-authentication method provided by three-way handshakes.The protocol provides a three-way authentication technique by which the SS and BS can verify one other's identities.The protocol employs RSA algorithms for key exchange, with the MS proving its identity via a digital certificate from the device's manufacturer (X.509) or a SIM card.The public key and Mac address of the mobile station are included in this certificate, which is then sent to a certificate authority for verification.The CA checks the mobile station's identity and certifies the certificate.After the user's identity has been verified, an authorization key will be generated using the user's public key; MS and BS will then utilize this authorization key to generate a new encryption key for use with the AES algorithms.The following procedures provide the foundation of RSA authentication and key generation and management: -First, the mobile station will communicate with the BS by sending authentication information messages.Massage analysts in Massachusetts are X.509-certified.The MS then sends the BS an RSA request message consisting of a Pre-Pak and Saids.This transmission includes an X.509 certificate, cryptographic algorithm specifications, the basic CID of the MS, and a 64-bit random integer.Respond to this message once the base station has received it.Using the MS's public key, it verifies the MS's identity, determines the protocol types and encryption techniques and finally triggers Pre-Pak for the mobile stations.RSA when BS receives a reply message, it sends back an RSA reply message with the following data:

Multiple Dangers to the Pkmv2 Protocol
In this updated protocol, the SS sends a confirmation message to the BS after a successful three-way authentication.However, the protocol's authorizing steps lack both integrity and non-repudiation.If an interceptor with a strategically placed radio receiver manages to pick up an authorization request or response, there is no digest mechanism to confirm that the messages have not been tampered with and no other safeguards are in place to prevent the sender from denying the authenticity of the communication.An adversary who isn't using SS signature can create bogus frames and steal, alter and retransmit real ones.Attacks using Simple Interleaving and Replay: If SS does not sign the transaction, a replay attack could be possible.Second, the provided signature does not aid the nonce version even when using the SS signature form.Since the nonce version is missing, an interleaving attack is possible since the attacker can respond to the BS with a provided nonce.Man-in-the-middle attack mutual authentication via three-way handshaking is provided by the PKMv2 protocol, rendering a man-in-the-middle attack impossible.However, a man-in-the-middle assault can still occur.Security mechanisms in SS and BS negotiation parameters will be disabled after the network has completed the first network entrance operation.Due to the protocol's fast handover support, the initial parameter has no security implemented, making it easy for an attacker to register himself as a false SS or BS by capturing this value.Despite the timestamp checking in the X.509 three-way authentication protocol, a new sort of attack called the "multiple attack" has been introduced by the author.By including BS identification, you can protect yourself against the attack.

PROPOSED SECURITY MECHANISM
SEAKS is presented as a solution to the above-mentioned security concerns.Authentication management and key management are SEAKS' two primary modules.Authentication management, including single-hop and re-authentication techniques, are built into SEAKS-PKMv2.The Key administration is made up of the AK administration and the TEK administration.Single and multihop authentication schemes are used to demonstrate the SEAKS protocol's distributed authentication characteristics.Key reauthentication and key management at the local level are highlighted by the AK and TEK state machines.SEAKS is a decode-andforward relay that operates on a non-transparent, self-organized model.SEAKS is a distributed authentication and re-authentication with localized key maintenance hybrid technique.This method not only provides an effective countermeasure to the vulnerabilities, but it also aids in reducing the overall authentication burden on the MR-BS and authentication server.Figure 2 depicts the SEAKS modules and their respective functions.

Authentication Management
Client-server mode authentication and key exchanges between the SS/ RS/N-RS and the MR-BS are supported by authentication management for both SEAKS-PKMv1 and SEAKS-PKMv2 authentication protocols.SEAKS authentication management enables for re-authentication in localized security controls, as well as a self-organized and cost-efficient technique for numerous N-RS to authenticate itself in distributed and hop-by-hop security control.Authentication and confidentiality are two separate but equally important aspects of security that must be taken into account.Authentication may be required yet secrecy is unnecessary in many situations.In PKM protocols, N-RS authentication using MR-BS requires sending three messages.Figure 3 depicts three messages, the first two of which are Auth-Info and Auth-Req, and the third of which is Auth-Reply.Message 2 will be analyzed because the first one is highly informative but not necessary.Since the MR-BS and N-RS exchanged capabilities and the Security Association Identifier (SAID) throughout SBC and ranging procedure, Message 2 is always sent in plain text.Second, since MR-BS is unable to decrypt a public key, certificates must be transmitted in plain text.Similarly, Message 2 is quite susceptible to many attacks.Discretion is not necessary here; just the message's reliability is.A successful transmission ensures that the "attacker cannot alter or modify the message."As a result, it's useful for warding off DoS, MITM, and replay attacks.Similarly, the SS is even more vulnerable to replay attacks while receiving message 3. Message 3 must be genuine and secret, with the latter condition being "message should not be modified and should come from the legitimate MR-BS" to prevent replay attacks.

