Local Gateway Assisted Handover Key Derivation in Enterprise Femtocell Network

With the dense deployment of femtocells in enterprise femtocell network and the small coverage of femtocells, handover in enterprise femtocell network will be frequent. The general handover key derivation method which is used in handover procedures in LTE is not suitable for handover in this scenario because of its long time cost and the weak security. To solve this problem, this paper has proposed a new local gateway assisted handover key derivation schema in enterprise femtocell network. It can meet the fast derivation and good forward/backward key secrecy requirement of handover key derivation in enterprise femtocell network. The simulation result has verified that the proposed handover key derivation schema works better than the existing method.


Introduction
Enterprise Femtocell Network (EFN) is a novel and very promising application concept of femtocells [1]- [4]. It is defined as a group of femtocells that are able to form a partially autonomous network under the administration of a Local Network Operator (LNO). EFN is conceived as a complementary solution to existing macrocell deployments in order to improve network coverage and capacity, offload traffic from the Evolved Packet Core (EPC), and provide new services to mobile subscribers. EFN can be deployed for many scenarios, such as shopping malls, corporate environments, convention centers, or university campuses.
The handover key derivation method used in EFN is the same with the general one used in handover procedures in LTE [5]- [7]. There is no specific handover key derivation methods for Enterprise Femtocell Network (EFN). In recent years, a lot of researches on handover authentication for eNBs have been proposed [8]- [13]. But this general handover key derivation methods in LTE is not suitable for EFN. There are two different key derivation ways for X2-based handover and S1-based handover in LTE. In X2-based handover situation, the new key for target HeNB K * eNB is generated from the old communication key K eNB between UE and source HeNBs. The source HeNB may derive K * eNB by K eNB . So K * eNB is not forward secure. In S1-based handover situation, the key K * eNB is derived from the K ASME by MME. This provides good key backward/forward secrecy.
But because MME is far away from HeNB of EFN, this method will take a lot of time. With the dense deployment of HeNB in EFN and the small coverage of HeNB, handover in EFN will be frequent. S1-based key derivation method will not be efficient enough for EFN. This paper is to solve the handover key derivation problem in EFN. To meet the fast derivation and good forward/backward key secrecy requirement of handover key derivation in EFN, a local key derivation device, named Local Key Distributor (LKD), is added into Enterprise Femtocell Gateway (EFGW). When UE hands its connection over to EFN, the MME (Mobility Management Entity) issues delegation power to the LKD. Then LKD uses a key K LKD , which is derived from K ASME by MME, to generate new keys for target HeNBs in handover process in EFN. This helps to reduce the time of key derivation greatly. Meanwhile, it provides good key forward/backward secrecy, because the source HeNB can't derive the new key for target eNB without knowing the key K LKD .
The rest of this paper is organized as follows: In Section 2, we will introduce how to deploy a local key distributor into EFN. In Section 3, we will detail the local gateway assisted handover key derivation schema in EFN. And the performance analysis will be presented in Section 4.

The Deployment of Local Key Distributor into EFN
In order to provide EPC functionalities within the EFN and to keep data and signalling traffic within the local network, there was a new element introduced in the network architecture: Enterprise Femtocell Gateway (EFGW). In the literatures [1]- [4]. From the logical point of view, the EFGW is located in the edge of the EFN and acts as a network manager for local mobility, traffic management, access control, authentication, power management, and fault management. And it can also provide Local IP Access (LIPA) or Selected IP Traffic Offload (SIPTO) services, which are particularly relevant in femtocell networks [5].
Local Key Distributor (LKD) can be deployed separately or integrated into EFGW. Figure 1 presents the evolved system architecture with the deployment of the LKD integrated into EFGW. LKD will use the standard S1 interface to communicate with entities in EPC (Evolved Packet Core). The LKD behaves towards the EPC (Evolved Packet Core) like a standard eNB. And LKD communicates with HeNB in EFN with enhanced S1 interface. The details of the enhancement will be explained later in this proposal.

The Proposed Local Gateway Assisted Handover Key Derivation Schema
Handover key derivation problem in EFN has three sub problems, including how to generate new keys during hand-in process (handover process from an eNB/HeNB out of EFN to a HeNB in EFN), how to generate new keys during inter-HeNB handover process in EFN, and how to generate new keys during hand-out process (handover process from a HeNB in EFN to an eNB/HeNB out of EFN. The key derivation procedures in these three scenarios are as follows:

