1 Introduction

The number of mobile phone users over the world exceeds six billion. Mobile Cloud Computing (MCC) is attracting a large number of users in different communities such as academia, industry, and governments where MCC serves as a method which aim to improve and deploy basic mobile phone applications. Gmail and Google Maps are examples of existing mobile applications [1,2,3]. Customers using cloud applications can connect to their applications using a cloud-based site through their receiver browser, which supports better capabilities with lower consumption of mobile’s provider.

As users communicate through different networks, security policies differ significantly, which necessitates the development of a new vertical handover authentication mechanism. Supporting smooth roaming and confident handover in MCC is a motivated mission, due to different mobility, security needs, and Quality-of-Service (QoS) for each access network [4]. Cloud applications designed for real-time, such as media streaming and video conferencing [5] suffer from strict performance needs, such as packet loss, and end-to-end delay. These performance limitations need to be avoided in order to provide unbroken secure facilities for mobile users. Therefore, handover protocol needs to be well-designed, which means that authentication is an essential component in designing handover protocols.

The handover authentication protocol is a crucial part of communication in Mobile Wireless Networks (MWNs), where cell phones need regular safe and perfect roaming between different access points [6]. Mobile clients in wireless networks need to be re-authenticated when they are roaming a new station (Wireless Local Area Network WLAN or 4G Long Term Evolution LTE) after the handover. Once a mobile user moves from mobile networks to the wireless network and vice versa, many security risks arise. This is due to the infrastructure of mobile and wireless networks such as the opening of mobile and wireless channels, the complications of both cases and the restriction of supply to radio stations. Thus, to overcome these performance restrictions and to give unbroken secure services for mobile users, a secure and well-organized handover authentication protocol represents a high need.

1.1 Background

1.1.1 Mobile cloud computing

Cloud computing is a vital paradigm designed for conveying on-demand sharing resources such as infrastructure, platform, software, etc., to client’s devices like PC or cell phones, over the Internet [7]. Users can access cloud applications using an internet browser on their PC or on their cell phones or any other mobile device. Cloud applications are used to get an improved level of performance and service.

The software and data are stored on servers at unidentified distant locations, as shown in Fig. 1. MCC which is a combination of cloud and mobile networks, adds extra benefits to mobile users using all cloud computing’ features and benefits in the mobile environment.

Fig. 1
figure 1

An illustration for internet cloud computing

Full size image

1.1.2 Handover in mobile networks

Mobile networks and WLANs are IP-based systems. The architectures of these networks are not the same, where protocol stacks; access schemes, mobility mechanisms, and service quality are different. Thus, the interconnection between these two types of networks is not simple. The Evolved Packet Core (EPC) is introduced in Release 15 [8], which characterized the interconnecting functionality between 3GPP and non-3GPP access systems. It is conceivable that you have new options for mobility using technology transfer over multiple access network systems. In addition, a trusted WLAN is provided in the EPC, facilitating a smooth transition between 3GPP and 3GPP networks, as shown in Fig. 2. Seamless handover is vital in designing progressive wireless broadband systems such as 3G and 4G. Although efforts have been performed to enhance handover latency, handover remains the most essential mobile network issue. When an MS enters into a cell boundary or suffers from dropping in signal quality in the serving station, the handover process is started. Therefore, the handover must be well designed. Otherwise, it will reduce QoS [9] dramatically. In the MCC environment, the data transfer rate changes dynamically, unlike wired networks that use a physical connection. Continuous service in mobile communications can be achieved when handover is supported from station to another seamlessly.

Fig. 2
figure 2

LTE-WLAN interconnection

Full size image

1.1.3 ANDSF overview

Evolved Packet System (EPS) [10] is designed to support many non-3GPP accesses to possess various features such as security, bandwidth, and so on. ANDSF is presented in EPS, its main function is to give information about non-3GPP networks, for example, WLAN. ANDSF provide information based on the operator’s structure such as:

  1. 1.

    MS Location: the current location can be sent by MS to the ANDSF server, using geographical position or macro cell-ID (SSID).

  2. 2.

    Information about network discovery: ANDSF server sends discovery information to the MS.

  3. 3.

    Inter-System Mobility Policy (ISMP) and Inter-System Routing Policy (ISRP): These are a set of operators which introduce procedures for the MS.

The MS can access ANDSF using the access technologies in 3GPP or non-3GPP that are connected through the EPC, as shown in Fig. 3. ANDSF is a dynamic database restricted and managed by the operators. Mobile users have the ability to access this server to find out neighboring WLANs. Data flows are exchanged simply only after connection with WAP (Wireless Application Protocol) is set up, while the LTE connection is on all the time for the offloading situation under thought. Therefore, the connection establishment delay can be ignored. The ANDSF server may give an accessible WLANs list to the MS based on its membership, position, day time, and so on. The ANDSF Management Object (MO) provides the MS with information about authority regions, appropriate duration of time, and accessibility of networks owned by various Radio Access Technologies (RATs). TS 24.302 [8] provides additional detailed analysis concerning the ANDSF functionality. Despite the fact that the use of the ANDSF module is optional [11]. Recent studies recognize the ANDSF as a vital empowering agent for productive vertical handover decision making [12, 13].

