a lightweight and secure group key based handover

1536-1276 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TWC.2020.2975781, IEEETransactions on Wireless Communications

1

A Lightweight and Secure Group Key BasedHandover Authentication Protocol for the

Software-defined Space Information NetworkKaiping Xue, Senior Member, IEEE, Huancheng Zhou, Wei Meng, David S.L. Wei, Senior Member, IEEE,

Mohsen Guizani, Fellow, IEEE

Abstract—With rapid advances in satellite technology, spaceinformation network (SIN) has been proposed to meet theincreasing demands of ubiquitous mobile communication due toits advantages in providing extensive access services. However,due to satellites’ resource constraint and SIN’s highly dynamictopology, it poses a challenge on management and resourceutilization in the development of SIN. There have been someworks integrating the software defined network (SDN) into SIN,defined as software defined space information network (SD-SIN), so as to simplify the management and improve resourceutilization in SIN. However, these works ignore the security issuein SD-SIN. Meanwhile, the existing security mechanisms in SDNare still unable to cope with the uniqueness of satellite network,and some other critical security issues still haven’t yet been welladdressed. In this paper, based on (t, n) secret sharing, an SIN-specific lightweight group key agreement protocol is proposed forSD-SIN to ensure both the security and applicability. Moreover,considering the highly dynamic network topology, we also designa group key-based secure handover authentication scheme toreduce the overhead of handover authentication. Security analysisshows that the handover authentication protocol can resistto various known attacks. In addition, further performanceevaluation shows its efficiency in terms of computation andcommunication overheads. Finally, the simulation results ofcomputing overhead to the network entities demonstrate thatour protocol is feasible in practical implementation.

Index Terms—Space Information Network, Software-definedNetworking, Group Key Agreement, Handover Authentication.

I. INTRODUCTION

W ITH rapid advances in satellite technology, SpaceInformation Network (SIN) is a promising network

architecture for providing large-scale coverage as well as highdata-rate transmission. Compared with the tradition terrestrialnetwork, SIN can overcome the shortage of geographiclimitation and provide more flexible and ubiquitous accessservices [1–3]. However, the security risks in SIN becomemore serious than those in traditional networks due to itsdistinctive structural features. Firstly, the highly exposedsatellite-ground links and inter-satellite links in SIN makeit vulnerable for adversaries to launch various attacks [4].

K. Xue, H. Zhou and W. Meng are with Department of ElectronicEngineering and Information Science, University of Science and Technologyof China, Hefei 230027, China.

D. Wei is with the Computer and Information Science Department,Fordham University, NY 10458, USA.

M. Guizani is with the Department of Computer Science and Collegeof Engineering, Qatar University, 2713 Doha, Al Tarfa, Qatar.

Corresponding Author: K. Xue (e-mail: [email protected])

Secondly, the dynamic network topology makes mobile usershand over frequently during accessto SIN [5]. Finally, thelimited computation capacity of entities in SIN makes itdifficult to effectively execute highly complex algorithms.Therefore, it is essential to design some efficient securitymechanisms to ensure secure communications in the SIN.

Meanwhile, the resource constraint of satellites and SIN’shighly dynamic network topology have posed a challengeon the development of SIN. Software defined networking(SDN) technology has been integrated into SIN, e.g., [6–9], defined as software defined space information network(SD-SIN), to simplify the management and improve resourceutilization in SIN. SDN technology, in which the data planeand control plane are decoupled, enables a network to beprogrammable and in turn simplifies the network management[10]. It has thus been attracting the attention of researchersand practitioners from academia and industry, respectively.The separation of control plane from data plane in SDNenables it to simplify network operations, which makesthe implementation of new protocols and functions easier.Meanwhile, it enables the control of network flows to beelastic, and is thus able to monitor network status more easily.Therefore, there are increasing interests in deploying SDNswitches in traditional or emerging networks [11–13]. Byadopting the SDN technology in SIN, low orbit satellites inSIN act as SDN switches, and they just need to follow dataforwarding instructions issued from a logically centralizedcontroller. This way, it can greatly reduce hardware costs,and lower computation and signaling interaction overheads.According to the strategy of network management center,the controller can dynamically adjust network resources toimprove the flexibility of resource utilization and service.

Although SDN technology with the centralized controlmechanism and the open programming interface enhancethe flexibility of management and operation in SIN, it alsoprovides various opportunities for attackers, which make SD-SIN security protection much more challenging. In SDN,whether and when an information flow goes through asecurity device are determined by the flow rules issued bythe controller. If an attacker can forge flow rules set bythe controller, he/she will be able to control the path ofnetwork traffic and bypass various security devices deployedin SDN. Therefore, the key agreement technology is essentialfor SDN to establish secure channels between the controllerand switches to protect information flows in software defined

This is the author's version of an article that has been published in this journal. Changes were made to this version by the publisher prior to publication.The final version of record is available at http://dx.doi.org/10.1109/TWC.2020.2975781

Copyright (c) 2020 IEEE. Personal use is permitted. For any other purposes, permission must be obtained from the IEEE by emailing [email protected] licensed use limited to: University of Science and Technology of China. Downloaded on March 01,2020 at 03:01:23 UTC from IEEE Xplore. Restrictions apply.



2

space information network (SD-SIN). It is not hard to see thatkey agreement is also a significant technology to guaranteethe confidentiality in the broadcast communication of SIN.However, the existing security mechanisms in SDN, e.g., SSL,IPSec, are unable to cope with the uniqueness of satellitenetwork, especially when the key management problem isinvolved. Meanwhile, some other critical security issues stillhaven’t yet been well addressed. For example, due to theever-changing network topology and intermittent physicallink, satellite nodes have to reestablish secure channel witheach other frequently, resulting in intolerably heavy handoveroverhead. Actually, entities in SD-SIN can be divided intodifferent categories so as to complete the specific tasksaccording to their respective functions, missions, and soon [14, 15]. For ensuring the confidentiality in the groupcommunication, group key agreement (GKA) protocols forSIN, used to establish a consistent group session key withina group, should also be well studied. The established groupkey can be used to protect the signaling messages and datatransmission within the group, thus ensuring the confidentialityof information flows in SD-SIN. However, the features of adynamic topology and the increasing number of satellite nodesin SIN pose a lot of challenges in designing GKA schemes.Most of the existing GKA protocols for traditional wirelessnetworks, e.g., [16–20], are not suitable for SD-SIN, and someGKA protocols proposed for SIN, [21–24], have been designedto be implemented in the application layers without taking thetopological features of satellite networks into consideration.Meanwhile, the existing handover authentication schemesproposed for traditional networks cannot be directly used inSIN, as there is a great difference in structure between SINsand other traditional wireless networks.

The handover mechanisms (e.g., spotbeam handover, inter-satellite links handover) in SIN have been surveyed extensivelyin literatures [8, 25]. Moreover, some literatures, e.g., [8],have introduced SDN into SIN to realize seamless handoverto improve the overall quality of service (QoS). However, thesecurity issues during the handover process have not receivedmuch attention so far. The handover authentication is stilla fundamental security mechanism to provide seamless andsecure access service for mobiles users in SIN. Although therehave been quite a few handover authentication protocols forthe traditional wireless networks, they are unable to work wellin SIN networks due to the characteristics of long time delayfor terrestrial transmission, highly dynamic of links, frequenthandover, etc. Therefore, it is very essential to design anefficient and secure handover authentication scheme for SIN.