SEAKS-PKMv2 Authentication Protocols
PKMv2 was suggested by the IEEE 802.16 standard to address the issue of mutual authentication in PKMv1 by appending a single message to the conclusion of the protocol.The SS sends a confirmation message to the BS as part of a three-way authentication scheme, of which PKMV2 is a part.Due to the optional nature and purely informational nature of the first communication, the security analysis started with the second message.Message 2 is sent unsigned.The request message may be tampered with or

Authorization Key and Re-authentication Management
The proposed SEAKS protocol allows for devices to re-authenticate themselves locally and refresh their AK at regular intervals.Figure 6 is a good representation of the state machine diagram for SEAKS AK and the Re-authentication method.The AK and Re-Auth refreshment state machines include six states: startup, authorization, waiting for an operation, waiting for a re-key, and authorization.There are five distinct occurrences: pending key, rejected key, grace period timeout, and key expiration.In the preliminary phase, no assets are committed.No processing is planned, and all timers have been disabled.It is anticipated that N-RS progressed from the initial stage to the authorized one after acquiring the AK and valid lists of SAID.This requires N-RS to regularly transmit the key request and receive the key response messages so that AK may be refreshed.After sending the key request, N-RS goes into a waiting mode until it receives the key replay.If the MR-BS sends back the correct key, it enters the operational state.
When N-RS has a valid and recently updated AK, the system is said to be in an operational condition.If N-RS detects that AK's lifespan is about to expire while in the operation state, it will transition to the re-key-wait state by issuing a key-request.N-RS enters the authorized state and must resend the key request if it first seemed to be invalid.If not, the AK is updated and sent back into service.If the key request is not sent and the key grace period has elapsed while in the operating state, N-RS transitions to the Re-Auth stage.If the key request is denied while in the Re-key-wait phase, the process will transition to the Re-auth state.When the key request grace period has elapsed and N-RS has not received a key replay message from MR-BS, the system transitions from the authorized to the Re-auth state.The Auth-Req is sent to the MR-BS during the Re-auth state, and the MR-BS is always prepared to begin the re-authentication process again if necessary.Each TEK in the N-RS is accountable for controlling the keying settings of its own SAID.The events or protocols are triggered to allow communication between the authorization state machine and the TEK state machine.All of the TEK state machines will be shut down, however, if the authorization state machine1 gets an authentication reject message from the MR-BS.For a given SAID, the MR-BS active keying content is included in Key-Reply message.Key-request, key-reply, key-reject, TEK Invalid, stop, authorized, Auth-pending, Auth-complete, time out, TEK Refresh time out and grace time out are some of the eleven events that can occur in the TEK state machine's eleven states.During the initialization phase, all timing and processing are messed up.Assuming it has authorization, N-RS sends the key request message for its associated SAIDs and waits for the replay in the operational wait state.If the key request is declined or pending at this phase, the process will go on to the start phase.In contrast, it enters the operational state and stops sending key requests if and only if it gets the key replay.When the timer expires and N-RS's keying settings for its SAID lists are correct, the system is in a stable functioning condition.N-RS enters the Re-key wait state after sending the key request to update the TEK during the operating state.N-RS will return to state, however, if the grace time out comes and the key request is not sent.If N-RS gets a valid key replay while in the Rekey wait state, it will transition to the operating state.
If the key request submitted during Re-key wait turns out to be invalid, the process will continue to operation wait.Otherwise, it enters the initialization phase if the key is declined.If authentication is required while in the Re-key wait state, the process will transition to the Operation Re-auth Wait state until authentication is complete or a key request is issued, at which point it will transition back to the Re-key wait state.If re-authentication is terminated, the process returns to the beginning.Therefore, the scheme is autonomous due to the aforesaid key management and re-authentication.

RESULTS AND DISCUSSION
The parameters listed in Table 1 were used to inform the development of the network model for MMR network security.This study employs a network model that is IEEE 802.16 MAC layer compliant.The traffic pattern is a point-to-multipoint connection.Seven opaque relay stations are employed in the simulation.Each relay is linked to exactly one base station.Since replay attacks are the primary drivers of DoS, MITM, and interleaving attacks, we employ Relay 7 as an opponent who can create such an attack.The parameters for AK and TEK are set at 5s and 3s, respectively.RSA protocol, RSA-SHA-

Packet Delivery Ratio
The packet delivery ratio is the proportion of sent data that was received by its intended recipient.The consequences of the packet delivery ratio in the absence of the adversary are shown in Figure8(a).The graph shows that when compared to SEN XU and OD-2009, the proposed SEAK protocol has a lower packet delivery ratio by 15% and 20%, respectively.This is because the SEAKS protocol's security feature adds some processing time before it can be put into effect.This causes the data packets to miss their endto-end deadline because of the delay in the packet's deadline.When an attack is present, however, as shown in Figure 8(b), the SEAKS protocol has a higher packet delivery ratio than SEN XU and OD-2009 by 13% and 22%, respectively.This is because, as we've already shown, SEN XU and OD-2009 are helpless in the face of a successful replay assault.