Fig. 3
figure 3

ANDSF and MS interaction

Full size image

1.2 Contributions

One of the main factors affecting handover performance in heterogeneous IEEE 802.11/LTE-A mobile cloud network, is the delay introduced by the authentication procedure when a mobile user moves between base stations (BSs). Full mobility while reducing poor QoS, is one of the biggest challenges in mobile wireless networks [14]. The re-authentication delay is the main issue of handover especially in the vertical handover, which is needed to assure secure transmission [15]. Practically, the time required to handle re-authentication is about 46% of the complete handover delay [16]. To decrease the handover latency, the re-authentication procedure must be enhanced. Therefore, many researchers are attracted to this issue. The clear lack of fast and secured authentication protocol in MCC motivated the authors to propose a novel predication-based handover authentication protocol for three handovers cases: Wi-Fi-to-LTE, LTE-to-trusted Wi-Fi and LTE-to-untrusted Wi-Fi handover. The handover prediction [17] is the process of determining the next station available for building a network with a Mobile Station (MS). The main contributions of the proposed protocol are:

  1. 1.

    Employing a handover prediction method to help MS to perform authentication for expected target stations before handover occurrence to reduce the degradation in QoS.

  2. 2.

    The proposed authentication protocol is based on symmetric key cryptosystem and Access Network Discovery and Selection Function (ANDSF) that achieves mutual authentication and reduces re-authentication delay, which introduces a high level of security without QoS degradation.

  3. 3.

    The prediction scheme is used to enhance the performance and accuracy of the proposed authentication protocol. It is used to minimize the occurrence of redundant handover and to reduce the elapsed time to establish a secure channel in case of authenticating untrusted station.

1.3 Organization of the paper

The rest of this paper is organized as follows: A brief related work of the authentication handover protocol is presented in Sect. 2. Materials and methods of the proposed protocol are presented in Sect. 3. Evaluation of the proposed scheme, simulation, and performance and security analysis are introduced in Sect. 4. Section 5 concludes the paper.

2 Related work

Many handover security protocols were introduced between 4GPP LTE and WLAN to minimize the re-authentication delays during the handover process. Broadly these protocols can be classified as symmetric encryption-based protocols and asymmetric encryption-based protocols. In most of the existing authentication protocols, there is a gap in mobile equipment as users might need to visit the authentication server and home server more than once [18, 19]. These protocols have the following limitations:

  1. 1.

    They needed redundant several sequences of challenge-response communications between the home subscriber (HSS) server and the MS; as a minimum of 4 messages flows. The visited server frequently proceeds a great re-authentication delay, as it is remote from the home server.

  2. 2.

    A bottleneck may occur in the home server because it must be consistently associated and available.

  3. 3.

    According to [20], the visited server needs to connect to the home server because it can’t authenticate message flows and can’t avoid denial of service (DoS) attack.

2.1 Symmetric encryption-based protocols

He et al. [21] introduced a smart cards handover authentication protocol for wireless communications. The main advantages of the introduced protocol are (1) single registration, (2) no password/verifier table, and (3) high efficiency in password authentication. It is simple to implement for mobile users as it only performs symmetric encryption/decryption operation. However, it suffers from some weaknesses such as lack of user-friendliness, unfairness in key agreement and attacks against the user anonymity. El Bouabidi et al. [22], introduced a secure handover re-authentication protocol between WLAN networks and 3GPP LTE. This protocol achieves mutual authentication between the Universal Mobile Telecommunications System (USIM) and HSS. It can also handle appropriate security keys between MS and appropriate WLAN. The authentication delay is the main drawback of this protocol because of the different interchanging information during the authentication process.