In this paper, to address the above mentioned challengesfor the SD-SIN scenario, we present a lightweight group keyagreement protocol based on the secret sharing technology,which is applicable to SD-SIN by taking the advantage ofSDN. Meanwhile, the negotiated group key can also be usedto protect signaling interactions in SD-SIN. The proposedgroup key agreement protocol is completed with the assistanceof the controller in Geosynchronous Earth Orbit (GEO)satellites to implement the negotiation of the group key. Then,we design an SDN-enabled handover authentication basedon the group key shared between the satellites to provide

access services to reduce the redundant authentication processimplemented across different satellites. Our contributions canbe summarized as follows:◦ We propose a secure SD-SIN architecture, in which a

lightweight SIN-specific group key agreement protocolbased on the secret sharing technology is proposed to ensureboth of the security and applicability.◦ Considering the highly dynamic network topology in

SD-SIN, we design a group key-based secure handoverauthentication scheme to reduce the overhead of handoverauthentication.◦ We formally analyze the security strength and conduct

experiments by means of algorithm implementation andnetwork analysis. The results show the superiority of ourscheme in security and efficiency to the existing works.The rest of this paper is organized as follows. In Section II,

the related work is discussed. We introduce the systemmodel, security assumption, design goals, and the overviewof our scheme in Section III. In Section IV and Section V,we respectively describe the proposed group key agreementprotocol and handover authentication protocol in details. Then,security evaluation and performance analysis are presented inSection VI and Section VII, respectively. Finally, the paper isconcluded in Section VIII.

II. RELATED WORK

A. The Group Key Agreement Protocol

In group broadcast communication, group key agreementprotocol (GKA) has a wide range of applications. GKAguarantees secure communication between group members.The traditional GKA let all group members negotiate asymmetric group key together and then use the key toencrypt and decrypt messages sent among the group members.In recent years, some protocols have been proposed toestablish a group key for the group communication in differentnetwork scenarios. These protocols can be classified into twocategories: 1) Centralized GKA: A group key generation centeris introduced to manage the entire group, distribute group keysand implement key updating; 2) Distributed GKA: Each groupmember can contribute to key generation and distributionwithout the involvement of a group key generation center.

Many distributed GKA schemes, e.g., [26], are introducedto different network environments and they are able to removethe single point bottleneck, but they are not suitable forthe network scenarios where the communication capacity islimited. Meanwhile, in distributed GKA schemes, the overalloverhead of the system is much heavier, and moreover thedesign and operation of the scheme depend on the topologyof the specific network. In comparison, centralized GKAprotocols are more widely used in various wireless networkscenarios [16, 19, 20], where the computational complexityand communication overhead introduced by key managementis lower from the perspective of the group participants.However, the centralized key management center usually hasmuch heavier computational complexity and communicationoverhead. To be noted, most of the existing GKA protocols,e.g., [16–20], that are suitable for various traditional wireless





3

network scenarios, are unable to work well in SD-SIN dueto its specific characteristics, including limited resources,existence of long delay links, and dynamic network topologies.

In recent years, a few GKA schemes for satellite networkshave been proposed [21–24]. For satellite multicast, Howarthet al. [21] straightly introduced the existing logical-key-hierarchy (LKH) based GKA, where end users are placedin one branch of the LKH tree, and the satellite terminalsor gateways are located in another branch. In this scheme,satellites are transparent relays at the physical communicationslevel and do not participate in the group key agreementprocess. Wang et al. [22] proposed an identity-based GKAprotocol for SIN, which supports members’ dynamic joiningand leaving, but it introduces some expensive operations, e.g.,bilinear pairing operations, to the cluster head. The schemesin literatures [23, 24] belong to distributed GKA schemeswith the hierarchical characteristic, both of which haven’tconsidered the topological details of SIN. In addition, in [23],group members are primarily ground gateways and users. Insummary, the issues considered in these schemes are quitedifferent from those considered in our work.

In SD-SIN, high-orbit satellites act as SDN controller nodes,while low-orbit satellites act as SDN switch nodes. Therefore,one high-orbit satellite together with some low-orbit satellitescan form a communication group. Aiming at this groupcommunication and jointly considering the characteristics ofnetwork topology in SD-SIN, it is necessary to propose a moresuitable and efficient group key scheme. In a group, both thecontrol messages on the control plane and transmitted dataon the data plane can be protected by the group key and itssubsequent derivations. As far as we know, there is still noeffective and efficient GKA scheme proposed for SD-SIN.

B. Handover Authentication in Mobile Networks and SIN

Handover authentication is always an important issueof mobile communication networks, which ensures mobileusers to seamlessly and securely hand over across multipleaccess points. In 5G standardization, the mechanism designof handover authentication is still in the process ofprotocol standardization [27, 28]. Recently, in academia,many handover authentication protocols by adopting differenttechniques have been proposed for different mobile/wirelessnetwork environments.

Choi et al. [29] proposed an hash chain based handoverauthentication scheme. However, the scheme requires a certainamount of storage overhead, and it’s hard to synchronizehash values between the two ends of conducting mutualauthentication. For the machine-type communication scenariomentioned in the 3GPP standard, Lai et al. [30] proposed a3GPP to Wimax network roaming scheme, including handoverauthentication and security channel establishment. Consideringhandover between different types of access points on LTEnetwork, Cao et al. [31] proposed a lightweight handoverauthentication scheme based on context transfer betweenMMEs (Mobility Management Entity). He et al. [32] proposeda lightweight handover authentication scheme, which mainlyutilized hash operations, and meanwhile minimize modular

exponentiation and pairing operations, so as to improve itssecurity and efficiency simultaneously. In the 3GPP standard[28, 33], relevant handover authentication protocol has beengiven to ensure the quality of network communication, butit implements the similar procedure as the initial accessauthentication.

However, these schemes, suitable in traditional wirelessnetworks, cannot be directly used in SIN, as there is agreat difference between SINs and other traditional wirelessnetworks [4]. Therefore, it is a focused research topic todesign security protection mechanisms suitable for the uniquecharacteristics of SIN. In order to guarantee communicationcontinuity in SIN, many handover algorithms are proposed.However, the security issues during the handover procedurestill have not yet received sufficient attentions. These schemesmainly focus on handover efficiency, aiming at realizing fasthandover in the high-rate SIN environment with lossy links.In terms of security, they often adopt the same scheme as theinitial access authentication scheme, or use some lightweightbut weakened security mechanisms. These operations giveattackers more opportunities to further exploit security threatsexisting in these schemes to illegally access the network andeven destroy the availability of the entire network.

In order to improve the efficiency of handover authenticationand ensure that the re-established link after handover is alsosecure, some new handover protocols, e.g., [34, 35], havebeen proposed based on some cryptographic algorithms. Butthere are too many interactions between the involved nodesin these protocols and the participation of the authenticationserver is often required. If these schemes are applied toSIN, users’ communication continuity will be greatly affected.Although our previous works [34, 35] provide solutions toimplement handover authentication with different securityfeatures, respectively, they are still not efficient enough and notvery general. The handover authentication in [34] requires thecurrent attached satellite to send the access control list, whichcontains the identification of all legal accessed users currentlyattached within it, to the subsequent attached satellite. Whenthe number of users in the domain is drastically increased, thetransmission of the list will consume too much inter-satellitelink bandwidth, and the lookup operation in the list will alsoreduce the efficiency of handover. In another work [35], eachtime when users hand over to a new satellite, the accessauthentication process needs to be re-executed, which bringslarge computational overhead to the hardware-constrainedsatellites. Meanwhile, Yang et al. [36] further proposed agroup signature based scheme for SIN, but group signatureintroduces considerable computational complexity. Moreover,the group signature technology requires the update of signingkey or public key once revocation occurs, which will also bringin unnecessary implementation delay. To be noted, there is nosecure seamless handover scheme introduced in [36], whichis mainly for access authentication in cross-domain roamingscenarios. Therefore, for the secure communication in satellitenetwork environment, it is in a desperate need to design asecure and lightweight handover authentication scheme. Inthis paper, the proposed GKA mechanism actually providesa secure and trusted environment among low orbit satellite





4

nodes. The existence of shared group keys provides a goodopportunity for designing an efficient handover authenticationscheme.

