An Efficient Approach For Network Mobility Based On AES Algorithm

This document summarizes a paper presented at the International Conference on Recent Advances in Mechanical Engineering and Interdisciplinary Developments that proposes an efficient approach for network mobility based on the AES encryption algorithm. The approach uses a virtual private network gateway with Session Initiation Protocol to securely connect public and private networks for users accessing the internet from mobile networks. It analyzes the security and performance of encrypting traffic between the networks using the AES algorithm. The system architecture includes a VPN gateway with a SIP proxy server and firewall to authenticate users and regulate traffic flowing between foreign networks and an internal private network.

Uploaded by

Arun Kumar
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
53 views8 pages

An Efficient Approach For Network Mobility Based On AES Algorithm

This document summarizes a paper presented at the International Conference on Recent Advances in Mechanical Engineering and Interdisciplinary Developments that proposes an efficient approach for network mobility based on the AES encryption algorithm. The approach uses a virtual private network gateway with Session Initiation Protocol to securely connect public and private networks for users accessing the internet from mobile networks. It analyzes the security and performance of encrypting traffic between the networks using the AES algorithm. The system architecture includes a VPN gateway with a SIP proxy server and firewall to authenticate users and regulate traffic flowing between foreign networks and an internal private network.

Uploaded by

Arun Kumar
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 8

International Conference on Recent Advances in Mechanical Engineering and Interdisciplinary Developments [ICRAMID - 2014]

An Efficient Approach for Network Mobility based on AES Algorithm

D.S.Dayana
Assistant Professor, SRM University, Chennai, India
[email protected]

Keywords: Virtual Private Network, Session Initiation Protocol, Network Mobility, Advanced Encryption Standard

Abstract. Users want to use the Internet from anywhere and at any time. For this purpose, the Internet Engineering Task Force proposed the concept of network mobility. However, the IETF's mobile Virtual Private Network does not support real-time applications. In this paper, the users' communication between public networks and private networks is secured by using a Virtual Private Network gateway. This secured communication is based on the Session Initiation Protocol and the AES algorithm. The security impact is computed analytically and the performance is simulated. The signaling cost is also reduced in this approach. Cryptographic mechanisms, namely encryption and decryption, are applied through the AES algorithm, so that the data transmitted through the VPN gateway is of good quality and secured.
1. Introduction
Nowadays the Internet is accessed by everyone at any time, and electronic devices are designed with wireless communication interfaces. In the NEMO Basic Support Protocol [3], a mobile network contains several nodes which are connected by one or more Mobile Routers (MRs). An MR is in charge of the mobility management of the entire network. Mobile Network Nodes in NEMO are classified as Local Fixed Nodes (LFNs) and Visiting Mobile Nodes (VMNs). An LFN always connects to the same mobile network, while a VMN can change its point of attachment [1]. Similar to Mobile IP [4], every mobile network is assigned Mobile Network Prefixes (MNPs) by the home network. The Home Agent (HA) needs to maintain a binding between the MNPs and the MR's current Care-of Address [1]. Therefore, when the mobile network moves away from its home network, packets from Correspondent Nodes are redirected by the HA to the MR [1]. The IPsec tunnel is built using the Internet Key Exchange (IKE) [10]. The proposed network mobility based on AES not only covers SIP-NEMO but also achieves route optimization between two SIP clients [2]. Despite the security mechanisms that have been proposed for SIP-based infrastructures, there are vulnerabilities that affect this architecture. Such vulnerabilities aim to exhaust available resources, create false responses upon the reception of malicious requests, and discover possible security weaknesses in real-time applications [8]. The AES algorithm overcomes this problem.

In this paper, how to provide Virtual Private Network services with the Session Initiation Protocol in network mobility is considered, and the AES algorithm is used for security. A Virtual Private Network can be used to carry communication between the external public network and the internal private network over the Internet. It allows a computer to send and receive data across shared and public networks. This is done by establishing a virtual point-to-point connection using dedicated connections and encryption, and it can be used in real-time applications, so a mobile network can access the public network and the private network in a secure way. A Virtual Private Network uses the Internet as the connection medium, so it saves the cost of long-distance phone service and the hardware costs
ISBN 978-93-80609-17-1
1171


associated with the connections. A Virtual Private Network has advanced security technologies such as data encryption, authentication, authorization, and Network Access Quarantine Control. Network Access Quarantine Control is used to delay remote access to a private network until the configuration of the remote access computer has been examined and validated.

The Session Initiation Protocol is a communication protocol used for establishing communication sessions over the Internet. SIP is used for creating, modifying and terminating sessions. In this paper, the Session Initiation Protocol is used for signaling and the Advanced Encryption Standard algorithm is used for encryption. The VPN architecture to support mobility in [5] can be used for a single node only, and it is based on MIP, which is not suitable for real-time applications. As discussed in [6], [7], the IETF mobile VPN employs one IPsec tunnel and two MIP tunnels. The three tunnels cause large overhead for transmitting real-time packets. The architecture and protocols that support VPN in NEMO are called Secured Network Mobility. The proposed system, based on the Session Initiation Protocol [9] and using the AES algorithm, is designed for real-time applications.
2. Proposed Advanced Encryption Standard
A Virtual Private Network makes a connection between remote users and private networks. People working on remote computers perceive their systems as having a physical connection to the network. A Connection Manager Profile is used to initiate a connection between Virtual Private Network clients and the server. Until the connection is terminated by the client or the server of the Virtual Private Network, the VPN server communicates with a server called the Internet Authentication Service. This is for authentication and authorization of a user and to create a session. The VPN establishes a point-to-point connection between the external untrusted and the internal trusted networks. The remote server answers the call, authenticates the caller, and helps to transfer data between the Virtual Private Network client and the private network. To establish a link, the data is encapsulated with a header. The header gives the routing information that helps the data travel through the public network to its destination. To establish a private connection, the data sent is encrypted using the Advanced Encryption Standard.
Session Initiation Protocol Design
A SIP transaction consists of a client request that executes a method and a response. The Uniform Resource Identifier is used to identify a user agent. SIP uses the URI scheme sip, and the syntax is
sip:username:password@host:port.
For secured transmission, the sips:username:password@host:port scheme and Transport Layer Security are used.
User Agent
SIP messages and sessions are created by the user agent. A SIP request is sent by the User Agent Client; the request is received, and the response sent, by the User Agent Server.
Proxy Server
A proxy server helps to prevent unauthorized users from getting access to the network.
Registrar
The REGISTER request is accepted and the information is stored in a particular location. The location binds one or more IP addresses to the Session Initiation Protocol Uniform Resource Identifier of the registered agent.

Redirect Server
The session invitations are directed by proxy servers into any external domains.
Gateway
The gateway enables communication between the SIP network and other private and public networks.
Fig.1 illustrates the system architecture of the proposed system. Consider a mobile network in a foreign network (Internet) connecting to the CN in the home network (intranet). The VPN gateway follows the SIP standards and helps to manage the traffic between the networks. The VPN Gateway (VPN GW) consists of a SIP proxy server. There is a firewall between the Internet and the intranet to prevent external users from getting direct access to the intranet. The SIP server is the SIP proxy server, which authenticates the incoming SIP messages through the Diameter server. A DHCP server is responsible for collecting all the information and maintaining the transmission all over the network. All the node information is stored in the particular DHCP server. Consider the F1 network as an authenticated network and F2 as an unauthorized network for communicating with the intranet.

Fig.1. System Architecture



Hence the authorized node information should be stored in the Diameter server of the intranet. The transmission between the Internet and the intranet happens by means of the VPN gateway only. Whenever a node in the two foreign networks wants to communicate with a node in the intranet, the source node first sends the request to the destination node, and the communication takes place through the VPN gateway. The firewall first stops the process, collects the information about the source and checks the source node information in the Diameter server. If the information is available, the firewall permits the node to communicate; otherwise the firewall discards the node's request. The authorized user nodes are allowed to communicate with the privately owned networks. Then, if some other node in F1 wants to communicate with the same destination node on the intranet, transmission problems such as data loss and channel utilization may arise; therefore, for this situation we implemented an option in the firewall. The firewall, through the Diameter server, checks whether the destination node is busy or not. If it is busy, the firewall holds the request until the destination completes its current task, after which the new task is allowed to communicate.
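As an added example that is not part of the paper or its simulation, the following Python models the admission logic just described: a constructed in-memory registry of authorized node ids stands in for the Diameter server, unknown sources are discarded, and requests to a busy destination are held in a queue until the current transfer completes.

```python
# Added example, not from the paper or its simulation: the admission logic the
# paper assigns to the firewall at the VPN gateway, with a constructed in-memory
# registry standing in for the Diameter server.
from collections import deque

class DiameterRegistry:
    """Constructed stand-in for the Diameter server: which nodes may reach the intranet."""
    def __init__(self, authorized):
        self._authorized = frozenset(authorized)

    def is_authorized(self, node):
        return node in self._authorized

class GatewayFirewall:
    def __init__(self, registry):
        self.registry = registry
        self.active = {}   # destination -> source currently transferring
        self.held = {}     # destination -> FIFO of sources waiting for it
        self.log = []      # decision trail (who was permitted, held or discarded)

    def request(self, src, dst):
        """Admit, hold or discard a request from a foreign-network node to an intranet node."""
        if not self.registry.is_authorized(src):   # unknown to the registry: discard
            self.log.append(("discard", src, dst))
            return "discarded"
        if dst in self.active:                     # destination busy: hold, do not drop
            self.held.setdefault(dst, deque()).append(src)
            self.log.append(("hold", src, dst))
            return "held"
        self.active[dst] = src
        self.log.append(("permit", src, dst))
        return "permitted"

    def complete(self, dst):
        """The transfer to dst finished; release the next held request, if any."""
        self.active.pop(dst, None)
        queue = self.held.get(dst)
        if not queue:
            return None
        nxt = queue.popleft()
        self.active[dst] = nxt
        self.log.append(("permit", nxt, dst))
        return nxt

def demo():
    """Constructed scenario: F1 nodes are registered, F2 nodes are not."""
    fw = GatewayFirewall(DiameterRegistry({"F1-node2", "F1-node3"}))
    results = [fw.request("F1-node2", "intranet-node9"),   # permitted
               fw.request("F1-node3", "intranet-node9"),   # held: node9 is busy
               fw.request("F2-node5", "intranet-node9")]   # discarded: not registered
    released = fw.complete("intranet-node9")               # F1-node3 may now proceed
    return results, released
```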
Advantages of Proposed System
- Secure data transmission between the Internet and the intranet
- Processing time is minimal
- Reduced signaling cost
- Low traffic
- Optimized routes

3. Advanced Encryption Standard Algorithm


The Advanced Encryption Standard (AES) algorithm uses a fixed block size of 128 bits and a key size of 128, 192, or 256 bits. The AES algorithm works on a 4×4 matrix of bytes. The original text (i.e., the input) is converted into the final output, which is known as the cipher text. To convert the original text into the final output, the following numbers of cycles are used:
- 10 cycles for 128-bit keys
- 12 cycles for 192-bit keys
- 14 cycles for 256-bit keys

Each cycle consists of four different steps, one of which depends on the encryption key itself. Using the same encryption key, the cipher text is converted back to the input text. The following steps are used in the AES algorithm.
Step 1: A 128-bit block is required for key expansion.
Step 2: Each byte of the 4x4 matrix is combined using bitwise XOR.
Step 3: Each byte is replaced with another byte based on a table called sub bytes.
Step 4: The last three rows of the matrix are shifted cyclically.
Step 5: The four bytes in each column of the matrix are combined; this is called the mixing operation.
Step 6: In the sub bytes step, each byte in the matrix is replaced using a fixed 8-bit table P: Yij = P(Xij). Each byte Xi,j in the matrix is replaced with P(Xi,j), which introduces non-linearity into the cipher text. To resist attacks, the fixed table P is constructed by combining the inverse function. P is also constructed so that it has no fixed points, i.e. P(Xij) is not equal to Xij. For decryption, the reverse of Step 6 is used.


Step 7: The bytes in each row of the matrix are shifted to the left by some offset value. For 128-bit and 192-bit blocks, the first row is left unchanged. Each byte of the second row is shifted one position to the left. Similarly, the third and fourth rows are shifted by offsets of two and three respectively. For a 256-bit block, the first row is unchanged and the shifts for the second, third and fourth rows are 1 byte, 3 bytes and 4 bytes. Each column of the output matrix of Step 7 is composed of bytes from each column of the input matrix.

Step 8: Each column of the matrix is multiplied by a fixed polynomial z(a). The four bytes of each column of the matrix are combined by a linear transformation. During this operation, each column is multiplied by a fixed matrix.

The multiplication operation is performed as follows:
- Multiplication by 1 means no change.
- Multiplication by 2 means shifting to the left.
- Multiplication by 3 means shifting to the left and then performing XOR with the initial unshifted value.
- After shifting, a conditional XOR with 0x1B is performed if the shifted value is greater than 0xFF.
Step 9: Each byte of the matrix is combined using the XOR operation.
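As an added example that is not the paper's code, the following Python assembles the steps above into AES-128 encryption of a single block and checks it against the FIPS-197 Appendix C.1 test vector; the fixed table P is derived from the GF(2^8) inverse and the affine map rather than stored, and the mixing step uses exactly the multiply-by-2 and multiply-by-3 rules listed above (the shift-rows offsets are the 128-bit-block ones, 0, 1, 2, 3).

```python
# Added example, not the paper's code: AES-128 built from the Section 3 round steps,
# checked against FIPS-197 Appendix C.1. Teaching code only: production systems use
# a vetted library and an AEAD mode such as AES-GCM, never a bare block cipher.
def xtime(b):
    """Multiply by 2 in GF(2^8): shift left, XOR 0x1B if the result exceeds 0xFF."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def build_sbox():
    """The fixed table P: GF(2^8) inverse followed by an affine map (no fixed points)."""
    exp, log, g = [0] * 255, [0] * 256, 1
    for i in range(255):                        # powers of the generator 3 (= x + 1)
        exp[i], log[g] = g, i
        g ^= xtime(g)                           # g *= 3
    sbox = [0] * 256
    for x in range(256):
        inv = exp[(255 - log[x]) % 255] if x else 0
        s = inv
        for _ in range(4):                      # inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox

SBOX = build_sbox()

def sub_bytes(state):
    return [SBOX[b] for b in state]

def shift_rows(state):
    """State is column-major (byte (r, c) at state[r + 4*c]); row r rotates left by r."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(state):
    """Column times [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2]: x2 is xtime, x3 is xtime ^ self."""
    out = []
    for c in range(4):
        a = state[4 * c:4 * c + 4]
        for r in range(4):
            a1 = a[(r + 1) % 4]
            out.append(xtime(a[r]) ^ xtime(a1) ^ a1 ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def add_round_key(state, rk):
    return [s ^ k for s, k in zip(state, rk)]

def expand_key(key):
    """AES-128 key schedule: 44 words grouped into eleven 16-byte round keys."""
    words = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = words[i - 1]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]    # RotWord then SubWord
            t = [t[0] ^ rcon] + t[1:]
            rcon = xtime(rcon)
        words.append([words[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(key, block):
    rk = expand_key(key)
    state = add_round_key(list(block), rk[0])
    for rnd in range(1, 10):                        # 10 cycles for a 128-bit key
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), rk[rnd])
    return bytes(add_round_key(shift_rows(sub_bytes(state)), rk[10]))  # no MixColumns last
```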

4. Results and Discussion


The proposed system for network mobility using a Virtual Private Network with the Session Initiation Protocol based on the Advanced Encryption Standard is tested and the results are simulated. Figs. 2, 3 and 4 show the simulated results, and Figs. 5 and 6 show that the signaling cost and the traffic are reduced with the Session Initiation Protocol, while the cryptographic mechanism, the Advanced Encryption Standard, is used for security.

Fig.2 Internet and Intranet with VPN Gateway, Firewall and Proxy Server

Fig.2 shows two Foreign Networks, F1 and F2, created in the Internet region, and an intranet along with the Virtual Private Network gateway, firewall and Proxy Server. The nodes are plotted in the Internet and intranet regions. The source node in the intranet region and the destination node in either F1 or F2 are selected, and the name of the file to be transmitted, ee.txt, is entered. A request is passed to the gateway and the process is initiated.

Fig.3 An acknowledgement sent from Diameter Server


An acknowledgement is sent from the Diameter Server to the firewall if the source node information is available in the Diameter Server. Node 2 is the registered source node, and the firewall allows node 2 to communicate with node 9.

Fig.4 Transmission of a file ee.txt from Intranet to Internet


The file ee.txt is successfully transmitted from the source node in the intranet region to the destination node in the Internet region.


Performance Analysis
In order to support secure communication in the VPN, the SIP Proxy Server and the firewall are used through the VPN gateway in the proposed Secured Network Mobility. The cryptographic mechanism is employed through the AES algorithm to secure the data transmission. To evaluate the performance of the proposed Secured Network Mobility, it is important to quantify the signaling cost. The signaling cost function consists of the transmission cost and the processing cost. The transmission cost is proportional to the distance between the two network nodes. The processing cost includes the cost to process messages, verify messages, etc.

Fig.5 Signaling cost with and without SIP


The proposed Secured Network Mobility has a lower signaling cost with SIP than without SIP. All SIP clients are able to communicate directly with each other without going through a mobility agent such as the Home Agent (HA) in MIP. Therefore, the routes are optimized. When a mobile network changes its point of attachment, a single registration request can represent the entire mobile network. This reduces the signaling overhead significantly. In the proposed Secured Network Mobility, a URI list is used to inform the SIP Proxy Server instead of sending the information for each Mobile Node individually. Thus the signaling cost is reduced.

Fig.6 Traffic with and without SIP



The authorized user nodes are allowed to communicate with the privately owned networks. Then, if some other node in F1 wants to communicate with the same destination node on the intranet, transmission problems such as data loss and channel utilization may arise; therefore, for this situation we implemented an option in the firewall. The firewall, through the Diameter server, checks whether the destination node is busy or not. If it is busy, the firewall holds the request until the destination completes its current task, after which the new task is allowed to communicate. Thus the traffic is reduced.
5. Conclusion
The mobile Virtual Private Network does not support real-time applications. But the Secured Network Mobility integrates both network mobility and the Virtual Private Network with the Session Initiation Protocol. The proposed system is based on the Session Initiation Protocol and the Advanced Encryption Standard, which supports real-time applications, and the mobility is also secured. It also supports network mobility route optimization. A Uniform Resource Identifier list is maintained to inform the Proxy Server, so it is not necessary to send the data individually to every mobile node; this reduces the signaling cost. The SIP Proxy Server and the Diameter Server are responsible for authentication and authorization. During data transmission, security information is processed by the Application Level Gateway, which accepts the data from the SIP Proxy Server. The gateway is responsible for switching between the external untrusted data and the internal trusted data. Therefore, unauthorized data cannot pass through the VPN gateway into the intranet, the transmission of files and applications becomes easy, and the traffic and the signaling cost are reduced.
References
[1] Tuan-Che Chen, Jyh-Cheng Chen, Zong-Hua Liu, "Secure Network Mobility for Real-Time Applications," IEEE Trans. Mobile Computing, vol. 10, no. 8, August 2011.
[2] Chung-Ming Huang, Chao-Hsien Lee, and Ji-Ren Zheng, "A Novel SIP-Based Route Optimization for Network Mobility," IEEE Journal on Selected Areas in Communications, vol. 24, no. 9, pp. 1682-1691, September 2006.
[3] V. Devarapalli, R. Wakikawa, A. Petrescu, and P. Thubert, "Network Mobility Basic Support Protocol," IETF RFC 3963, Jan. 2005.
[4] C.E. Perkins, "IP Mobility Support for IPv4," IETF RFC 3344, 2002.
[5] S. Vaarala and E. Klovning, "Mobile IPv4 Traversal across IPsec-Based VPN Gateways," IETF RFC 5265, June 2008.
[6] S.C. Huang, Z.H. Liu and J.C. Chen, "SIP-Based Mobile VPN for Real-Time Applications," Proc. IEEE Wireless Comm. and Networking Conf. (WCNC 05), pp. 2318-2323, Mar. 2005.
[7] Z.H. Liu, J.C. Chen and T.C. Chen, "Design and Analysis of SIP-Based Mobile VPN for Real-Time Applications," IEEE Trans. Wireless Comm., vol. 8, no. 11, pp. 5650-5661, Nov. 2009.
[8] D. Geneiatakis, T. Dagiuklas, G. Kambourakis, C. Lambrinoudakis, and S. Gritzalis, "Survey of Security Vulnerabilities in Session Initiation Protocol," IEEE Comm. Surveys Tutorials, vol. 8, no. 3, pp. 68-81, Apr.-June 2006.
[9] J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson, R. Sparks, M. Handley, E. Schooler, "SIP: Session Initiation Protocol," IETF RFC 3261, June 2002.
[10] D. Harkins and D. Carrel, "The Internet Key Exchange (IKE)," IETF RFC 2409, Nov. 1998.