2.2 Asymmetric encryption-based protocols

Choi et al. [23] introduced credentials based handover authentication scheme using chameleon hashing and Diffie–Hellman key exchange. The advantages of this scheme are the offered efficient authentication technique and a robust key. However, it can’t achieve user anonymity since a user always needs to send the same credential to the AP for verification. Yang et al. [24] presented a collective authentication protocol for wireless networks. This protocol depends on the group signature. It needed three message flows between the roaming server and the distant station through the handover process. Although this protocol is able to ensure user anonymity, it neglects user un-traceability. Other drawbacks of this protocol are wasting time and increasing power consumption especially if users’ number is large. He et al. [25] analyzed a roaming protocol based on a group signature with backward unlinkability [26]. Backward unlinkability experiences a high roaming authentication cost for the roaming user. It provided each roaming user with N secret keys, where N is the system parameter. As N increases, the property of backward unlinkability becomes stronger. The introduced protocol uses group signature algorithms to authenticate users anonymously. However, it involves a huge revocation cost and requires four pairing operations and consumes a large amount of communication bandwidth since the revocation values of all revoked users should always be included in the revocation list. Sharma et al. [27, 28] presented a one-pass IP Multimedia Subsystem (IMS) authentication protocol depends on Session Initiation Protocol (SIP) procedures. Although the IMS ensures safety, the proposed protocol remains vulnerable to numerous threats such as replay and man-in-the-middle attacks. He et al. [29] proposed a novel bilinear maps based handover authentication protocol named PairHand. PairHand only requires two handshakes between an MS and an AP and does not need to transmit or verify any certificate as in traditional public-key cryptosystems. The main advantage of PaiHand is its efficiency in computation and communication. However, in mutual authentication and key establishment process, it not only takes into account the possibility that the APs are not trustworthy and may leak users’ privacy-related information. Cao et al. [30] introduced a handover authentication protocol based on integrated ID-based cryptography. This protocol ensures anonymity but is still unprotected from attackers because the user identity of the MS is delivered in a plain text form when an MS needs to authenticate handover to the target station. Another advantage of this scheme is there is no third party between mobile users and the target station in the authentication process in the handover. Although it doesn’t include any pairing procedure for access in heterogeneous networks and doesn’t ensure the user’s un-traceability. Cao et al. [31] presented a straightforward handover authentication protocol based on the enhanced proxy signature. In this protocol, mutual authentication between the MS and the expected next station is straightforwardly achieved by establishing a session key with their long-term secret keys. Sithirasenan et al. [32] presented an authentication mechanism for WLANs beyond wireless technologies such as LTE and WiMAX networks. In this mechanism, a single set of authorizations is used with each network. In some network type, it is hard to implement, because it needs to modify existing network infrastructure and mobile tools considerably. Liu et al. [33] designed a time-bound anonymous protocol to authenticate handover, especially for the nearby networks. This protocol depends on the group signature beside the time information put in the signature. Therefore, normal cancellation is combined with the mandatory cancellation of the user. However, user un-traceability isn’t yet feasible. He et al. [34] introduced a new handover authentication protocol named HashHand. The security analysis and experimental results have demonstrated that HashHand not only eliminates the security vulnerabilities of PairHand without sacrificing its merits but is also more efficient and provides a key update mechanism. However, it is leading to inefficient with regard to computation cost and cannot improve the performance of PairHand and its improved version. Degefa et al. [35] proposed a Security Enhanced Authentication and Key Agreement depends on Wireless Public Key Infrastructure (WPKI). It uses Ellipse Curve Cipher (ECC) encryption to guarantee user identity security and exchanges message with limited energy consumption. Odelu et al. [36] presented an enhanced roaming protocol to address the drawbacks found in Jo et al.’s roaming protocol [37]. It achieves the session key (SK) security along with reduced computation, communication and storage costs.

The proposed authentication protocol is based on symmetric key cryptosystem and Access Network Discovery and Selection Function (ANDSF) that achieves mutual authentication and reduces re-authentication delay, which introduces a high level of security without QoS degradation caused by public-key encryption.

3 The proposed vertical handover authentication protocol

The standard handover process is based on the transition from higher coverage, and a small bandwidth station to a larger bandwidth station with less coverage. Vertical delivery depends on switching from one network to another with a different type, such as LTE and WLAN. A well-structured handover is required to integrate different wireless access networks with each other. The re-authentication process is considered a critical issue in designing the handover protocol. It might cause an undesirable delay in real-time applications. Therefore, the re-authentication delay should be kept to its minimum.

The non-3GPP trust relationship is defined by the MS to determine which non-3GPP station will be used to initiate handover. The trust relationship may be trusted non-3GPP or un-trusted non-3GPP. It is recognized using any of the next possibilities:

  1. 1.

    The MS determines the trust relationship through the 3GPP-based access authentication if the non-3GPP required access authentication from the MS (password is required).

  2. 2.

    The MS uses information from its memory if the non-3GPP depends on a pre-defined policy with the MS.

A new MCC handover authentication protocol is proposed, considering the different architecture in handover between LTE and Wi-Fi networks. The flowchart of the proposed protocol is illustrated in Fig. 4.

Fig. 4
figure 4

A flowchart of the proposed protocol

Full size image

The assumptions of the proposed protocol are:

  1. I.

    The channel between the base station and the MC is assumed to be secure. Also, the channel between the MC and the trusted AP is secure.

  2. II.

    Before the handover operation takes place:

A pre-shared symmetric key(s) is established between each of the following using the secure channel e.g. SSL:

  1. 1.

    MC and a trusted AP which is termed as (\( K_{MC, AP} \))

  2. 2.

    MC and ANDSF which is termed as (\( K_{MC, ANDSF} \)).

  3. 3.

    ANDSF and LTE BS which is termed as (\( K_{ BS, ANDSF} \)).

  4. 4.

    MC and BS which is termed as (\( K_{MC, BS} \)).

Each AP has a unique ID and each LTE provider has a unique ID, so MC can easily identify and connect to Wi-Fi AP and ANDSF. Table 1 shows the notations used in the proposed protocol.

Table 1 Notations
Full size table

The proposed protocol consists of three phases: initial entry, handover decision, and handover authentication phases. Each one of these phases will be explained in the next sections. It is assumed that the MC can visit the same BS/AP more than once, so in the proposed protocol, a table called Key Tracking Table (KTT) is provided with information about MC login history including the identity of the mobile cloud, current \( AP_{ID} \)/\( BS_{ID} \), visited \( AP_{ID} \)/\( BS_{ID} \), and time to live for key expiration time T. The KTT will be stored in both MC and ANDSF. The information in that table is used to reduce the time for re-calculating the symmetric key (\( K_{MC'} \)) used for authenticating previous visited \( AP_{i} \)/\( BS_{i} \).