III. SYSTEM MODEL, SECURITY ASSUMPTION, DESIGNGOALS AND OVERVIEW OF OUR SCHEME

A. System Model

As shown in Fig. 1, a general SD-SIN architecture consistsof space information network, terrestrial network, and someextra specific servers. The space information network (SIN) isa heterogeneous one with satellite network as the backbone,and consists of a variety of satellites and spacecrafts in general.SIN is deployed with spacecrafts at different orbits, groundstations, and mobile terminals provided with the satellitecommunication capability [37]. The terrestrial network ismainly composed of the traditional wireless networks deployedon the ground, such as LTE-A networks, WiFi, and so on [38].As shown in Fig. 1, the differences between SIN and SD-SINinclude the replacement of the service router with the SDNswitch and the requirement for a logical control channel [6].

InternetWireless core network

LTE

GEO（Satellite controller）

Terrestrial controller

Network management center

AP1

AP2

AP3

Terrestrial Netw

orkSpace

Information

Netw

ork

Fig. 1. System model

From the aspect of SDN technology, in SD-SIN, there aremainly three types of entities, including SD-SIN switch, SD-SIN controller, and network management center (NMC). NMCserves as the orchestrator of the whole SD-SIN, includingboth space information networks and terrestrial networks.The functions of NMC mainly include resource registrationand inquiry and devising some strategies (e.g., routing,security, and accounting) [39]. The Geosynchronous EarthOrbit (GEO) satellites acts as controllers of space informationnetwork, which is responsible for collecting link status amongsatellites and forwarding instructions from NMC to satellites.Meanwhile, GEO can also predict satellite trajectories. Withno less than three GEOs, the service of SD-SIN could coverthe entire globe. Terrestrial controller is deployed on theground, and the function of which includes maintaining thelocal service information (e.g., service type and location)in the database and distributing the instructions from NMC

to switches via the secure link between controllers andNMC. Low orbit satellites with limited computational abilityplay a role of SDN switches. It is worth noting that inaddition to data forwarding, they are only allowed to supportsimple verification operations, such as implementation ofsymmetric cipher algorithm and one-way hash, as performingcomplex cryptographic operations introduce significant delays.In addition, we assume that these LEO satellites have amoderate storage capacity just like traditional network routersand a small trust zone, e.g., a secure digital memory card,to store some secure values. With this architecture, user’strack can be easily predicted, which will facilitate theimplementation of handover authentication scheme.

B. Security Assumption

We assume that the network management center (NMC)cannot be compromised by any adversary, and thus canbe completely trusted for all entities in our system. LEOsatellites in the system can be impersonated by other maliciousadversaries, and then they will deceive other LEO satellitesto provide access services for illegal users. As the satellitecontroller in SIN, GEO satellites can be considered to befully trusted, and it will honestly forward signaling messagesbetween other satellite nodes and NMC. As each GEO satelliteis static related to the NMC, it is easy to pre-establish thesecure channel by traditional secure protocols based on pre-shared key, e.g., using the Third Generation Partnership ProjectAuthentication and Key Agreement (3GPP-AKA). Thereafter,each GEO can establish a secure channel by key agreementalgorithm with other GEOs with the help of NMC. In addition,we assume that the adversary has the ability to modify, injector interrupt the interaction messages over the air, and triesto corrupt the proposed scheme. Moreover, all satellite nodesmay suffer from virus attacks, even being hijacked.

C. Design Goals

In this paper, we propose a secure SD-SIN architecture,in which a SIN-specific lightweight group key agreementprotocol based on (t, n) secret sharing is proposed to ensureboth of the security and applicability. Moreover, consideringthe highly dynamic network topology in SD-SIN, we designa group key-based secure handover authentication scheme toreduce the overhead of handover authentication. In view ofthe inherent characteristics of SIN, it’s necessary to find acompromise state between security and availability. In general,in addition to providing the basic functions of SDN, a well-designed security protection scheme for SD-SIN should satisfythe following properties:◦ Applicability and efficiency. The proposed scheme must

be suitable to SD-SIN and achieve a high efficiencyin terms of computation and communication complexity,especially for the access to satellites. The access to satellitesis usually resource-constraints, which cannot support theimplemention of complex operations.◦ Integrity and Confidentiality. Since the controller in SD-

SIN can control the whole network, the proposed schemeshould prevent control signaling from being forged. Besides,





5

sensitive data in SD-SIN should also be protected fromdisclosure to any other parties. Therefore, low orbit satellitesmust establish secure channels with each other when havingcommunication needs between them. So do between loworbit satellites and high orbit satellites.

◦ Low overhead of secure channel reconstruction. Thelow orbit satellite network is highly dynamic, and themovement of satellites in low earth orbit is so fast thatmost satellites have to reestablish secure channels with eachother frequently, which brings in heavy handover overheadin SD-SIN. In addition to reducing the overhead of linkreconstruction by means of the specific communicationand network technologies, the proposed security schemeshould consider the special features of SD-SIN and reducethe handover overhead to reduce the secure channelreconstruction overhead.

D. Overview of Our Scheme

The overview of the group key agreement and handoverauthentication scheme is shown in Fig. 2. The satellitesof the same group at lower orbit, e.g., Low Earth Orbit(LEO) satellites, can negotiate a shared group key with theassistance of the satellites at higher orbit, i.e., GEO satellites.In order to protect the confidentiality of messages transmittedbetween satellites and group manager (GM) integrated in thenetwork management center, we assume that each satelliteshares a key with the GM. Each group member first sendsa random selected point with a pair of values to the GEOsatellite connecting with it. Then, each GEO satellite forwardsits collected points to the GM in a secure manner. Uponreceiving these n points, GM first chooses a group key GKand lets f(0) = GK. Then, GM constructs an interpolatedpolynomial f(x) with degree N . Finally, GM regenerates npoints on the polynomial f(x) and returns them to each groupmember. Subsequently, these group members can recover thepolynomial to share the group key GK.

The handover authentication protocol, as an importanttechnology in mobile networking, makes mobile users able tosecurely and seamlessly roam across different access points.The handover scenario we will introduce is shown in Fig. 2,where a mobile user accesses LEO2 to obtain network serviceand LEO2 will generate the handover ticket for this user byusing group key GK. When the user is handing over from thecurrent satellite LEO2 to the target satellite LEO3, the userfirst needs to send a handover request to LEO3. Then, after theauthentication is successful verified, the mobile user is allowedto access target satellite LEO3. Moreover, there is anotherhandover scenario where mobile users hand over betweentwo ground stations. In this scenario, the session key mustbe changed to provide secure communication with forwardsecurity and backward security. With the help of LEO2 andthe old ground station G, a new session key SK∗ will beestablished between the mobile user and the target groundstation G∗.

IV. THE GROUP KEY AGREEMENT SCHEME

The group key agreement protocol needs the involvement ofthree entities: LEO satellites, GEO satellites, and GM. GM is

GEO2

… …

LEO1 LEO2 LEO3 LEOn

GK GK GK

GEOmGEO1

… …

Network management center①H

andover

tic

ket

②H

O_r

eque

st

③ Authentication

④H

O_r

espo

nse

④H

O_response*

⑤ Transfer araP

Target ground station G*Current ground station G

⑥ Key negotiation parameter

Construct the polynomial f(x),

where f(0)=GK

Group managerData center

Ground station

Fig. 2. Overview of the proposed scheme

the trust party integrated in NCC. GEO satellites are assistantsfor the communication between LEO satellites and GM. ALEO satellite is a group member (Leoi) with constrainedcompute resource. The protocol is implemented to achievegroup key agreement by using the secret sharing technology[40]. Our proposed group key agreement protocol consists ofsystem initial phase and group key agreement phase.