Packet Overhead
The term "packet overhead" refers to the ratio of outgoing to incoming data rates in a network.28% greater than OD-2009 and 8% higher than SEN XU.In order to verify the validity of the received packets, the proposed authentication technique adds a little amount of packet overhead, but only because it processes only legal packets and discreetly discard confusing packets.Figure9(b) displays simulation findings showing that when an attacker incorporates a replay attack into a network deployment, the proposed SEAKS authentication method has a 9% lower packet overhead than SEN XU and a 12% lower overhead than OD-2009.As we've already established, this is because non-transparent relay stations won't forward a packet from an enemy unless their own hash of the packet matches the adversary's plain text.Therefore, across all deployments, no legitimate packet loss happens.This implies there will be a greater chance of receiving a packet, resulting in lower packet overhead.However, SEN XU and OD-2009 will accept the packet from a malicious source that is masquerading as MR-BS and SS.As a result, there is a greater packet overhead since the likelihood of receiving a packet has decreased.

Processing Time
The delivery ratio performance is heavily influenced by the processing time each hop.Figure10 shows a simulation result for processing time in milliseconds (ms) vs the number of relays (hops) between the sender and the receiver.The findings show that SEAKS protocol has a 43% faster throughput than SEN XU and a 14% faster throughput than OD-2009.The SEAKS protocol's ease of use in repelling attacks is the primary factor.When compared to other digital signature techniques, notably public key cryptography19, hashing functions and message digest systems are the most lightweight schemes.The performance of a nontransparent, distributed network will suffer if the amount of time spent processing or executing raises the microcontroller's duty cycle.In the graph, there is a little curve followed by a straight line, demonstrating the self-organized structure of the network.Second, after all the keys are dispersed, processing time is lowered since authentication is decentralized but key management is localized.The processing times for the other two authentication methods are much higher.The graphs demonstrate that an increase in the number of hops results in a noticeable delay in processing.The absence of decentralized authentication and key management at the neighborhood level is to blame.

CONCLUSION
The comprehensive study on enhancing network security through the implementation of the SEAKS-PKMv2 authentication scheme has demonstrated significant improvements in addressing vulnerabilities associated with network threats.SEAKS-PKMv2, with its dual modules of authentication management and key management, provides a robust framework that not only counters the prevalent security challenges such as replay attacks, man-in-the-middle attacks, and the vulnerabilities in mutual authentication processes but also introduces a decentralized and self-organized model for more efficient network management.Through rigorous simulation analyses, the SEAKS-PKMv2 protocol exhibited superior performance in packet delivery ratio, packet overhead, processing time, and resilience against an increasing number of rogue relay stations when compared to existing protocols like OD-2009 and SEN XU.The protocol's ability to quietly discard confusing packets while processing valid ones, coupled with its localized key management and periodic authentication, ensures a secure and reliable network environment.This study underscores the importance of continuous innovation in authentication and key management strategies to safeguard against evolving network threats.The SEAKS-PKMv2 protocol represents a significant step forward in the field of network security, providing a scalable and forwardcompatible solution that can be adapted to various network architectures, including distributed IEEE 802.16e networks and nontransparent relay-based IEEE 802.16 networks.Future research should focus on further refining the SEAKS-PKMv2 protocol to enhance its efficiency and to explore its applicability in emerging network technologies such as 5G and IoT, where security and efficiency are paramount.
identity certificate, MS public key used to encrypt the Pre-Pak, the Pre-Privacy Authorization key, the PAK lifetime, the SAIDs, the 64-bit random number received from MS, his own 64-bit random number, and the RSA signature on the rest of the message.Each of the keys-the PAK from the received Pre-PAK, the AK from the derived PAK, and the KEK and HMAC/CMAC key from the derived AK-were independently derived by the MS and BS.Then, the BS will challenge the MS using SA-TEK.Examine the MS for a valid AK to see if they can access the network.For the MS to seek a TEK from the BS, it must send an SA-TEK request message.A TEK is then generated by the BS and encrypted with the KEK before being sent to the MS in the SA-TEK response message.To prepare for upcoming encrypted and decrypted communication, MS decrypts the TEK.

Fig. 1 :
Fig. 1: Initial RSA Authentication and Key Generation and Management Process

Figure 7 Figure 7 :
Figure 7: Traffic encryption key mechanism 0 18 was used to analyze the effectiveness of the suggested security measure in distributed and N-RS-based IEEE 802.16 networks.The current IEEE 802.16 topology network has been simulated in order to test the proposed SEAKS protocol.Researchers have focused their attention on the impact of factors including packet delivery ratio, packet overhead, processing time, and the number of compromised relay stations on the performance of SEAKS protocols in a network simulator.For each study, two simulations were run: one with and one without attackers.These bad actors are solely to blame for the replay attack, which is the root of all other assaults.Three distinct authentication protocols-OD-2009, SEN XU, and SEAKS-were evaluated and tested in each simulation.
Figure9(a) displays simulation data showing that even in the absence of an attack, the packet overhead of the proposed authentication technique is quite large, being