3.1 Case I: Handover from Wi-Fi to LTE

If the MS moves away from the serving station (here WLAN AP), the radio signal strength is reduced beyond the threshold and the data flow might cut off. In order to continue data transfer, the MS initiates a handoff request to the neighboring station (here LTE eNode). The proposed Wi-Fi to LTE authentication protocol is explained in the next sub-sections.

3.1.1 Initial entry phase

During the initial entry phase, MC generates a shared symmetric key \( K_{MC} \) and sends it along with \( MC_{ID} \) to both Wi-Fi AP (encrypted by \( K_{MC, AP} \)), and to ANDSF (encrypted by \( K_{MC, ANDSF} \)).

3.1.2 Handover decision

The ANDSF is responsible for the process of discovery and selection of the LTE network, so it always scans the area for an available network(s). After receiving \( K_{MC} \) and \( MC_{ID} \) from MC; the ANDSF will:

  • Generate a random number \( r_{1} \).

  • Compute \( K_{{MC^{'} }} \), which is a symmetric key that will be used to authenticate the target \( BS_{i} \), using Eq. 1

    $$ K_{{MC^{'} }} = H( K_{MC} , r_{1} , MC_{ID} ) $$
    (1)

    .

  • ANDSF sends the term (\( K_{{MC^{'} }} \), \( r_{1} \), \( MC_{ID} \)) encrypted by \( K_{ANDSF, BS} \)

3.1.3 Vertical handover authentication phase

After HO decision is made and ANDSF selects the appropriate \( BS_{i} \), the selected base station, \( BS_{i} \), sends the random value \( r_{1} , \) to MC. The mutual authentication between MC and \( BS_{i} \) is as follows:

  1. 1.

    MC Compute \( s K_{{MC^{ '} }} \) using Eq. (1).

  2. 2.

    MC Encrypt the random number \( r_{1} , \) using \( K_{{MC^{{\prime }} }} \).

  3. 3.

    MC Generate a new random number \( r_{2} \).

  4. 4.

    MC Send both \( r_{2} \) and the encrypted \( r_{1} \) to \( BS_{i} \).

  5. 5.

    After receiving the message from MC, \( BS_{i} \) decrypts the message to get the \( r_{1} \) and checks If \( r_{1} \)(BS) = \( r_{1} \) (MC), then the MC is authenticated by BS. Else, BS rejects the MC.

  6. 6.

    If MC is authenticated, \( BS_{i} \) encrypts the random number \( r_{2} \) using.

  7. 7.

    \( K_{{MC^{'} }} \) and sends the encrypted value to MC.

  8. 8.

    MC decrypts \( E_{{K_{{MC^{'} }} }} (r_{2} ) \) and checks if \( r_{2} \)(MC) = \( r_{2} \)(\( BS_{i} \)), so mutual authentication is completed, otherwise, MC refuse the \( BS_{i} \).

After mutual authentication is achieved between the MC and the selected BS, MC can transfer network data flow from Wi-Fi AP to the LTE network. An illustration of the proposed Wi-Fi to LTE authentication protocol is shown in Fig. 5. A pseudo-code of the proposed protocol is presented in Algorithm 1.

figure e
Fig. 5
figure 5

Illustration of the proposed Wi-Fi to LTE authentication protocol

Full size image

3.2 Case II: Handover from LTE BS to trusted Wi-Fi AP

3.2.1 Initial entry phase

  1. 1.

    MC generates a shared symmetric key \( K_{MC} \)

  2. 2.

    MC sends both \( MC_{ID} \) and \( K_{MC} \) encrypted by \( K_{MC, BS} \) to BS.

  3. 3.

    Then BS sends \( K_{MC} \) to ANDSF along with \( MC_{ID} \) encrypted by the shared key (\( K_{ BS, ANDSF} \)).

3.2.2 Handover decision

After ANDSF receives [\( K_{MC} \),\( MC_{ID} \)] from MC:

  1. 1.

    ANDSF generate a random number \( r_{1} , \) and computes \( K_{{MC^{'} }} \).

  2. 2.

    ANDSF establishes a shared key between it and the selected trusted AP \( K_{{ANDSF, AP_{i} }} \).

  3. 3.

    Then ANDSF sends the term (\( K_{{MC^{'} }} \),\( r_{1} \), \( MC_{ID} \)) encrypted by \( K_{{ANDSF, AP_{i} }} \) to selected AP.

3.2.3 Vertical handover authentication phase

After HO decision is made and ANDSF selects \( AP_{i} \). \( AP_{i} \) sends the random value (\( r_{1} \)) to MC to calculate \( K_{{MC^{'} }} \), to start mutual authentication between MC and \( AP_{i} \).

  1. 1.

    MC encrypts the random number \( r_{1} \) using \( K_{{MC^{ '} }} \) and generates a new random number \( r_{2} \).

  2. 2.

    Then MC sends the encrypted \( r_{1} \) and the random number \( r_{2} \) to \( AP_{i} \).

  3. 3.

    After receiving the message from MC, \( AP_{i} \) decrypts the message to get the value of the random number r1 and checks if \( r_{1} \)(MC) = \( r_{1} \)(AP) then the MC is authenticated, else the authentication is terminated.