A. System Initial Phase

In this phase, each LEO satellite (Leoi) that has beenauthorized by the network management cente shares a secretvalue (xi, yi) with the network management center that actsas the group manager during the group key agreement process.From a security perspective, these secret values will be storedin trusted hardware configured in the satellite where the datastored is unreadable to adversaries.

B. Group Key Agreement Phase

The group key will be shared between GM and the groupmembers in this phase. The process is described as follows:

1) Each group member Leoi firstly generates the randomchallenge value Ri and the timestamp tsi, and thenenters them into the trusted hardware configured inthe satellite. The trusted hardware module computesh(xi, IDLeoi , Ri, tsi), where h() is the hash function,and outputs it to Leoi. Finally, Leoi sends the groupkey agreement request message GKAi

req = {hi =h(xi, IDLeoi , Ri, tsi), IDLeoi , Ri, tsi} to network man-agement center on the ground by using GEO satellite asthe forwarding node.

2) Upon receiving the group key agreement request messageGKAi

req(1 ≤ i ≤ N), GM first performs datasource authentication and data integrity verificationby checking whether the received hi is equal toh∗(xi, IDLeoi , Ri, tsi) calculated from the locally storedxi and the received parameters {IDLeoi , Ri, tsi}. Then,GM computes the point (xi, yi + Ri) for Leoi whohave been successfully authenticated. For the convenienceof description, we assume that all n LEO satelliteshave been successfully authenticated, thus obtaining





6

n points (xi, yi + Ri)(1≤i≤N). Then GM randomlychooses a group key GK, and constructs an interpolatedpolynomial f(x) with degree N to pass through (N +1)points, (0, GK), and (xi, yi + Ri) for i = 1, 2, ...., N .Next, the GM reselects N additional points P ∗i onf(x) for N members, Leoi (1 ≤ i ≤ N ), andcomputes Authi = h(GK, IDLeoi , Ri, P

∗1 , ..., P

∗N ).

Finally, GM broadcasts the key agreement response mes-sage {Authi, IDLeoi , P

∗1 , ..., P

∗N}(1≤i≤N) to all group

members.3) Upon receiving the response message, each group

member Leoi firstly computes the point (xi, yi + Ri)through the trusted hardware module. Subsequently, Leoican recover the polynomial f(x) from point (xi, yi+Ri)and other n received points {P ∗1 , ..., P ∗N}, thus retrievingthe group key GK = f(0). Then, Leoi computesAuth∗i = h(GK, IDLeoi , Ri, P

∗1 , ..., P

∗N ) and checks

whether this hash value is identical to the received Authi.If these two values are identical, Leoi believes that thisgroup key is valid and accepts it; otherwise, Leoi stopsthe group key agreement protocol.

After the group key agreement procedure is completed, then group members will use key GK as their shared group key.Thus, they can use this GK to protect data confidentiality insubsequent group communications.

V. HANDOVER AUTHENTICATION BASED ON THE SHAREDGROUP KEY

In SIN, satellites move with a higher speed relative tomobile users in terrestrial networks, which results in a highdynamic feature of the network topology. This dynamictopological feature poses a major challenge on the continuousand secure communication of end users. Therefore, it isessential to provide a secure and efficient seamless handoverscheme to provide satisfactory quality of service (QoS) forsome services while keeping security protection, especially,for the real-time ones.

A. Initial Authentication Phase

In this phase, user U implements the initial authenticationprocess before he/she starts to access SD-SIN and obtains ahandover ticket from the satellite. For satisfying high securityand performance requirements, the user can implementthe low-latency authentication scheme proposed in [35] toachieve the initial authentication between the user and thesatellite/ground station. For simplicity, it is assumed that theauthentication scheme proposed in [35] has been implementedin the initial authentication process. After the mutualauthentication is completed, user U can share secret keys KUS

and SK with the satellite and the ground station, respectively.In addition, the satellite currently providing access servicesissues handover tickets for all users connected to it. Thedetails are described as follows. Let CS be the current satelliteaccess point and NS be the new satellite access point. Thecurrent satellite access point CS first generates a temporarygroup key TGK by computing TGK = KDF (GK), where

KDF represents a key derivation function, which is a one-way function. Then, CS computes a handover ticket HTUaccording to Eq. (1) for U and sends HTU encrypted by usingkey KUS .

HTU = ENCTGK(IDU ,KUS , Texp), (1)

where ENC is a symmetric encryption algorithm and Texp isthe expiration time of HTU . Finally, U stores the receivedHTU for achieving secure and seamless handover in thesubsequent communication.

B. Handover Authentication Phase

In this phase, the user and the target satellite (NS)accomplish the handover authentication process and negotiatea session key between them when the user moves away fromthe CS to the NS. The procedure is described in details asfollows:

1) U first chooses a random number RU and gener-ates MAC1

U = H(KUS , IDU , RU , HTU , ts1), wherets1 is a timestamp used to resist replay attacks.Then, U sends handover request message HOreq ={IDU , IDNS , RU , HTU , ts1,MAC1

U} to NS, the targetsatellite access point.

2) Upon receiving the handover request message HOreq,the NS first checks whether the timestamp ts1 is withinthe allowable time range compared with the current time.If it is right, the NS computes a temporary group keyTGK = KDF (GK) to decrypt the receiving HTU toobtain KUS and Texp. If Texp is valid, the NS utilizesKUS to verify the correctness of MAC1

U . If MAC1U

is not correct, the NS rejects the handover request;otherwise, the NS trusts that the received MAC1

U is fromthe legal user. Then, it chooses a random number RNS

and computes MACNS = H(KUS , IDNS , RNS , ts2),and sends the handover response message HO1

res ={IDU , IDNS , RNS , ts2,MACNS , “satellite handoff”}or HO2

res = {IDU , IDNS , RNS , ts2,MACNS , “groundstation handoff”} to the user. Subsequently, the NScomputes the new secret key

KUSnew = KDF (KUS , IDU , IDNS , RNS , RU ).

3) Upon receiving the handover response message, the userfirst determines whether the HO1

res or HO2res is received.

(1) If message HO1res is received, it represents that

the handover has happened between the satellite accesspoint, and the ground station unchanged. Then, the userperforms the following operations: he/she verifies the va-lidity of timestamp ts2 and the correctness of MACNS .If they are valid, the user computes secret key KUSnew

=KDF (KUS , IDU , IDNS , RNS , RU ) and sends the han-dover confirmation message HOcof = {MAC2

U}, whereMAC2

U = H(KUSnew, IDU , IDNS , RNS , ts3). Upon

the receipt of the handover confirmation message, NSconfirms MAC2

U to complete and end the handoverprotocol. Thus, a new secret key KUSnew can be sharedbetween the user and the NS.





7

(2) If message HO2res is received, it represents the

handover has happened between ground stations (betweenthe current ground station CG and the new ground stationNG). After KUSnew

is shared between the user andthe NS as described above in (1), the following stepsstill need to be performed: (a) NS sends the handoverrequest message HO∗req = {IDU , IDNG, IDNS} tothe new ground station IDNG; (b) Upon receivingHO∗req , the NG sends the authentication request messageto the CG to request the user context; (c) On thereceipt of the message, the current ground station CGsends the authentication response message including theuser context, which consists of user’s key negotiationparameters and other relevant parameters, to NG; (d)The CG forwards the key negotiation parameters to theuser via the secure channel. Subsequently, the user cangenerate the new session key SK∗.

Finally, after the handover authentication procedure iscompleted, legitimate users will be allowed to switch to newsatellite/ground station. Meanwhile, the keys shared betweenthe user and the new satellite/ground station are renegotiated.