Key Derivation Procedure in Hand-In Process
Except generating new key for target HeNB, the other propose of this procedure is to derive a delegation key for LKD, which LKD will use to generate new keys for target HeNBs in place of MME in later intra-HeNB handover in EFN. The key derivation process is shown as Figure 2.   The message sequence of key derivation during hand-in procedure into EFN is as follows: 1. UE sends Measurement Report message to the source eNB (S-eNB) in macrocell network. 2. S-eNB computes K * eNB with Key Derivation Function (KDF). 3. S-eNB sends Handover Required to MME K * eNB will be included in the Handover Required message. 4. MME computes K *+ eNB and NH *+ NCC 5. MME sends Handover Request message to LKD K *+ eNB and NH *+ NCC are included in the Handover Request message. K *+ eNB will be sent to LKD, and used as the key K LKD . 6. When LKD receives K *+ eNB and NH *+ NCC from MME, it sets K LKD = K *+ eNB , and then computes K *# eNB and NH *# NCC by K *# eNB = KDF (K LKD , NH *+ NCC ) and NH *# NCC = KDF (K LKD , K *# eNB ). 7. LKD sends Handover Request message to T-HeNB 8. If T-HeNB can accept this handover, it sends Handover Request Acknowledge message to LKD 9. T-HeNB stores NH *# NCC and computes K *& eNB = KDF(K *# eNB , PCI, EARFCN-DL), and derive K UPenc , K RRCint , K RRCenc 10. LKD sends Handover Request Acknowledge message to MME 11. MME sends Handover Command message to S-eNB 12. S-eNB sends Handover Command message to UE 13. UE derives new keys for communication with T-HeNB, and then derive K upenc , K RRCint , K RRCenc 14. UE sends Handover Confirm message to T-HeNB. 15. T-HeNB sends Handover Notify message to LKD. 16. LKD relays the Handover Notify message to MME.

Key Derivation Procedure of Inter-HeNB Handover in the EFN
In the inter-HeNB handover process in EFN, the new keys for target HeNB are generated by LKD in this paper. The handover key derivation functionality of MME under the control of the EPC is transferred to LKD in the EFN. This helps to reduce the time for generating new keys for target HeNB. The inter-HeNB handover key derivation process in EFN is shown as Figure 3.
The concrete procedures are as follow: 1. UE sends Measurement Report message to the source HeNB (S-HeNB) in macrocell network. 2. S-HeNB computes K * eNB with Key Derivation Function (KDF). K * eNB = KDF (NH NCC , PCI, EARFCN-DL), K * eNB is a material for generating new key of target HeNB, KDF must be a one-way function (e.g. a hash function like SHA256). 3. S-eNB sends Handover Required message to LKD K * eNB is included in the Handover Required message. 4. LKD computes K *# eNB and NH *# NCC by K *# eNB = KDF (K LKD , K * eNB ) and NH *# NCC = KDF (K LKD , K *# eNB ). In this step, LKD acts as a proxy MME using K LKD to generate new key K *# eNB for target HeNBs. And NH *# NCC is a parameter used for next handover.

Key Derivation Procedure of Hand-Out Process
The key derivation procedure of hand-out process is almost the same with that in handover between eNBs in LTE, as shown in Figure 4. The LKD just acts as a relayer to transmit messages between source HeNB (S-HeNB) and MME when LKD finds the target eNB (T-eNB) is not in EFN. The concrete procedures are as follows: 1. UE sends Measurement Report message to the source HeNB (S-HeNB) in macrocell network. 2. S-HeNB computes K * eNB with Key Derivation Function (KDF). K * eNB = KDF (NH NCC , PCI, EARFCN-DL), K * eNB is a material for generating new key of target HeNB, KDF must be a one-way function (e.g. a hash function like SHA256). 3. S-HeNB sends Handover Required message to LKD K * eNB will be included in the Handover Required message. 4. LKD relays this Handover Required message to MME 5. MME computes K *+ eNB and NH *+ NCC K *+ eNB = KDF (K ASME , K * eNB ), NH *+ NCC = KDF (K ASME , K *+ eNB ). K *+ eNB and NH *+ NCC will be transferred to target eNB directly, and NH *+ NCC will be used for generating K * eNB in next handover. 6. MME sends Handover Request message to T-eNB K *+ eNB and NH *+ NCC are included in the Handover Request message. 7. If T-eNB can accept this handover, it sends Handover Request Acknowledge message to MME 8. T-eNB stores NH *# NCC, K *# eNB = K *+ eNB , and computes K *& eNB = KDF(K *# eNB , PCI, EARFCN-DL), and derive K UPenc , K RRCint , K RRCenc NH *# NCC will be used in next handover key derivation. And K UPenc , K RRCint , K RRCenc are generated from K *& eNB , Figure 4. Key derivation during hand-out process.

Performance Analysis
In the following parts, the performance of this paper is analyzed in terms of communication time cost and computational time cost, by comparing it with previous LTE methods in 3GPP TS 33.401. And the forward/backward secrecy of this solution is analyzed theoretically.