  4. 4.

    If the MC is authenticated.\( AP_{i } \) encrypts the value of \( r_{2} \) using \( K_{{MC^{'} }} \), and sends it to MC.

  5. 5.

    MC decrypts \( E_{{K_{{MC^{'} }} }} (r_{2} ) \) and checks if \( r_{2} \) (MC) = \( r_{2} \) (\( AP_{i} \)) to finish the mutual authentication, otherwise, MC rejects \( AP_{i} \).

After mutual authentication is achieved, MC can transfer network data flow from the LTE network to Wi-Fi AP. Figure 6 illustrates the proposed protocol. A pseudo-code for the proposed protocol is presented in Algorithm 2.

figure f
Fig. 6
figure 6

Illustration for proposed LTE to trusted Wi-Fi authentication protocol

Full size image

3.3 Case III: Handover From LTE to untrusted Wi-Fi

In this case, MC discovers an untrusted Wi-Fi connection and wants to initiate handover to this station. Before connecting to the new station, MC must first authenticate it for a secure connection. In other words, it must create a secure channel to secure the data flow to the untrusted station. IP-sec [38] is the most common way to establish this secure channel. The main disadvantage of IP-sec is taking a long time to execute, approximately 1 s. Therefore, a handover prediction scheme is introduced to predict the next station so that the secure channel can be established before the handover condition is met.

3.3.1 The proposed handover prediction scheme

The benefit of handover prediction is to reduce the intrusion in hard handover and accomplishment of the perfect variety set size in the soft handover case. In the case that an appropriate and proficient handover prediction is achieved, redundant handover’ numbers (unnecessary handover) can be minimized. Numerous techniques can be applied for minimizing the redundant handover’ numbers; like Hysteresis Margin HM [39] and Time-To-Trigger (TTT) [40]. All techniques depend on postponing the handover for a pre-defined period of time. The use of these methods for prediction purposes does not need to take care of overhead since the components are already aggregate in MAC administration messages. Hence, these parameters are passed on inside the network paying little mind to whether MS uses the prediction information or not [41].

The proposed technique is based on continuously reporting the quality of the signal (channel) coming from the network in MS’s scanning process. In the HM case, a comparison of one or numerous signal parameters between the current and predicted station is performed. The decision and initiation of the handover process are dependent on that comparison. Once the signal factor of the predicted objective station surpasses the signal factor of the current in addition to HM, the handover is started. As particular by the accompanying condition:

$$ S_{i}^{\Pr ed} > S_{i}^{Ser} + HM $$
(2)

where \( S_{i}^{\Pr ed} \) and \( S_{i}^{Ser} \) denote the signal, quality factors of the predicted target and current serving station correspondingly. Mobile networks can detect and correct three types of triggering TTT issues (too early, too late, and to a wrong cell) supported by Mobility robustness optimization. Several techniques are proposed from researchers to improve the operation of handover triggering, avoiding these three types of issues, and decreasing the false handover warnings. Traditional handover triggering techniques are generally based on RSS from the current station \( BS_{s} \)/\( AP_{s} \) [41, 42].

The proposed development depends on the description of two independent thresholds. The first threshold \( HO\_thrSer_{X,Y} \) defines the received signal level by the MS from the current station \( BS_{s} \)/\( AP_{s} \), although another threshold \( HO\_thr\Pr ed_{X,Y} \) defines the measured signal level by the MS from the possible prediction objective \( BS_{s} \)/\( AP_{s} \).

If RSSI of the serving station \( BS_{s} \)/\( AP_{s} \) descents under \( HO\_thrSer_{X,Y} \) and concurrently the RSSI of a nearby \( BS_{s} \)/\( AP_{s} \) surpasses \( HO\_thr\Pr ed_{X,Y} \), the prediction conclusion is the probability of MS handover from \( BSx/APx \) to \( BSy/APy \). As a result, \( BSy/APy \) is considered as the predicted objective \( BS_{s} \)/\( AP_{s} \). The average of few past signal levels prompting the handover beginning is computed which used to decide the mean estimations of the ordinary thresholds for the handover. Necessary RSSI samples number is determined, which is the purpose of the examination to be specified additionally in this proposed protocol. The following equations define the mean thresholds.

$$ avg\_HO\_thrSer_{X,Y} = \frac{1}{{HO_{{BS_{Y} ,BS_{X} }} }}\sum\limits_{i = 1}^{{HO_{{BS_{X} ,BS_{Y} }} }} {RSSI_{{MS,BS_{X} }}^{{HO_{i} }} } $$
(3)
$$ avg\_HO\_thr\Pr ed_{X,Y} = \frac{1}{{HO_{{BS_{Y} ,BS_{X} }} }}\sum\limits_{i = 1}^{{HO_{{BS_{X} ,BS_{Y} }} }} {RSSI_{{MS,BS_{Y} }}^{{HO_{i} }} } $$
(4)

where \( HO_{{BS_{X} ,BS_{Y} }} \) is the number of handovers that happened among the current serving \( BS_{s} \)/\( AP_{s} \) and the possible target \( BS_{s} \)/\( AP_{s} \) through the observed time period. \( RSSI_{{MS,BS_{X} }}^{{HO_{i} }} \) and \( RSSI_{{MS,BS_{Y} }}^{{HO_{i} }} \) are RSSIs received from \( BSx/APx \) and \( BSy/APy \) correspondingly at the instant time, and Index I states the separate handover occurrence.