TABLE INOTATIONS AND LOGICAL POSTULATES IN BAN LOGIC

Notations DescriptionP |≡ X Principal P believes statement XP CX P sees the statement X]X The formula X is fresh

P |∼ X P once said XP |⇒ X P has jurisdiction over statement X(X,Y ) Formula X or Y is one part of formula (X,Y ){X}K Formula X is encrypted with key K

PK←→ Q P and Q use the shared key K to communicate

VI. SECURITY EVALUATION

In this section, we first show that the proposed handoverauthentication scheme can achieve mutual authentication, keyagreement, and resistance of several typical attacks. Then, weapply BAN Logic [41] to prove the correctness of the handoverauthentication protocol.

A. Security Analysis

Mutual Authentication: The proposed handover authenti-cation scheme can achieve the mutual authentication betweenuser U and the target satellite access point NS. In ourproposed scheme, only the legitimate user can access tothe SIN via NS. The NS authenticates U by checkingthe received MAC1

U = H(KUS , IDU , RU , HTU , ts1),where KUS = DECTGK(HTU ). Only the legitimate userknows the secret key KUS and thus can generate thelegal MAC1

U = H(KUS , IDU , RU , HTU , ts1). Besides, Uverifies the NS by checking if the received MACNS =H(KUS , IDNS , RNS , ts2) because only the legitimate NScan derive the temporary group key TGK and then decryptHTU to obtain the secret key KUS . Therefore, the mutualauthentication between the user and the target satellite can beaccomplished.

Key Agreement: In the proposed handover authenticationscheme, user U negotiates a session key KUSnew with thetarget satellite access point NS, which is derived from thesecret key KUS and the random number RU and RNS

dynamically generated by U and NS, respectively. Only thelegitimate user knows the correct key KUS and only thelegitimate NS can derive the temporary group key TGKand then extract the secret key KUS by decrypting HTU .In addition, in the handover scenario where the user handsover between ground stations, the secret session key SK∗ canbe negotiated between the user and the target ground station.Furthermore, any adversaries cannot obtain keying materialsbecause the handover session key is not transmitted over anylinks and is computed on each side independently.

Resistance of Eavesdropping Attack: The secret key KUS

is encrypted and encapsulated in HTU by NS by using thetemporary group key TGK. Even if an adversary couldintercept HTU through eavesdropping attack, he/she cannotobtain the secret key KUS because TGK is unknown. Besides,the keys used to protect the sensitive data are not transmittedover communication links. Therefore, our scheme can preventadversaries from launching the eavesdropping attack to obtainthe sensitive information.

Resistance of Replay Attack: An adversary always tries tointercept messages and further replay them. However, he/shestill cannot be authenticated successfully when the timestampvalue in the reply message is checked as invalid. Moreover,the timestamp value cannot be modified and replaced becausethey are hashed to get the message authentication code MACU

and MACNS , respectively. Thus, the replaying message canbe easily detected by checking the validation of the timestampand message authentication code.

Resistance of Man-in-the-Middle (MitM) Attack: AMitM attacker cannot derive the new session key KUSnew

by eavesdropping the public parameters from the wirelesscommunication channel since KUSnew is derived based onthe secret values KUS after successful mutual authentication.Therefore, it is infeasible for an adversary to launch MitMattack to invade the existing connection. Furthermore, itis infeasible for the attacker to create a correct messageauthentication code without the secret key KU . Thus, no onecan impersonate the legitimate NS or the legitimate U.

B. Authentication Proof Based on BAN Logic

The BAN logic [41] is a formal model widely usedto analyze the security of authentication schemes. Inthis subsection, using the BAN logic, we provide anauthentication proof, and demonstrate how the proposedhandover authentication achieves the security goals. Somenotations and logical postulates used in the BAN logic analysisare described in TABLE I.

The rules introduced below describe the main logicalpostulates of the BAN logic.

According to the analytic procedures of the BAN logic, ourproposed protocol should satisfy the following security goals:

G1. NS |≡ U KUS←→ NS

G2. NS |≡ U |≡ U KUSnew←→ NS





8

TABLE IICOMPARISON OF COMPUTATION OVERHEAD

Cost of Initial Phase (ms) Cost of Authentication (ms) Total (ms)Choi’s [29] 6Tmexp + 2TRV + 2Th 8Tmexp + 2TRV + 6Th + 8Tmul + 4Tsy 14Tmexp + 4TRV + 8Th + 8Tmul + 4Tsy

Lai’s [30] 2Tpair + Tmul 4Th + 6Tmul + 2Tpair 4Tpair + 7Tmul + 4Th

Cao’s [31] 4Tmexp + 2Tsy 10Tmexp + 4Th + 6Tmul + 2Tsy 14Tmexp + 4Th + 6Tmul + 4Tsy

He’s [32] 0 2Tpair + 6Th 2Tpair + 6Th

LTE-A [33] 0 6Th 6Th

Ours Th + Tsy 6Th + Tsy 7Th + 2Tsy

To facilitate the derivation, we first transfer the communica-tion message of our proposed handover authentication schemeinto idealized form as follows.Message 1. U → NS : Handover request message

NS C{IDU , IDNS , RU , ts1,

{IDU , U

KUS←→ NS, Texp}TGK

,{IDU , RU , ts1, {IDU , U

KUS←→ NS, Texp}TGK

}KUS

}.

Message 2. NS → U : Handover response message

U C{IDU , IDNS , RNS , ts2, {IDNS , RNS , ts2,

UKUSnew←→ NS}KUS

}.

Message 3. U → NS : Handover confirm message

NS C {IDNS , RNS , ts3, UKUSnew←→ NS}KUSnew

.

The initial assumptions ensure that the logical analysisof the proposed solution can be successfully conducted.Therefore, in order to analyze the proposed scheme, we makethe following assumptions about the initial state of the scheme.

A1. U |≡ U KUS←→ NS

A2. U |≡ CS GK←→ NS

A3. NS |≡ CS GK←→ NSA4. NS |≡ ](Texp)A5. NS |≡ (U/CS |⇒ U

KUS←→ NS)A6. U |≡ ](ts2)A7. NS |≡ ](ts1)A8. NS |≡ ](ts3)A9. U |≡ ](RU )A10. NS |≡ ](RNS)

Finally, based on the idealized form of the messages andassumptions, we analyze the idealized form of the proposedscheme and provide the main procedures of proof as follows.

According to Message 1 and assumption A3, we apply the

message-meaning rule P |≡P K←→Q,PC{X}KP |≡Q|∼X to obtain

S1. NS |≡ U/CS |∼ {IDU , RU , ts1, IDU , UKUS←→

NS, Texp}According to S1 and assumptions A4 and A7, we apply the

nonce-verification rule P |≡](X),P |≡Q|∼XP |≡Q|≡X to obtain

S2. NS |≡ U |≡ U KUS←→ NS

According to S2 and assumption A5, we apply thejurisdiction rule P |≡(Q|⇒X),P |≡(Q|≡X)

P |≡X to obtain

S3. NS |≡ U KUS←→ NS

According to Message 2 and assumption A1, we apply the

message-meaning rule P |≡P K←→Q,PC{X}KP |≡Q|∼X to obtain

S4. U |≡ NS |∼ {IDNS , RNS , ts2, UKUS←→ NS}

According to S4 and assumptions A6 and A9, we apply thenonce-verification rule P |≡](X),P |≡Q|∼X

P |≡Q|≡X to obtain

S5. U |≡ NS |≡ U KUS←→ NS

According to Message 3 and S3, we apply the message-

meaning rule P |≡P K←→Q,PC{X}KP |≡Q|vX to obtain

S6. NS |≡ U |∼ {IDNS , RNS , ts3, UKUSnew←→ NS}

According to S6 and assumptions A8 and A10, we applythe nonce-verification rule P |≡](X),P |≡Q|∼X

P |≡Q|≡X to obtain

S7. NS |≡ U |≡ U KUSnew←→ NS

As a result, the above logic proves that the contributedscheme achieves mutual authentication between U and NS.

