Tasneem Gandapur Brutch, Paul Brutch, and Udo Pooch
(tasneem, paulb, pooch@cs.tamu.edu)
Department of Computer Science
Texas A&M University
1. Position
Recovery is an essential property for a survivable infrastructure. Ellison, Fisher, Linger, et al. state that survivable systems are most clearly distinguished from systems that are merely secure because survivable systems require recovery [EF97]. If mobile computing systems are to support critical applications, the capability to provide recovery is crucial. Since mobile hosts are more prone to failure, and wireless communication is more prone to eavesdropping and disruption, than static wired hosts, new security and recovery schemes need to be developed. In this paper, we propose a model for a system to provide mutual authentication, confidentiality, and data integrity in a recoverable environment.
2. Introduction
The integration of wireless and mobile communication devices into traditional wired data networks has resulted in the popularity of various portable PCS devices. We will refer to these as Mobile Hosts (MHs). A mobile host is defined as a device which can alter its point of attachment from one network or sub-network to another, while retaining its network connections, and without changing its IP address [Pe97].
In order to ensure recoverability in wireless and mobile devices, it is imperative for the communication system to provide a mechanism to checkpoint the state of wireless and mobile devices. Using checkpoints, processes on mobile devices can be restarted from the last saved global checkpoint in case of loss or failure of the device [AB94]. This is especially significant when critical applications are executed on mobile hosts. Recovery schemes used in static wired networks do not work very well in mobile wireless networks. Algorithms used for checkpointing mobile devices encounter additional issues unique to the mobile and wireless environment. Some of these issues are:
- Mobile Wireless networks have non-uniform network characteristics which vary over time [PK96].
- Mobile hosts are vulnerable to failure much more than static hosts [AB94].
- The local disk of a mobile host is unstable and/or limited in capacity [PK96].
- The location of stable storage changes as a mobile host moves [PK96].
- As compared to wired computers, mobile hosts are much more susceptible to frequent disconnections, both voluntary and involuntary [AB94]. These may be due to voluntarily disconnecting the mobile host, failure of the wireless link, or the exhaustion of battery power [PK96].
- The performance of a mobile host fluctuates with changes in link failure rate, wireless bandwidth, and mobility [PK96].
- Performance metrics for mobile hosts are affected by hand-off time [PK96].
3. Proposed System Model
We will use a system model which is similar to the Global System for Mobile Communications (GSM) network architecture. In this system, each mobile host communicates with other hosts via Base Station Systems (BSSs). Each base station system includes a Base Station Controller (BSC) and one or more Base Transceiver Stations (BTSs). Each base transceiver station serves one cell, and it is in contact with the mobile hosts via radio interfaces. A cell is a small geographic area surrounding a base transceiver station within which a mobile host can communicate with the BTS. A base transceiver station provides voice and data transmission using an A-bis interface between itself and the Base Station Controller (BSC) [Me96]. Each base station controller performs radio resource management for all the cells controlled by it, and provides a system for managing the underlying base transceiver stations [Gi96]. A base station controller also manages inter-cell hand-offs of mobile hosts moving between cells associated with the base transceiver stations managed by it. Each base station controller is in contact with one Mobile-service Switching Center (MSC) via an A-interface. The mobile-service switching center is responsible for switching, routing, call control, paging, resource allocation, location registration, encryption, and accounting [Me96]. A mobile-service switching center provides routing and connectivity to the rest of the wired network for one or more base station controllers.
In our proposed system, we suggest a modification to the capabilities of the existing base station controllers. Our modification requires that, in addition to radio resource management, each base station controller provides the capabilities of a complete computer system. The base station controller will provide stable storage for storing logs and checkpoints, and database capability to support Certification Authority (CA) functions.
Certification authorities are used for key management, and the distribution of public keys. Public keys are used for authentication, data integrity and confidentiality.
Every mobile host is associated with a home network and a Home Agent (HA) within that network. The home agent is a router which is responsible for tunneling datagrams destined for the mobile host when it is in a foreign network. The Home Location Register (HLR) in the home network maintains current location information on all mobile hosts registered with the home agent.
4. Information Integrity and Confidentiality
Our proposed system will provide registration and mutual authentication of legitimate users in conjunction with the provision of confidentiality and integrity of exchanged messages. Public key cryptography will be used to provide these facilities, using a center-based key distribution approach with trusted third parties. The trusted third parties will be set up in a distributed hierarchical structure of key management and distribution centers, known as Certification Authorities (CAs).
Certification authorities will be set up in a hierarchical tree structure. The leaf nodes at level (n-1) of the certification authority tree will be in the base station controllers. Certification authorities at level (n-2) will be located along with the mobile-service switching centers, each of which serves the underlying base station controllers in its coverage area. Such a hierarchical structure of certification authorities will provide performance and operational transparency to hosts. On the average, certification authorities will provide more efficient access to public keys by caching the most recently requested public keys. The distributed and hierarchical nature of CAs will also prevent performance bottlenecks in the system while storing, updating and retrieving public keys [BB98].
A distributed hierarchical structure for providing access to public keys for host authentication, confidentiality, and data integrity will provide enhanced security. Even if the security of a certification authority is compromised, only the public keys stored in the affected CA will be revealed. The secret keys will be stored only at the originating hosts, making their compromise much more difficult [BB98].
5. Recovery Scheme
Recovery strategies suggested by Pradhan, Krishna, and Vaidya [PK96] use the base transceiver stations (referred to as base stations in their paper) for checkpointing and logging. In this approach, the failure of any one of the base transceiver stations used for storing logs and checkpoints for a mobile host would render all the checkpointing data useless.
In our proposed scheme, the state information for each mobile host will be saved regularly on stable storage using checkpointing and message logs. We suggest the use of modified base station controllers to provide stable storage for saving state information. Since all messages sent between mobile hosts are handled by the base station controller, the BSC is a logical choice for storing checkpoints and logs. In case of a failure, the recovery of a mobile host is performed independently of other mobile hosts in the wireless mobile network.
The local checkpoint of a mobile host represents its local state. Any one of the following events would change the local state of a mobile host [AB94]:
1. Receiving a message.
2. Sending a message.
3. Other local events which do not cause message exchange.
In case of events of type (3), the mobile host will send a message containing the state-changing event information to the base transceiver station of its current cell. At the same time, the mobile host will also store a copy of this message in a local log. The base transceiver station will forward this message to its base station controller, where it will be logged. Each message of type (3) sent to the base station controller will have an associated counter value, which will be incremented and sent with each message. Upon receiving a message of type (3), the base station controller will send an acknowledgment (ACK) to the mobile host via its base transceiver station. This ACK will also contain the counter value of the type (3) message previously received by the base station controller. Upon receiving the ACK from the base station controller, the mobile host will check the counter value. If the new counter value is in order with respect to the previously received counter value, then the mobile host will remove the entry for the message from its local log. If the counter values are not in order, then the mobile host will re-transmit another copy of the lost message to the base station controller.
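The type (3) logging exchange described above, as an added example (not code from the paper): a Python simulation in which the mobile host keeps a copy of each message until the base station controller's ACK counter confirms it, and re-sends from its local log when the ACK is out of order. The class names, the drop-once link model and the choice to have the BSC discard (rather than buffer) an out-of-order message are assumptions.

```python
from dataclasses import dataclass

@dataclass
class EventMsg:
    counter: int  # incremented by the mobile host with every type (3) message
    event: str    # local state-changing event that caused no message exchange

class BaseStationController:
    """Stable storage: logs type (3) messages in order, ACKs with the last logged counter."""

    def __init__(self):
        self.log, self.last_counter = [], 0

    def receive(self, msg):
        if msg.counter == self.last_counter + 1:  # the next expected message: log it
            self.log.append(msg)
            self.last_counter = msg.counter
        return self.last_counter  # duplicates/gaps are not logged (assumption); ACK reports what is stored

class MobileHost:
    def __init__(self, bsc, drop_once=()):
        self.bsc, self.counter = bsc, 0
        self.local_log = {}              # counter -> copy kept until the BSC ACKs it
        self.drop_once = set(drop_once)  # constructed: uplink messages lost on first send
        self.retransmitted = []

    def local_event(self, event):
        self.counter += 1
        self.local_log[self.counter] = EventMsg(self.counter, event)
        self._send(self.local_log[self.counter])

    def _send(self, msg):
        if msg.counter in self.drop_once:  # lost on the wireless link: no ACK comes back
            self.drop_once.discard(msg.counter)
            return
        self._check_ack(self.bsc.receive(msg))

    def _check_ack(self, acked):
        for c in [c for c in self.local_log if c <= acked]:  # in order: discard logged copies
            del self.local_log[c]
        if acked < self.counter:  # out of order: the BSC lacks acked+1, re-send that copy
            self.retransmitted.append(acked + 1)
            self._send(self.local_log[acked + 1])

def run_scenario():
    # Constructed run: the second of three events is lost on its first transmission.
    bsc = BaseStationController()
    mh = MobileHost(bsc, drop_once={2})
    for ev in ("timer fired", "file written", "setting changed"):
        mh.local_event(ev)
    return [m.counter for m in bsc.log], mh.retransmitted, sorted(mh.local_log)
```

After the run the BSC holds messages 1, 2 and 3 in order, the lost message 2 (and the message 3 it had discarded) were re-sent, and the mobile host's local log is empty.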
Keeping local state information at the base station controller will simplify hand-offs. No exchange of state information will be needed between base station controllers if the mobile host moves to a cell whose base transceiver station is serviced by the same base station controller that managed the base transceiver station of the previous cell. However, if the base transceiver station of the cell entered by the mobile host is connected to a base station controller different from the one servicing its previous cell, then all state information will be transferred to the new base station controller. On the average, this will result in a more efficient scheme, since state information would not need to be exchanged every time a mobile host changes cells. In case of mobile host failure, its state information would be retrieved from its base station controller and used to restart the execution of processes on the mobile host.
6. Conclusion
Recovery schemes developed for static wired networks do not work well in mobile and wireless communication systems. The algorithms used for providing recovery in such environments have to account for the various issues specific to mobile and wireless computing. Our scheme will use a system model similar to GSM, with each base station controller hierarchically serving one or more base transceiver stations. We propose a recovery scheme for mobile hosts in case of host failures. It will use the base station controller as the stable storage for keeping checkpoints and logs pertaining to the state of the mobile host. Keeping state information at the base station controller will result in a more efficient system. On the average, this scheme should provide faster hand-offs. This scheme, in conjunction with the provision of mutual authentication, confidentiality, data integrity, and key management, should result in enhanced survivability for critical applications running in a mobile and wireless environment.
7. References
[EF97] R. Ellison, D. Fisher, R. Linger, et al., "Survivable Network Systems: An Emerging Discipline," CMU/SEI-97-TR-013, Carnegie Mellon University, http://www.cert.org/research, November 1997.
[Pe97] Charles E. Perkins, Mobile IP: Design Principles and Practices, Addison-Wesley, Inc., Berkeley, CA, USA, 1997.
[AB94] Arup Acharya and B. R. Badrinath, "Checkpointing Distributed Applications on Mobile Computers," Proceedings, Third International Conference on Parallel and Distributed Information Systems, Sept. 1994.
[PK96] Dhiraj K. Pradhan, P. Krishna, and Nitin H. Vaidya, "Recoverable Mobile Environment: Design and Trade-off Analysis," Proceedings, Annual Symposium on Fault Tolerant Computing, Los Alamitos, CA, USA, June 25-27, 1996, pp. 16-25.
[Me96] Asha Mehrotra, GSM System Engineering, Artech House Publishers, Boston, London, 1996.
[Gi96] J. D. Gibson, The Mobile Communications Handbook, CRC Press, Inc., 1996.
[BB98] Tasneem Gandapur Brutch and Paul C. Brutch, "Mutual Authentication, Confidentiality, and Key Management System for Mobile Computing and Wireless Communications," to appear in Fourteenth Annual Computer Security Applications Conference, Phoenix, AZ, USA, Dec. 7-11, 1998.