The MS may reach to an area where more than one possible target \( BS_{s} \)/\( AP_{s} \) satisfies prediction conditions, a few techniques for the assurance of the absolute most probable target \( BS_{s} \)/\( AP_{s} \) to be very much characterized. This technique relies upon the computation of the most minimal contrast between the two thresholds (\( HO\_thrSer_{X,Y} \), \( HO\_thr\Pr ed_{X,Y} \)) and the present (\( RSSI_{{MS,BS_{X} }} \) and \( RSSI_{{MS,BS_{Y} }} \)) correspondingly.

figure g

This is performed for all likely targets \( BS_{s} \)/\( AP_{s} \). These stations are recorded in \( ListPred(BS_{s} /AP_{s} ) \). The predicted target \( BS_{s} \)/\( AP_{s} \) is the determination of the predicted target \( BS_{s} \)/\( AP_{s} \), it is performed according to the output of the following equation:

$$ DiffBS_{X} ,BS_{Y} = |avg\_HO\_thrSer_{X,Y} - RSSI_{{MS,BS_{X} }} | + |avg\_HO\_thr\Pr ed_{X,Y} - RSSI_{{MS,BS_{Y} }} | $$
(5)

The \( BS_{s} \)/\( AP_{s} \) with the lowest (\( DiffBS_{X} ,BS_{Y} \)) is determined as the predicted target \( BS_{s} \)/\( AP_{s} \), as shown in the following equation.

$$ \Pr edTar(BS_{s} /AP_{s} ) = \hbox{min} (ListPred(BS_{s} /AP_{s} )) $$
(6)

The advantages of the proposed PHO process are that it increases the efficiency of the proposed authentication protocol without adding any overhead to the authentication process. Algorithm 3 illustrates the proposed PHO. The proposed protocol from LTE 3GPP to untrusted Wi-Fi is described in 3 phases, initial entry, HO Decision, and HO authentication.

3.3.2 Initial entry phase

After MC generates the shared symmetric key \( K_{MC} \) and sends both \( MC_{ID} \) and \( K_{MC} \) encrypted by (\( K_{MC, BS} \)) to BS, BS sends \( K_{MC} \) to ANDSF along with \( MC_{ID} \) encrypted by the shared key \( K_{ BS, ANDSF} \)

  1. 1.

    MC generates a shared symmetric key \( K_{MC} \).

  2. 2.

    MC sends both \( MC_{ID} \) and \( K_{MC} \) encrypted by \( K_{MC, BS} \) to BS.

  3. 3.

    Then BS sends \( K_{MC} \) to ANDSF along with \( MC_{ID} \) encrypted by the shared key (\( K_{ BS, ANDSF} \)).

3.3.3 Handover decision phase

When the BS signal comes under a predefined threshold, the prediction handover scheme begins. After PHO predicts the untrusted target AP station, ANDSF will start a key agreement with this AP to create a secure channel between the expected AP and ANDSF. Then ANDSF generate \( K_{{ANDSF, AP_{i} }} \) and sends it to the predicted \( AP_{i} \). Thus, there is a secure channel between ANDSF and predicted \( AP_{i} \).

3.3.4 Vertical handover authentication phase

The remaining steps will be performed for the authentication phase as documented in the trusted Wi-Fi to LTE protocol. The diagram of the proposed authentication protocol and the algorithm are presented as shown in Fig. 7 and Algorithm 4 respectively.

figure h
Fig. 7
figure 7

Illustration for proposed LTE to untrusted Wi-Fi authentication protocol

Full size image

4 Evaluation of the proposed protocol

4.1 Simulation scenario

The random waypoint mobility model (RWPMM) [49] is utilized as a movement manner of all mobile stations. The LTE base stations are structured in a regular mode with the same height and the same level of transmitting power. The access points (Wi-Fi) are structured in a random manner using the same transmitting power and the same height. The simulation parameters’ variables and their ranges are shown in Table 2. The urban macrocell path loss model [43] is used to calculate the RSSI level for the mobile stations and the neighboring stations. In the simulation, we used an MS speed in a random interval from 2 to 10 m/s. The proposed handover prediction schemes are evaluated by using MATLAB16 within different areas. The positions of all MSs and \( APs \) are produced in a random manner.

Table 2 Simulation parameter
Full size table

4.2 Simulation results

The time between the prediction of a station and the handover occurrence (PHO_Time) is monitored and compared to the time it took to establish a secure channel (VHO_Time). The PHO_Time is listed in Table 3 and illustrated in Fig. 8. According to the simulation results, the handover the minimum prediction time is 1.8 s which is greater than the time required to perform a complete EAP/TLS authentication, which is about 1000 ms [44]. After running the simulation and monitoring PHO_Time and VHO_Time under different conditions, the value of PHO_Time is more than VHO_Time, so there is enough time to create the secure channel before handover, so the MC can authenticate the untrusted AP without having trouble creating the secure channel using a key agreement.