VII. PERFORMANCE ANALYSIS

In this section, we will compare the proposed handoverauthentication scheme with existing schemes in terms ofcomputation overhead, communication overhead, securityfunctionality and performance comparison, and algorithmimplementation efficiency.

A. Computation Overhead

For the handover authentication overhead, we define it as thetime cost of cryptography operations involved in the proposedscheme. We investigated the time costs of the primitivecryptography operations using the OpenSSL library [42] onan Intel P III Mobile 733 MHz processor. Meanwhile, theresults in [43] show that the time costs for performing an RSAverification, point multiplication, modular exponentiation, andpairing operation are TRV = 0.435ms, Tmul = 1.082ms,Tmexp = 1.019ms, and Tpair = 33.584ms, respectively. Notethat the time costs of highly efficient operations (less than0.001ms) such as symmetric encryption/decryption operationTsy and one one-way hash function Th are omitted. TABLE IIcompares our proposed handover authentication scheme withsome existing works, i.e., [29], [31], [32] and [33], in termsof computation complexity with authentication delay. FromTABLE II, one can see that the total time required fora successful handover authentication in our work is muchless than that of Choi’s scheme, Cao’s scheme, and He’sscheme. This is because the operations adopted by our schemeare highly efficient operations (e.g., hash function), and the





9

operation costs of which are significantly smaller than otheroperations (e.g., point multiplication, pairing operation). WhileLTE-A scheme has an equally low authentication overhead toour scheme, LTE-A scheme is not able to resist various attackssuch as eavesdropping attack, replay attack, and MitM attack.Moreover, as what we analyzed in Communication overhead,the communication overhead of LTE-A scheme is far higherthan that of our scheme.

B. Communication Overhead

For the communication overhead, we mainly evaluate thesizes of authentication messages in our proposed handoverauthentication scheme compared with some existing schemes.In order to better compare the communication overhead withthe existing schemes, we give the relevant parameters usedin these schemes in TABLE III. According to the sizesof all the messages, we also give a comparison of thecommunication overhead of the existing protocols as shownin TABLE IV. We can see that the communication overheadof our scheme is much lower than that in schemes [29], [30],[31], and [33]. Although the scheme in [32] has a little lowercommunication overhead than our scheme, its computationoverhead is excessively high as shown in ComputationOverhead.

TABLE IIIPARAMETER SIZE

Parameters Size (bits)Identity (IDU/IDS/IDG) 128

Pseudo-ID (PID) 256p/q 1024/160Key 128

GUTI/TAI/PCI/ECGI/GUMMEI ∗ 128Hash/MAC 64

Random number (R) 128ECDH key 192

Timestap (ts)/Expiration time (Texp) 17* GUTI: Globally Unique Temporary ID, TAI:

Tracking Area Identity, PCI: Physical Cell Identity,ECGI: E-UTRAN Cell Global Identifier, GUMME:source MME ID

TABLE IVCOMPARISON OF COMMUNICATION OVERHEAD

Scheme communication overhead (bits)Choi’s [29] 9045Lai’s [30] 2432Cao’s [31] 6208He’s [32] 1408

LTE-A [33] 2048Ours 1442

C. Security functionality and performance comparison

Finally, TABLE V shows the security functionality andperformance comparison of our proposed scheme and someexisting protocols [29–31, 33]. It can be seen that our proposedhandover authentication scheme has a better performance insecurity and efficiency compared with the existing protocols.

D. Algorithm Implementation Overhead

We construct experimental environment with Banana PiR1 with 1.2GHz CPU speed and 1GB RAM using Clanguage with OpenSSL library [42]. We further implementthe algorithms executed in the user side, the current satelliteside, and the new satellite side, respectively. In the experiment,the symmetric encryption/decryption algorithm used in ourprotocol adopt the AES algorithm, the key sizes of which isset to 128 bits. To ensure the reliability of the experiment,we repetitively conduct the same experiments 100 times.Meanwhile, in each time, the algorithm in our scheme is runfor 100 times, and further get the average time cost of asingle algorithm running. Furthermore, we use scatter plots todescribe these 100 experimental results. As shown in in Fig. 3,we can obtain three scatter plots for the three algorithms,which are implemented on the user side, the current satelliteside, and the new satellite side in our scheme. The currentsatellite-side and new satellite-side algorithm execution timeare about 8.079 µs and 26.035 µs on average, respectively.And the average time of user-side algorithm execution isabout 22.987 µs. Therefore, from the experiment results, wecan draw a conclusion that our proposed protocol is moreefficient in terms of computation and communication costs,which makes it feasible in practical implementations.

VIII. CONCLUSION

The integration of space information network (SIN)and software-defined networking (SDN) has been treatedas a promising method to enhance the operation ofsatellite networks and the development and management ofcommunication services in SIN. Although the study of networkarchitecture of software-defined space information network(SD-SIN) has been brought into research and discussed foryears, some security challenges posed on ensuring securecommunication for SD-SIN have been overlooked. In orderto guarantee the confidentiality of information flow in SD-SIN, a lightweight group key agreement protocol based onthe secret sharing technology was presented in this paper,which can establish a secure channel between satellitesand between the controller and satellite for protecting theinformation flow in SD-SIN. Moreover, an efficient and securehandover authentication mechanism was proposed based onthe group key shared among the satellites, which satisfies aset of essential security features, while it only needs lowercomputation cost and less communication overhead comparedwith the existing schemes.

ACKNOWLEDGMENT

The authors sincerely thank the editor, Dr. GeorgeAlexandropoulos, and the anonymous referees for theirinvaluable suggestions that have led to the present improvedversion. This work is supported in part by the National KeyResearch and Development Program of China under Grant No.2016YFB0800301, Youth Innovation Promotion AssociationCAS under Grant No. 2016394, and the National NaturalScience Foundation of China under Grant No. 61671420.





10

TABLE VCOMPARISON OF SECURITY AND PERFORMANCE FEATURES

Choi’s [29] Lai’s [30] Cao’s [31] He’s [32] LTE-A [33] OursMutual Authentication Yes Yes Yes Yes No Yes

Resistance of Eavesdropping Attack No Yes Yes Yes No YesResistance of Replay Attack Yes Yes Yes Yes No Yes

Resistance of Man-in-the-Middle (MitM) Attack Yes Yes Yes Yes No YesKey derivation Yes Yes Yes Yes Yes Yes

Computational cost High High High High Low LowCommunication overhead High Low High Low Low Low

24

26

28

30

32

34

36

0 20 40 60 80 100Sample Sequence

(a) Current satellite-side execution time

24

26

28

30

32

34

36


(b) New satellite-side execution time

22

23

24

25

26

27

28

29


(c) User-side execution timeFig. 3. Time cost for different entities

REFERENCES

[1] Y. Hu and V. O. Li, “Satellite-based Internet: a tutorial,” IEEECommunications Magazine, vol. 39, no. 3, pp. 154–162, 2001.

[2] J. Li, K. Xue, D. S. Wei, J. Liu, and Y. Zhang,“Energy efficiency and traffic offloading optimization inintegrated satellite/terrestrial radio access networks,” IEEETransactions on Wireless Communications, 2020. DOI:10.1109/TWC.2020.2964236.

[3] J. Li, H. Lu, K. Xue, and Y. Zhang, “Temporal netgrid modelbased dynamic routing in large-scale smallsatellite networks,”IEEE Transactions on Vehicular Technology, vol. 68, no. 6,pp. 6009–6021, 2019.