Key Derivation Cost Analysis
There are two parts of key derivation cost, computation cost and communication cost. The communication cost includes the delay of delivery between the eNB/HeNB and the MME λ , the communication cost between the UE and the eNB δ , the cost between eNB/HeNB ε , the communication cost between HeNB and LKD α , the communication cost between LKD and MME β . Since MME is far away from eNB/HeNB, δ is range in 0 δ λ < < . And because LKD and HeNBs are connected with each other in the same way (like Ethernet) in EFN, ε and α can be considered to be equal ε α = . With the deployment of LKD in EFN, the HeNB communicates with MME through LKD, then λ α β = + . Since LKD is far away from MME, and it communicates with MME by an Internet link, β is always far bigger than 10 α * . Table 1 presents the communication costs of different method in different handover process. Table 1 shows that comparing with the previous key derivation method in LTE, LKD-based method reduces the key derivation time greatly in inter-HeNB handover in EFN without introducing extra communication cost in hand-in and hand-out process.
To test the computation cost of key derivation, the time used for the primitive cryptography operations has been measured by using C/C++ OPENSSL library tested on an Celeron 1.1 GHz processor as an UE, Dual-Core 2.6 GHz as an eNB, a LKD and a MME. The computation cost of generating a key of UE is 0.0356 ms, and computation cost of generating a key of LKD, eNB or MME is 0.0121 ms.
To show the performance of this paper visually, we gives a simulation example of communication cost as follows: The one-way latency of the LTE radio access is modelled to fit normal distribution ( ) . The broadband link transmission delay in EFN is modelled to fit normal distribution ( ) . The communication delay of Internet backhaul and mobile operator networks is modelled to fit normal distribution ( ) N 10, 20 β . And the load-dependent queuing delay is modelled as an M/D/1 system. Figures 5-7 presents the performance of different method in inter-HeNB handover, hand-in and hand-out process in EFN.     Figure 5 presents the inter-HeNB handover key derivation time cost of the previous LTE X2-based method, previous LTE S1-based method and our LKD-based method (this paper). Figure 5 shows that computation cost is nearly zero, and the communication cost accounts for the main parts of total cost. And it shows that this paper greatly reduces the communication cost, comparing to the previous X2-based method and S1-based method in LTE. This is because LKD localizes the key derivation signaling in EFN, not like the previous S1-based or X2-based method in LTE. Figure 6 presents the handover key derivation time cost of previous S1-based method and LKD-based method (this paper) in hand-in process. Figure 6 shows that this paper only increases 0.0955 ms in total. This is because LKD-based method only adds one step to the process of previous S1-based method to compute keys for target HeNBs. This result shows that LKD-based key derivation method generates keys for the target HeNB in EFN, with almost the same performance of previous S1-based method, meanwhile it helps the LKD get its proxy key K LKD from MME. This is very meaningful because this paper introduces very little cost to allocate proxy key for LKD, which will reduce the communication cost in later inter-HeNB handover in EFN. Figure 7 presents the handover key derivation time cost of previous S1-based method and LKD-based method (this paper) in hand-out process. The results show that the costs of the two methods are the same. This is because LKD only acts as a relay for the delivery of key derivation signaling messages.

Forward/Backward Secrecy Analysis
Based on the knowledge of forward/backward secrecy of S1-based handover key derivation, the forward/backward secrecy of the LKD-based handover key derivation method (this paper) is analyzed as follows: In the hand-in case, the MME generates K LKD and NH *+ NCC (K LKD = K *+ eNB = KDF(K ASME , K * eNB ), NH *+ NCC = KDF (K ASME , K *+ eNB )) for LKD by K AMSE , so K LKD and NH *+ NCC are not known to both the source eNB and the target HeNB, and then LKD uses the K LKD and NH *+ NCC to generate new keys K *# eNB and NH *# NCC (K *# eNB = KDF(K LKD , NH *+ NCC ), NH *# NCC = KDF(K LKD , K *# eNB )) for target HeNB, so the keys K *# eNB and NH *# NCC are also not known to source eNB. Then the target HeNB computes K *& eNB = KDF (K *# eNB , PCI, EARFCN-DL). So K *& eNB can't be derived from the known parameters by the source eNB. The key forward secrecy is provided in hand-in case.In the inter-HeNB handover case, the LKD generates new keys K *# eNB and NH *# NCC (K *# eNB = KDF(K LKD ,K * eNB ), NH *# NCC = KDF(K LKD , K *# eNB )) for target HeNB. Because source HeNB don't know K LKD , K *# eNB and NH *# NCC are not known to source HeNB. Then target derives its new key K *& eNB = KDF (K *# eNB , PCI, UEID) by which is also not known to source HeNB. So the key forward secrecy is provided in inter-HeNB handover case. In the hand-out case, the new key derivation process in LKD-based method is similar with that in S1-based handover in LTE. So the key forward secrecy is provided in hand-out case. Besides, the target HeNB knows nothing about the key materials and the key of source eNB (HeNB) in all the process, so the key backward secrecy is provided in LKD-based handover key derivation method in this paper. In conclusion, good key forward/backward secrecy is provided in LKD-based handover key derivation method in this paper.