Table 3 Values of PHO-Time
Full size table
Fig. 8
figure 8

Comparison between PHO_Time and VHO_Time

Full size image

The relation between the MS’ speed and success percentage of the prediction scheme is illustrated in Fig. 9 with HM = 5 and MS’ speed = 2, 4, 6, 8 and 10. The success percentage is 96% in an MS’ speed = 2 which is a realistic result because the possibility of delivery from one station to another is reduced as the MS moves at low speed. In most cases, the predicted station is the station with the highest success ratio. Moreover, increasing MS’s speed will reduce the accuracy of the prediction scheme due to a large number of handovers that occur and the short time between each handover. Even though, the proposed scheme accomplishes a success ratio of more than 89% with high MS speed = 10 m/s with large HM value.

Fig. 9
figure 9

Success percentage of the prediction scheme

Full size image

The relationship between the number of handovers occurred and different MS’ speeds are illustrated in Fig. 10. It is observed that the relationship between the number of handovers and the speed of MS is proportional. The optimum case with the smallest number of handovers occurred at MS’ speed = 2. Increasing the MS’ speed with high HM = 5 increasing the number of handovers. The number of handovers occurred during the simulation period is monitored to recognize the effect of the proposed prediction scheme on the number of handovers an MS might do. The proposed scheme decreases the number of handovers by 50% when compared to the handover without any prediction.

Fig. 10
figure 10

Number of handovers (with and without prediction) at different speeds

Full size image

4.3 Performance analysis

A comparison of the proposed protocol with the existing authentication protocols is presented in Table 4, in terms of user cryptography operations, parties number, user anonymity [45], un-traceability [46], and communication overhead [47]. Communication overhead is the handover time in the authentication procedure and key distribution process. The communication cost between the MC and AP/BS is labeled as \( \alpha \) and the expected cost of authentication message between AP/BS and ANDSF is \( \beta \). As shown in the Table 4 the user cryptography operation needed for the proposed handover authentication protocol is only one hash and 2 symmetric key operations which takes less time to compute with more security added from both hash and symmetric cryptography. The proposed protocol requires only two parities (MCC and AP/BS). An authentication server that added extra load and time to the authentication process is not required in the proposed protocol. Therefore, it needed only 3 message flow in the authentication process from the MCC and the authenticated AP/BS. The main advantages of the proposed handover authentication protocol are:

Table 4 Performance comparison
Full size table

  • Reduced bandwidth consumption: The proposed protocol does not require any sequence number synchronization SQN among the MC and LTE network, which used to decrease bandwidth consumption. In addition, confidential identities for MC and MS can give the ability to reduce bandwidth usage, since the client identity should not be requested again as in EAP-AKA.

Reduced authentication delay: The time it takes for a process to complete the authentication procedure is the authentication delay. Handover delay is monitored between LTE and WLAN and the average value is calculated in different situations and it is found to be approximately 3.408 s. The total authentication time is monitored, and the result is 1.568 s which costs 46% of the full delivery delay. The proposed protocol uses only symmetric encryption operation in the authentication process which presents a delay lower than the usual EAP-AKA and Fast EAP-AKA [29, 48].

4.4 Security analysis

Many authentication protocols are sensitive against some kind of attacks such as impersonation attack [49], replay attack [50, 51], and data leakage attack [52, 53].

  • Impersonation attack: an attacker assumes the identity of one of the legitimate parties in a communication protocol.

  • Replay attack: an attacker might use an old authentication challenge-response to respond to a new authentication challenge.

  • Data leakage attack: an attacker might reveal sensitive data during the authentication process.

As mentioned above, there are three handover cases performed by the MC: (1) From Wi-Fi to LTE, 2) From LTE to trusted Wi-Fi, (3) From LTE to untrusted Wi-Fi. The first two cases are secured due to the assumption that the channel between the base station and the MC and the channel between the MC and the trusted AP are secure. As for the third case, we initiate a scenario game to prove that the proposed vertical authentication protocol is secure against the mentioned attacks. The game is conducted as follows:

  • Initial entry: MC generates a shared symmetric key \( {\text{K}}_{\text{MC}} \) and sends both \( {\text{MC}}_{\text{ID}} \) and \( {\text{K}}_{\text{MC}} \) encrypted by \( {\text{K}}_{{{\text{MC}}, {\text{BS}}}} \) to BS. Then, BS sends \( {\text{K}}_{\text{MC}} \) to ANDSF along with the \( {\text{MC}}_{\text{ID}} \) encrypted by the shared key \( K_{BS,ANDSF} \)

  • Handover decision: ANDSF predicts the untrusted target \( {\text{AP}}_{\text{i}} \) and perform a key agreement through an SSL channel between the predicted \( {\text{AP}}_{\text{i}} \) and the ANDSF.

  • Authentication: After the handover, the decision has been taken for selecting the appropriate \( {\text{AP}}_{\text{i}} \). The MC and the selected \( {\text{AP}}_{\text{i}} \) starts to authenticate each other before transferring any data. The \( {\text{AP}}_{\text{i}} \) sends a random value (\( {\text{r}}_{1} \)) to the MC in order to compute the \( {\text{K}}_{{{\text{MC}}^{ '} }} \). Then, the MC encrypts the random number \( {\text{r}}_{1} \) using \( {\text{the}}\,{\text{computed}}\,{\text{K}}_{{MC^{{\prime }} }} \) and sends it along with another random number \( r_{2} \) to \( {\text{AP}}_{\text{i}} \). The \( {\text{AP}}_{\text{i}} \) decrypts the message to check the validity of r1, if it is valid then the MC is authenticated, else the authentication is terminated.