[4] G. Zheng, P.-D. Arapoglou, and B. Ottersten, “Physical layersecurity in multibeam satellite systems,” IEEE Transactions onWireless Communications, vol. 11, no. 2, pp. 852–863, 2012.

[5] J. Li, K. Xue, J. Liu, Y. Zhang, and Y. Fang, “An ICN/SDN-based network architecture andefficient content retrieval forfuture satellite-terrestrial integrated networks,” IEEE Network,vol. 34, no. 1, pp. 188–195, 2020.

[6] L. Bertaux, S. Medjiah, P. Berthou, S. Abdellatif, A. Hakiri,P. Gelard, F. Planchou, and M. Bruyere, “Software definednetworking and virtualization for broadband satellite networks,”IEEE Communications Magazine, vol. 53, no. 3, pp. 54–60,2015.

[7] N. Zhang, S. Zhang, P. Yang, O. Alhussein, W. Zhuang,and X. S. Shen, “Software defined space-air-ground integratedvehicular networks: Challenges and solutions,” IEEE Commu-nications Magazine, vol. 55, no. 7, pp. 101–109, 2017.

[8] B. Yang, Y. Wu, X. Chu, and G. Song, “Seamless handover insoftware-defined satellite networking,” IEEE CommunicationsLetters, vol. 20, no. 9, pp. 1768–1771, 2016.

[9] Y. Miao, Z. Cheng, W. Li, H. Ma, X. Liu, and Z. Cui,“Software defined integrated satellite-terrestrial network: Asurvey,” in Proceedings of 2016 International Conference onSpace Information Network (SINC), pp. 16–25, Springer, 2016.

[10] M. Yu, J. Rexford, M. J. Freedman, and J. Wang, “Scalable flow-based networking with DIFANE,” ACM SIGCOMM ComputerCommunication Review, vol. 41, no. 4, pp. 351–362, 2011.

[11] M. Al-Fares, S. Radhakrishnan, B. Raghavan, N. Huang, and

A. Vahdat, “Hedera: dynamic flow scheduling for data centernetworks,” in Proceedings of the 7th USENIX conference onNetworked systems design and implementation (NSDI), 2010.

[12] Z. Han, D. Niyato, W. Saad, T. Basar, and A. Hjørungnes, Gametheory in wireless and communication networks: theory, models,and applications. Cambridge University Press, 2012.

[13] Y. Yang, L. Wu, G. Yin, L. Li, and H. Zhao, “A survey onsecurity and privacy issues in internet-of-things,” IEEE Internetof Things Journal, vol. 4, no. 5, pp. 1250–1258, 2017.

[14] D. Li, J. Liu, and W. Liu, “Secure and anonymous data transmis-sion system for cluster organised space information network,” inProceedings of 2016 IEEE International Conference on SmartCloud (SmartCloud), pp. 228–233, IEEE, 2016.

[15] Q. Yu, W. Meng, M. Yang, L. Zheng, and Z. Zhang, “Virtualmulti-beamforming for distributed satellite clusters in spaceinformation networks,” IEEE Wireless Communications, vol. 23,no. 1, pp. 95–101, 2016.

[16] S.-H. Seo, J. Won, S. Sultana, and E. Bertino, “Effectivekey management in dynamic wireless sensor networks,” IEEETransactions on Information Forensics and Security, vol. 10,no. 2, pp. 371–383, 2015.

[17] A. Mehdizadeh, F. Hashim, and M. Othman, “Lightweightdecentralized multicast–unicast key management method inwireless IPv6 networks,” Journal of Network and ComputerApplications, vol. 42, pp. 59–69, 2014.

[18] T. R. Halford, T. A. Courtade, K. M. Chugg, X. Li, andG. Thatte, “Energy-efficient group key agreement for wirelessnetworks,” IEEE Transactions on Wireless Communications,vol. 14, no. 10, pp. 5552–5564, 2015.

[19] E. Klaoudatou, E. Konstantinou, G. Kambourakis, and S. Gritza-lis, “A survey on cluster-based group key agreement protocolsfor WSNs,” IEEE Communications Surveys & Tutorials, vol. 13,no. 3, pp. 429–442, 2010.

[20] T.-F. Lee and M. Chen, “Lightweight identity-based group keyagreements using extended chaotic maps for wireless sensornetworks,” IEEE Sensors Journal, vol. 19, no. 22, pp. 10910–10916, 2019.

[21] M. P. Howarth, S. Iyengar, Z. Sun, and H. Cruickshank,“Dynamics of key management in secure satellite multicast,”





11

IEEE Journal on Selected Areas in Communications, vol. 22,no. 2, pp. 308–319, 2004.

[22] C. Wang, K. Mao, J. Liu, and J. Liu, “Identity-baseddynamic authenticated group key agreement protocol for spaceinformation network,” in Proceedings of 2013 InternationalConference on Network and System Security (NSS), pp. 535–548, Springer, 2013.

[23] Y. Ding, X.-w. Zhou, Z.-m. Cheng, and Q.-w. Wu, “Key man-agement in secure satellite multicast using key hypergraphs,”Wireless Personal Communications, vol. 70, no. 4, pp. 1859–1883, 2013.

[24] J. Shen, C. Wang, S. Ji, T. Zhou, and H. Yang, “Secure emergentdata protection scheme for a space-terrestrial integratednetwork,” IEEE Network, vol. 33, no. 1, pp. 44–50, 2019.

[25] G. Maral, J. Restrepo, E. Del Re, R. Fantacci, and G. Giambene,“Performance analysis for a guaranteed handover service inan leo constellation with a “satellite-fixed cell” system,” IEEETransactions on Vehicular Technology, vol. 47, no. 4, pp. 1200–1214, 1998.

[26] L. Zhang, “Key management scheme for secure channelestablishment in fog computing,” IEEE Transactions on CloudComputing, 2019.

[27] Y. Zhang, R. Deng, E. Bertino, and D. Zheng, “Robust anduniversal seamless handover authentication in 5G HetNets,”IEEE Transactions on Dependable and Secure Computing,2019. DOI: 10.1109/TDSC.2019.2927664.

[28] “Technical specification “3rd generation partnership project;technical specification group services and system aspects;security architecture and procedures for 5g system”,” tech. rep.,3GPP, December 2018. TS 33.501, Release 15.

[29] J. Choi and S. Jung, “A handover authentication using cre-dentials based on chameleon hashing,” IEEE CommunicationsLetters, vol. 14, no. 1, pp. 54–56, 2010.

[30] C. Lai, H. Li, R. Lu, R. Jiang, and X. Shen, “SEGR: A secureand efficient group roaming scheme for machine to machinecommunications between 3GPP and WiMAX networks,” inProceedings of 2014 IEEE International Conference onCommunications (ICC), pp. 1011–1016, IEEE, 2014.

[31] J. Cao, H. Li, M. Ma, Y. Zhang, and C. Lai, “A simple androbust handover authentication between HeNB and eNB in LTEnetworks,” Computer Networks, vol. 56, no. 8, pp. 2119–2131,2012.

[32] D. He, S. Chan, and M. Guizani, “Handover authenticationfor mobile networks: security and efficiency aspects,” IEEENetwork, vol. 29, no. 3, pp. 96–103, 2015.

[33] “Technical specification “3rd generation partnership project(3GPP); evolved universal terrestrial radio access (E-UTRA)and evolved universal terrestrial radio access network (E-UTRAN); overall description; Stage 2”,” tech. rep., 3GPP, April2016. TS 36.300 version 13.3.0 Release 13.

[34] K. Xue, W. Meng, S. Li, D. S. Wei, H. Zhou, and N. Yu, “Asecure and efficient access and handover authentication protocolfor Internet of things in space information networks,” IEEEInternet of Things Journal, vol. 6, no. 3, pp. 5485–5499, 2019.

[35] W. Meng, K. Xue, J. Xu, J. Hong, and N. Yu, “Low-latency authentication against satellite compromising for spaceinformation network,” in Proceedings of the 15th IEEEInternational Conference on Mobile Ad Hoc and Sensor Systems(MASS), pp. 237–244, IEEE, 2018.

[36] Q. Yang, K. Xue, J. Xu, J. Wang, F. Li, and N. Yu,“AnFRA: Anonymous and fast roaming authentication forspace information network,” IEEE Transactions on InformationForensics and Security, vol. 14, no. 2, pp. 486–497, 2019.

[37] J. Mukherjee and B. Ramamurthy, “Communication technolo-gies and architectures for space network and interplanetaryInternet,” IEEE Communications Surveys & Tutorials, vol. 15,no. 2, pp. 881–897, 2013.

[38] H. Yao, L. Wang, X. Wang, Z. Lu, and Y. Liu, “Thespace-terrestrial integrated network: An overview,” IEEE

Communications Magazine, vol. 56, no. 9, pp. 178–185, 2018.[39] T. Li, H. Zhou, H. Luo, and S. Yu, “SERvICE: A software

defined framework for integrated space-terrestrial satellitecommunication,” IEEE Transactions on Mobile Computing,vol. 17, no. 3, pp. 703–716, 2018.

[40] A. Shamir, “How to share a secret,” Communications of theACM, vol. 22, no. 11, pp. 612–613, 1979.

[41] M. Burrows, M. Abadi, and R. M. Needham, “A logicof authentication,” Proceedings of The Royal Society A:Mathematical, Physical and Engineering Sciences, vol. 426,no. 1871, pp. 233–271, 1989.

[42] “OpenSSL.” http://www.openssl.org. Accessed on Jan. 2020.[43] D. He, J. Bu, S. Chan, and C. Chen, “Handauth: Efficient

handover authentication with conditional privacy for wirelessnetworks,” IEEE Transactions on Computers, vol. 62, no. 3,pp. 616–622, 2013.

Kaiping Xue (M’09-SM’15) received his bachelor’sdegree from the Department of Information Security,University of Science and Technology of China(USTC), in 2003 and received his Ph.D. degreefrom the Department of Electronic Engineering andInformation Science (EEIS), USTC, in 2007. FromMay 2012 to May 2013, he was a postdoctoralresearcher with the Department of Electrical andComputer Engineering, University of Florida. Cur-rently, he is an Associate Professor in the School ofCyber Security and the Department of EEIS, USTC.

His research interests include next-generation Internet, distributed networksand network security. Dr. Xue has authored and co-authored more than80 technical papers in the areas of communication networks and networksecurity. His work won best paper awards in IEEE MSN 2017, IEEE HotICN2019, and best paper runner-up award in IEEE MASS 2018. He serves onthe Editorial Board of several journals, including the IEEE Transactions onWireless Communications (TWC), the IEEE Transactions on Network andService Management (TNSM), Ad Hoc Networks, IEEE Access and ChinaCommunications. He has also served as a guest editor of IEEE Journal onSelected Areas in Communications (JSAC) and a lead guest editor of IEEECommunications Magazine. He is serving as the Program Co-Chair for IEEEIWCMC 2020 and SIGSAC@TURC 2020. He is an IET Fellow and an IEEESenior Member.

Huancheng Zhou received the B.S. degree fromthe Department of Information Security, Universityof Science and Technology of China (USTC),in 2017. He is currently a graduated studentin Communication and Information System fromthe Department of Electronic Engineering andInformation Science (EEIS), USTC. His researchinterests include network security protocol designand analysis.

Wei Meng received his B.S. degree from theDepartment of Information Security from School ofTelecommunications Engineering, Xidian Universi-ty, China, in 2016, and received her M.S. degreefrom the Department of Electronic Engineering andInformation Science (EEIS), USTC, in 2019. Herwork won the best paper runner-up award in IEEEMASS 2018. Her research interests include networksecurity protocol design and analysis.





12

David S.L. Wei (SM’07) received his Ph.D. degreein Computer and Information Science from theUniversity of Pennsylvania in 1991. He is currentlya Full Professor of Computer and InformationScience Department at Fordham University. FromMay 1993 to August 1997 he was on the Faculty ofComputer Science and Engineering at the Universityof Aizu, Japan (as an Associate Professor andthen a Full Professor). Dr. Wei has authored andco-authored more than 120 technical papers inthe areas of distributed and parallel processing,

wireless networks and mobile computing, optical networks, peer-to-peercommunications, cognitive radio networks, big data, cloud computing, andIoT in various archival journals and conference proceedings. He servedon the program committee and was a session chair for several reputedinternational conferences. He was a lead guest editor of IEEE Journal onSelected Areas in Communications for the special issue on Mobile Computingand Networking, a lead guest editor of IEEE Journal on Selected Areas inCommunications for the special issue on Networking Challenges in CloudComputing Systems and Applications, a guest editor of IEEE Journal onSelected Areas in Communications for the special issue on Peer-to-PeerCommunications and Applications, a lead guest editor of IEEE Transactionson Cloud Computing for the special issue on Cloud Security, a guest editorof IEEE Transactions on Big Data for the special issue on Trustworthinessin Big Data and Cloud Computing Systems, and a lead guest editor ofIEEE Transactions on Big Data for the special issue on Edge Analyticsin the Internet of Things. He also served as an Associate Editor of IEEETransactions on Cloud Computing, 2014-2018, and an Associate Editor ofJournal of Circuits, Systems and Computers, 2013-2018. He is presently aneditor of IEEE Journal on Selected Areas in Communications for the Series onNetwork Softwarization & Enablers and a lead guest editor of IEEE Journalon Selected Areas in Communications for the special issue on LeveragingMachine Learning in SDN/NFV-based Networks. Currently, Dr. Wei focuseshis research efforts on cloud and edge computing, IoT, big data, machinelearning, and cognitive radio networks.

Mohsen Guizani (S’85-M’89-SM’99-F’09) re-ceived the B.S. (with distinction) and M.S. degreesin electrical engineering, the M.S. and Ph.D. degreesin computer engineering from Syracuse University,Syracuse, NY, USA, in 1984, 1986, 1987, and 1990,respectively. He is currently a Professor at the CSEDepartment in Qatar University, Qatar. Previously,he served in different academic and administrativepositions at the University of Idaho, WesternMichigan University, University of West Florida,University of Missouri-Kansas City, University of

Colorado-Boulder, and Syracuse University. His research interests includewireless communications and mobile computing, computer networks, mobilecloud computing, security, and smart grid. He is currently the Editor-in-Chief of the IEEE Network Magazine, serves on the editorial boards ofseveral international technical journals and the Founder and Editor-in-Chiefof Wireless Communications and Mobile Computing journal (Wiley). Heis the author of nine books and more than 500 publications in refereedjournals and conferences. He guest edited a number of special issues in IEEEjournals and magazines. He also served as a member, Chair, and GeneralChair of a number of international conferences. Throughout his career, hereceived three teaching awards and four research awards. He also receivedthe 2017 IEEE Communications Society WTC Recognition Award as well asthe 2018 Ad Hoc Technical Committee Recognition Award for his contributionto outstanding research in wireless communications and Ad-Hoc Sensornetworks. He was the Chair of the IEEE Communications Society WirelessTechnical Committee and the Chair of the TAOS Technical Committee. Heserved as the IEEE Computer Society Distinguished Speaker and is currentlythe IEEE ComSoc Distinguished Lecturer. He is a Fellow of IEEE and aSenior Member of ACM.



a lightweight and secure group key based handover

Documents