  • Forge: If the MC is authenticated, an attacker can send a valid authentication response in an attempt to deceive the MC.

  • Output: MC verifies the authentication response to finish the mutual authentication. An attacker wins the game if it was a valid response.

The proposed vertical authentication protocol is proved to be secure under the above security model as follows:

Theorem 1

An attacker cannot intercept the communication and impersonate the MC or the\( {\text{AP}}_{\text{i}} \).

Proof

Initial entry: MC generates a shared symmetric key \( {\text{K}}_{\text{MC}} \) and sends both \( {\text{MC}}_{\text{ID}} \) and \( {\text{K}}_{\text{MC}} \) encrypted by \( {\text{K}}_{{{\text{MC}}, {\text{BS}}}} \) to BS. Then, BS sends \( {\text{K}}_{\text{MC}} \) to ANDSF along with the \( {\text{MC}}_{\text{ID}} \) encrypted by the shared key (\( K_{BS,ANDSF} \)).

Handover decision: ANDSF predicts the untrusted target \( {\text{AP}}_{\text{i}} \) and sends \( {\text{K}}_{{{\text{ANDSF}}, {\text{AP}}_{\text{i}} }} \) to it through an SSL channel between the predicted \( {\text{AP}}_{\text{i}} \) and the ANDSF. Therefore, there is no chance for an impersonation attack to occur as all the channels between the parties are secured by using the SSL connection.□

Theorem 2

An untrusted \( {\text{AP}}_{\text{i}} \) cannot use an old authentication challenge-response to respond to a new authentication challenge.

Proof

Authentication: After the handover, the decision has been taken for selecting the appropriate \( {\text{AP}}_{\text{i}} \). \( {\text{The AP}}_{\text{i}} \) sends a random value (\( {\text{r}}_{1} \)) to the MC in order to compute the \( {\text{K}}_{{{\text{MC}}^{ '} }} \). Then, the MC encrypts the random number \( {\text{r}}_{1} \) using \( {\text{the computed K}}_{{{\text{MC}}^{ '} }} \) and sends it along with another random number \( r_{2} \) to \( {\text{AP}}_{\text{i}} \). \( {\text{The AP}}_{\text{i}} \) decrypts the message to check the validity of r1, if it is valid then the MC is authenticated, else the authentication is terminated.

Forge: If the MC is authenticated, the \( {\text{AP}}_{\text{i }} \) sends backs the encrypted value of \( {\text{r}}_{2} \) using \( {\text{K}}_{{{\text{MC}}^{ '} }} \), and caches it in order to deceive the MC in the future authentication challenges. Finally, the MC decrypts \( {\text{E}}_{{{\text{K}}_{{{\text{MC}}^{ '} }} }} ({\text{r}}_{2} ) \) to finish the mutual authentication.

Output: Each authentication challenge is independent of the previous challenges. In other words, each challenge is performed with different random numbers. In the next authentication challenge, new random numbers will be generated. Therefore, if the untrusted \( {\text{AP}}_{\text{i }} \) retrieved the cached value of \( {\text{r}}_{2} \,{\text{and}}\,{\text{sent}}\,{\text{it}}\,{\text{to}}\,{\text{the}}\,{\text{MC}} \). The MC will decrypt \( {\text{E}}_{{{\text{K}}_{{{\text{MC}}^{ '} }} }} ({\text{r}}_{2} ) \) to find that it is extremely unlikely to be equal to the newly generated random number. Hence, the untrusted \( {\text{AP}}_{\text{i }} \) cannot deceive the MC.□

Theorem 3

An attacker cannot access any sensitive and protected data.

Proof

In the proposed protocol, all sensitive data are encrypted using a strong symmetric encryption algorithm and a hash function. In addition, the MC and the ANDSF continuously create new keys during a predefined time period. Therefore, any unauthorized access to any secret keys or sensitive data is impossible to occur in the proposed protocol.□

5 Conclusion

A new handover authentication protocol for Mobile Cloud Computing paradigm is proposed in this paper. The proposed protocol is based on symmetric-key cryptography and a hash function. The use of the symmetric key cryptosystem and the Hash function to provide a secure connection between LTE and WLAN AP provides similar security features and uses fewer resources than general cryptographic systems with certificates. Thus, the proposed protocol has a lower overhead than the current protocols that rely on public-key cryptosystems with certificates. The proposed protocol provides benefits such as being secure against a number of common attacks like man-in-the-middle attack and replay attack, providing mutual authentication, key confidentiality, robust security, and efficiency. The security and performance analysis shows that the proposed protocol minimizes bandwidth consumption and authentication delay. Hence, using the prediction scheme solves the problematic issue of establishing a secure channel in authenticating untrusted networks without adding any overhead. With these advantages, the new proposal protocol is believed to provide a comprehensive solution to handoff in MCC.